
Third Party Access: A Problem for Today’s Organizations

by senhasegura Blog Team | Apr 22, 2022 | BLOG

The extent to which companies today rely on third parties to carry out their activities is striking. Companies are increasingly looking to outsource internal functions and operations as well as external services.

According to the study, a quarter of companies said they use more than 100 third-party vendors, mostly requiring access to internal assets, data and business applications to operate effectively and fulfill their contracts.

The study also found that 90% of respondents allow third parties to access not only internal resources, but critical internal resources as well. This should be an immediate cause for attention for any CISO.

Companies that rely on third-party vendors may have implemented excellent cybersecurity measures, but it all means nothing when the vendor’s access controls are insecure.

For many organizations, securing access from third-party providers is incredibly complex – often requiring solutions like multi-factor authentication, VPN support, corporate laptops shipped to companies, directory services, agents, and more.

Not only does this create confusion and overhead for security professionals, it also creates tangled and often unsafe routes for third parties to access the systems they need to do their jobs.

 

Continue reading the article and learn how third-party abuse is a major cybersecurity risk for businesses.

Third-party-related attacks are on the rise

Third parties may not take network security as seriously as you would like. Knowing this, cybercriminals can choose not to attack your business directly. Instead, they may look for an easier target among your third-party vendors.

A compromised subcontractor can easily be turned into an entry point for cybercriminals. This is how a supply chain attack works.

Meanwhile, the number of third-party organizations that companies work with, as well as the amount of sensitive data disclosed to them, increases every year. The same goes for data breaches caused by third parties.

Here are just a few examples of cybersecurity incidents involving third parties.

Magecart Attacks

Since 2015, a group of cyber criminals called Magecart has carried out several attacks on major retailers across the world.

The group is believed to be responsible for the recent attacks on Ticketmaster, British Airways, Newegg, Feedify and Magento stores. Magecart hackers often infect third-party web services used by their victims to steal valuable information, particularly credit card data.

Atrium Health Data Breach

In 2018, Atrium Health suffered a data breach that resulted in the personal information of over 2.65 million patients being exposed. The breach was caused by a compromise of servers used by one of Atrium Health’s billing providers.

Amazon Data Leak

In 2020, Amazon, eBay, Shopify, and PayPal fell victim to a massive data breach. A third-party database of approximately eight million UK online shopping transactions was published online.

Notably, this is not the first time that Amazon has suffered from third-party incidents. In 2017, attackers broke into various third-party vendors working with Amazon and used their credentials to perform malicious actions in the environment.

General Electric (GE) Data Breach

In 2020, GE reported a data breach caused by one of its service providers. A compromised email account led to the public exposure of personally identifiable information from current and former GE beneficiaries and employees.

Depending on the nature of the outsourced supplier’s commitment, an organization may face different risks. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.

What are the risks involving third-party access?

The financial and technical capabilities of small service providers and subcontractors do not always match the capabilities of their customers. So, to improve their chances of success, cybercriminals can start small and look for an easy target in your supply chain.

A compromised third-party vendor can lead to a number of risks that can be broken down into four main categories:

  • Cybersecurity Risks: Subcontractors often have legitimate access to different environments, systems and data of their customers. Attackers can use a third-party vendor as an entry point to try to get your valuable assets.
  • Operational Risks: Cybercriminals can target your internal systems and the services you use instead of just your data. This can lead to partial interruptions of your operations or even stop them completely.
  • Compliance Risks: International, local, and industry-specific standards and regulations define strict cybersecurity criteria that organizations must meet. In addition, third parties working with these organizations must also comply with these requirements. Non-compliance often leads to substantial fines and reputational damage.
  • Reputation Risks: Having your valuable data and systems compromised serves as a red flag for your partners and customers, current and future. Regaining their confidence will take a lot of time and effort. And unfortunately, there is no guarantee that you will be able to successfully restore your reputation after a serious cybersecurity incident.

The reason many organizations struggle so hard to secure their work with third parties is a lack of two things: visibility and control. Companies are often unaware of what their third-party vendors do with their critical data and systems.


What are the specific threats involving third-party access?

To make your cooperation with subcontractors more secure, you need to understand what threats they may pose to your company’s cybersecurity.

Let’s focus on four common types of threats:

  • Misuse of Privileges: Third-party vendors may violate the access privileges you grant them in a variety of ways and for a variety of reasons. Your subcontractor’s employees may voluntarily pass their credentials on to others. Or, if access permissions on your network aren’t configured correctly, a third-party vendor could gain access to data that shouldn’t be shared with them.
  • Human Errors: Inadvertent errors by your subcontractor’s employees can cause as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, entering incorrect data, and misconfiguring systems and solutions. While unintentional, these errors can still lead to data leaks, service interruptions, and significant revenue losses.
  • Data Theft: In addition to unintentional data damage, there is a high risk of data theft directed by third parties. Without a proper third-party vendor management policy, there is a risk that third-party employees will steal valuable business information and use it to their advantage.
  • Third-party risks from your third parties: Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices is not enough. You also need to understand how they manage their own supply chains.

Fortunately, you can effectively manage all of these risks and threats by following a set of third-party vendor risk management best practices that will significantly improve your company’s cybersecurity resilience.

What are the technical controls to mitigate third-party access?

Ensuring a high level of access control is especially important if your third parties have access to your company’s privileged accounts, critical assets and confidential information.

The organization has visibility into the reasons and metrics, allowing it to better manage risk. Technical controls can be implemented to help manage risk.

Technical controls include:

Multi-factor authentication (MFA)

When accessing systems, there is no reason not to use MFA. It is vital because it is a difficult obstacle for attackers to overcome. It should be used as a first line of defense and as a mandatory control for third-party access.

Centralized Access Management

Centrally managing access helps with technical and administrative actions that need to be performed. If access can be seen and controlled centrally, it is easier to manage.

In the absence of a central system, the organization should consider its implementation for simplified management. Simple and safe often go hand in hand.

Centralized Access Gateway

A gateway used by a third party to access systems is useful. This helps with access management as it provides a central point of focus. It is equivalent to a castle gate where guards are stationed.

That’s not to say that, with this control in place, other areas don’t need to be monitored. However, having this central access point creates a security focal point.

Virtual Private Networks (VPN)

Ensuring that access to systems is secure from a network perspective is also essential. Protecting the central access point with a VPN or SSL/TLS-level security is safer than leaving it without this protection.

Third parties do not always have a level of security equivalent to or better than the organization’s own, and securing access through encrypted networks increases security.

It is not the only control required: a combination of controls must be implemented to effectively mitigate the risk. Some organizations tend to opt for one control or the other.

Recorded Access

Recorded access is a great control to implement in your environment. It protects both the organization and the third party. If the organization has a record of what happened, it can trace the steps and reverse the issue or at least resolve it.

Also, with recorded access, there should be no doubt about what happened. It’s all captured in the digital record. At first, some people may reject the idea, but once it is in use, the value of the control is quickly demonstrated and it becomes a powerful tool.

The above technical controls are only effective if used correctly and actually used. Without the resources to implement, operate, monitor and manage the defenses, their benefits will not be realized.

If an organization presents an easy target, the likelihood of a breach increases. Therefore, it is vital to ensure that the controls in place are adequate to guide the organization’s staff and trusted third parties at the level necessary for them to operate in a manner that limits risk.

A powerful PAM solution can help

For today’s organizations, outsourcing has become a vital part of running an efficient and innovative business. As companies add new suppliers at an unprecedented rate, it is more important than ever to minimize the risks that third parties add to the business environment.

With a comprehensive third-party risk management strategy, companies can leverage the expertise and cost savings that third parties provide, while protecting themselves from the wide range of risks this modern work environment presents.

As you consider your third-party risk management strategy, a strong privileged access management (PAM) solution can help protect and control third-party access to your critical assets.

senhasegura integrates with leading systems and applications to automate workflows throughout the user lifecycle, enforce policy-based controls, and detect anomalies and unauthorized access attempts.

PAM also allows organizations to set automatic expiration dates to ensure temporary accounts are deactivated, while restricting resource access to the vendors who need it.
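The technical controls listed above (MFA, a central access gateway, recorded sessions) and the automatic expiration of temporary accounts can be verified against access logs. The following is an added example, not senhasegura code or part of the original article; the log format, account names, gateway address range and dates are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed address range of the central access gateway (hypothetical value).
GATEWAY_NET = ipaddress.ip_network("10.20.0.0/28")

# Constructed vendor accounts -> access end date (None = no expiration set).
VENDOR_EXPIRY = {
    "acme-hvac": datetime(2024, 3, 31),
    "billing-co": datetime(2024, 1, 15),
    "printfix": None,
}

# Constructed sample log: timestamp user source_ip mfa=<yes|no> recording=<id|->
LOG = """\
2024-02-01T09:00:00 acme-hvac 10.20.0.5 mfa=yes recording=r-1001
2024-02-01T09:30:00 acme-hvac 203.0.113.7 mfa=yes recording=-
2024-02-02T14:10:00 billing-co 10.20.0.6 mfa=no recording=r-1002
2024-02-03T08:00:00 printfix 10.20.0.5 mfa=yes recording=r-1003
2024-02-03T08:05:00 jdoe 10.1.1.4 mfa=yes recording=-
"""

def parse_event(line):
    """Split one log line into typed fields."""
    ts, user, src, mfa, rec = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src),
            "mfa": mfa.partition("=")[2] == "yes",
            "recording": rec.partition("=")[2]}

def audit(log_text, expiry=VENDOR_EXPIRY, gateway=GATEWAY_NET):
    """Return (timestamp, user, issues) for each vendor login that misses a control."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev["user"] not in expiry:
            continue  # not a third-party account
        end = expiry[ev["user"]]
        checks = [
            (not ev["mfa"], "no_mfa"),
            (ev["src"] not in gateway, "bypassed_gateway"),
            (ev["recording"] == "-", "not_recorded"),
            (end is None, "no_expiration_set"),
            (end is not None and ev["ts"] > end, "login_after_expiry"),
        ]
        issues = [label for failed, label in checks if failed]
        if issues:
            findings.append((ev["ts"].isoformat(), ev["user"], issues))
    return findings
```

Calling `audit(LOG)` flags three of the four vendor logins and ignores the employee account `jdoe`, which is not in the vendor inventory.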

Request a trial demo now and discover the benefits of senhasegura for your company.
