Third-party vendor access is vital to almost every organisation operating in today’s ultra-connected world. These third-party services maintain and support the organisation’s internal systems and resources, which means they need access to the company’s internal accounts and infrastructure. That access brings with it an obligation to make sure it does not become a security vulnerability. Third-party access is an easily underestimated problem.
Past data breaches show that third-party use is a common denominator shared by many successful cyber-attacks. Regus, for example, experienced a highly contentious breach earlier this year when sensitive data on the business’s workforce ended up published publicly online. The breach was later found to be a direct result of unsecured third-party access from a vendor that had been used to assess employee performance through clandestine cameras.
With the use of third parties clearly rising, as recent data shows, the threats that accompany it will only grow with it.
The rise in popularity of third-party vendors
Data from our recent study shows that a quarter of businesses use over 100 third-party vendors. Most of these require access to internally held applications, data, and company assets in order to carry out their day-to-day tasks. That’s a truly astounding number of third-party accounts that are in need of securing.
Our study also found that 90% of respondents allow third parties to access not only internal resources, but critical internal resources. That should be an immediate cause for attention for any CISO. When a third party has access to critical data, the organisation is only as secure as its weakest link. In other words, businesses relying on external vendors might have implemented excellent cybersecurity measures themselves, but this all means nothing when the vendor’s access controls are insecure.
For many organisations, securing third-party vendor access is incredibly complex – often requiring a cobbled-together solution of products like multi-factor authentication, VPN support, corporate-shipped laptops, directory services, agents, and more. This has not only led to confusion and overload for security practitioners, but also creates tangled and often insecure routes for third parties to access the systems they need to do their jobs.
Being mindful of the exposure
Even though the risk presented by third-party use is often blatant, with vendors requiring access to critical assets, organisations continue to treat these threats less seriously than they should. When 89% of businesses are either entirely unhappy with their efforts to secure third-party access or at the very least feel they could do better, the fault lines are evident on the surface. On top of this, third-party access was named as a top 10 organisation-wide security risk, alongside similarly dangerous threats such as phishing, insider threats, and cloud abuse – the exploitation of cloud vulnerabilities by cybercriminals.
Securing third-party access, then, is finally becoming a top priority for organisations, and with good reason. These attacks and resulting data breaches can be incredibly costly, both in terms of reputation and financial losses.
Despite this, the same businesses are overwhelmingly dissatisfied with how they currently approach managing and securing access for these remote vendors.
Ensuring the right level of security
When third-party access is a top 10 security risk, it seems contradictory that this specific type of access is often left unsecured.
In truth, providing access to external and internal accounts can be a challenging process. It’s all about hitting the cybersecurity sweet spot. Too much access raises the chance of data leakage or attack. Too little access means that some third-party vendors and similar users struggle to complete their tasks, which often require very specific internal assets. The level of access, in other words, has to be just enough for the job and no more.
Legacy solutions currently dominate. Most modern organisations rely on VPNs to secure third-party access, but VPNs were not designed to manage the dynamic privileged access that modern requirements call for, such as role-based access control and session recording. Companies also lack a holistic view of what third-party vendors are doing once they authenticate, and that is a serious problem. Best practice is to record, log, and monitor privileged activities, a common requirement for audit and compliance.
As organisations depend more and more on third parties to get the work done, the security difficulties they face become harder and harder to ignore. Without a dedicated solution for managing third-party privileged access, organisations have been forced to use miscast solutions like VPNs.
There are a couple of clear remedies for this problem. The first answer is to swiftly set up secure, structured, and multi-levelled privileged access controls. By introducing a process governing the types of data and assets that can be accessed by third parties and running it on a case-by-case basis, businesses can take a big step towards building a more effective defence against third-party vulnerabilities.
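The two points above, a case-by-case process that governs which assets a third party may reach, and the earlier best practice of recording every privileged action, can be illustrated with a small access broker. The code below is an added example written for this article, not a product or tool the text describes; every vendor name, asset name, role and timestamp in it is constructed. Each vendor holds one or more time-boxed grants naming the assets and actions it may use; any request that is not covered by an active grant is denied by default, and every decision, allowed or denied, is appended to an audit log so that activity against a given asset can be reviewed afterwards.

```python
"""Minimal third-party access broker: per-vendor, per-asset, time-boxed grants,
deny-by-default evaluation and an audit trail of every decision.
Illustrative example only; all vendor names, assets and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    vendor: str            # third-party organisation (hypothetical name)
    role: str              # what the vendor is engaged to do
    assets: frozenset      # internal assets this role may reach
    actions: frozenset     # e.g. {"read"} or {"read", "write"}
    not_before: datetime   # grants are time-boxed; renewal is a deliberate decision
    not_after: datetime

    def active_at(self, now):
        return self.not_before <= now <= self.not_after


@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    asset: str
    action: str
    session_id: str        # ties the decision to a recorded session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessBroker:
    def __init__(self, grants):
        self.grants = list(grants)
        self.audit_log = []  # every decision, allow or deny, is recorded here

    def evaluate(self, req, now):
        decision = self._decide(req, now)
        self.audit_log.append({
            "ts": now.isoformat(), "session": req.session_id,
            "vendor": req.vendor, "asset": req.asset, "action": req.action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req, now):
        vendor_grants = [g for g in self.grants if g.vendor == req.vendor]
        if not vendor_grants:
            return Decision(False, "no grant on file for this vendor")
        active = [g for g in vendor_grants if g.active_at(now)]
        if not active:
            return Decision(False, "grant expired or not yet valid")
        for g in active:
            if req.asset in g.assets and req.action in g.actions:
                return Decision(True, f"matched role {g.role}")
        # Deny by default: the vendor exists and has an active grant, but the
        # requested asset or action is outside what was agreed case by case.
        return Decision(False, "asset or action outside the vendor's active grants")

    def activity_for(self, asset):
        """The holistic view: everything any vendor tried against one asset."""
        return [e for e in self.audit_log if e["asset"] == asset]


# Constructed sample data for a stand-alone run.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

SAMPLE_GRANTS = [
    Grant("acme-dba", "db-maintainer", frozenset({"hr-db"}), frozenset({"read"}),
          T0, T0 + timedelta(days=14)),
    Grant("facilities-co", "building-support", frozenset({"building-mgmt"}),
          frozenset({"read", "write"}), T0 - timedelta(days=30), T0 - timedelta(days=1)),
]

SAMPLE_REQUESTS = [
    AccessRequest("acme-dba", "hr-db", "read", "s1"),            # within grant
    AccessRequest("acme-dba", "hr-db", "write", "s2"),           # action beyond grant
    AccessRequest("acme-dba", "payroll-db", "read", "s3"),       # asset beyond grant
    AccessRequest("facilities-co", "building-mgmt", "read", "s4"),  # grant expired
    AccessRequest("unknown-co", "hr-db", "read", "s5"),          # never onboarded
]


def run_sample():
    """Evaluate the constructed requests one hour into the grant window."""
    broker = AccessBroker(SAMPLE_GRANTS)
    decisions = [broker.evaluate(r, T0 + timedelta(hours=1)) for r in SAMPLE_REQUESTS]
    return broker, decisions


if __name__ == "__main__":
    broker, decisions = run_sample()
    for req, d in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.session_id}: {req.vendor} {req.action} {req.asset} -> "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("audit events touching hr-db:", len(broker.activity_for("hr-db")))
```

Two design choices carry the article’s point. Grants are keyed to specific assets and actions rather than to network reachability, which is the distinction from a VPN that drops a vendor onto the internal network and then loses sight of it; and denials are logged with the same detail as approvals, because a vendor repeatedly probing assets outside its grant is exactly the signal an audit or detection team wants to see.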
Alternatively, ‘all-in-one’ SaaS-based security subscriptions are also now available. These newer solutions take a combined approach, integrating standard security tools and services, including privileged access management, into an easy-to-implement offering for securing third-party access. Where securing one of businesses’ top security risks was once complex, organisations can now obtain all the tools they need in a single package, a far more digestible approach for businesses that don’t want to deal with the potential complexity and skills requirement of robust security measures.
Guarding against data leakage and cyber-attacks that stem from third-party access is an ongoing problem that needs to be addressed. Data breaches such as the one Regus suffered stand testament to the legitimacy of this concern: improper access measures can have a massive business impact. With modern, easy-to-implement solutions readily available, there is no excuse for organisations not to aim for that security sweet spot every time.