Cyber defenses are faltering under the pressure of digital complexity. The interconnected nature of today’s digital world has made it easier for users, third-party vendors, and cyber criminals to compromise organizational security, whether intentionally or unintentionally.
By necessity, most businesses have become heavily reliant on the services of vendors and contractors to meet growing consumer demands. But this has made access to the information, people, goods, and services we rely on a lot more vulnerable than we realize.
Everyone accessing organizational assets and systems presents a potential point of failure, whether a vendor, a contractor, an employee, or a privileged user. The Crowdstrike outage and other cyberattacks and breaches are a stark reminder of how vulnerable our supply chains are and how quickly one incident can have a ripple effect on our way of life.
Compromised credentials –including credentials for privileged and third-party accounts–remain a frequent method hackers use to gain network access – something that many businesses address by implementing Zero Trust networks and passwordless authentication.
But with attack methods constantly evolving and third-party vulnerabilities being the top cause of data breaches in 2023, it’s critical to ask if the current approach is sufficient in the face of modern threats. Clearly, many are falling short when it comes to securing third-party network access, and it’s time to reconsider what’s needed to mitigate this high-risk threat.
Third-party access: necessary but risky
From vendors to partners to contractors, third parties are a vital and inevitable part of today’s business environment. And whether it is to provide technical support, collaborate on key initiatives, or something different, this means these third parties need access – and in many cases, elevated access to critical company resources or highly sensitive information.
With this level of access comes risk – 56% of organizations report having experienced a third-party data breach. In the majority of these breaches, the cause was providing too much privileged access to third parties. Yet despite the significant and acknowledged risk, more than half of organizations say they do not have effective controls in place to mitigating third-party access risk.
So, if the risk is well understood, why is third-party access so difficult to manage? Very often, it is because organizations attempt to provision and manage third-party remote access credentials in the same way as employee or internal privileged admin credentials. This introduces risk, including:
- Login information is routinely shared amongst users within the third-party: It is virtually impossible to know the actual individual who is accessing the network, even if third parties are required to use the company’s VPN and AD.
- Third-party access is often left active after it is needed: Third-party access should be restricted to a specific time period, but this is difficult to do when provisioning vendor access via Active Directory, as it requires IT to remember to deprovision access.
- Granular control options are limited: If third parties access the network in the same way as employees, organizations will not have granular control over how, when, and what third-parties can access.
Steps to mitigate the risk
To mitigate this risk, it’s critical for organizations to implement strict access controls and monitor third-party activities to prevent data breaches and unauthorized access. Organizations should adopt a comprehensive approach to managing this risk, following these steps:
- Define the Attack Surface: Clearly identify all entry points into your system and understand where and when data can be extracted, and which points are most sensitive.
- Adopt a Realistic Security Information Plan: Ensure you know who is connecting to your network and how. Educate all employees and vendors about third-party access risks, implementing MFA to enhance security.
- Control Network Access: Apply the principle of least-privilege access, granting third-party vendors only the access necessary to perform their tasks and eliminating broad access methods like VPNs, ensuring they do not control credentials, even to the systems they need to access. This minimizes the potential damage from common attack vectors introduced by third parties.
- Audit User Actions: Implement solutions that track and audit the granular actions of any authorized users on your network. This helps in identifying and responding to suspicious activities promptly.
This approach also protects against financial and reputational damage and ensures compliance with regulations like PCI DSS and HIPAA, maintaining data privacy and integrity.
Taking third-party access seriously
The risks associated with third-party access are too significant to ignore, and IT leaders must take a comprehensive approach to modernize their approach to ensure operational integrity through robust access management. By doing so, organizations can protect their networks from potential breaches and ensure the integrity of their operations.
Comments
Post a Comment