The extent of the use of third parties to carry out activities in companies today is really surprising. Companies are increasingly looking to outsource internal functions and operations and external services. According to the study, a quarter of companies said they use more than 100 third-party vendors, mostly requiring access to internal assets, data, and business applications to operate effectively and fulfill their contracts.
The study also found that 90% of respondents allow third parties to access not only internal resources but critical internal resources as well. This should be an immediate cause for attention for any CISO. Companies that rely on third-party vendors may have implemented excellent cybersecurity measures, but it all means nothing when the vendor’s access controls are insecure.
For many organizations, securing access from third-party providers is incredibly complex – often requiring solutions like multi-factor authentication, VPN support, corporate laptops shipped to companies, directory services, agents, and more.
Not only does this create confusion and overhead for security professionals, it also creates tangled and often unsafe routes for third parties to access the systems they need to do their jobs. Continue reading the article and learn how third-party abuse is a major cybersecurity risk for businesses.
Third-party-related attacks are on the rise
Third parties may not take network security as seriously as you would like. Knowing this, cybercriminals can choose not to attack your business directly. Instead, they may look for an easier target among their third-party vendors.
A compromised subcontractor can easily be turned into an entry point for cybercriminals. This is how a supply chain attack works.
Meanwhile, the number of third-party organizations they work with, as well as the amount of sensitive data disclosed to them, increases every year. The same goes for data breaches caused by third parties.
Here are just a few examples of cybersecurity incidents involving third parties:
Magecart Attacks
Since 2015, a group of cyber criminals called Magecart has carried out several attacks on major retailers across the world.
The group is believed to be responsible for the recent attacks on Ticketmaster, British Airways, Newegg, Feedify, and Magento stores. Magecart hackers often infect third-party web services used by their victims to steal valuable information, particularly credit card data.
Atrium Health Data Breach
In 2018, Atrium Health suffered a data breach that resulted in the personal information of over 2.65 million patients being exposed. The breach was caused by a compromise of servers used by one of Atrium Health’s billing providers.
Amazon Data Leak
In 2020, Amazon, eBay, Shopify, and PayPal fell victim to a massive data breach. A third-party database of approximately eight million UK online shopping transactions has been published online.
Notably, this is not the first time that Amazon has suffered from third-party incidents. In 2017, attackers broke into various third-party vendors working with Amazon and used their credentials to perform malicious actions in the environment.
General Electric (GE) Data Breach
In 2020, GE reported a data breach caused by one of its service providers. A compromised email account led to the public exposure of personally identifiable information from current and former GE beneficiaries and employees.
Depending on the nature of the outsourced supplier’s commitment, an organization may face different risks. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.
What are the risks involving third-party access?
The financial and technical capabilities of small service providers and subcontractors do not always match the capabilities of their customers. So, while looking to succeed in their efforts, cybercriminals can start small and look for an easy target in their supply chain.
A compromised third-party vendor can lead to several risks that can be broken down into four main categories:
- Cybersecurity Risks: Subcontractors often have legitimate access to different environments, systems, and data of their customers. Attackers can use a third-party vendor as an entry point to try to get your valuable assets.
- Operational Risks: Cybercriminals can target your internal systems and the services you use instead of just your data. This can lead to partial interruptions of your operations or even stop them completely.
- Compliance Risks: International, local, and industry-specific standards and regulations define strict cybersecurity criteria that organizations must meet. In addition, third parties working with these organizations must also comply with these requirements. Non-compliance often leads to substantial fines and reputational damage.
- Reputation Risks: Having your valuable data and systems compromised serves as a red flag for your partners and customers, current and future. Regaining your confidence will take a lot of time and effort. Unfortunately, there is no guarantee that you will be able to successfully restore your reputation after a serious cybersecurity incident.
The reason many organizations struggle so hard to secure their work with third parties is a lack of two things: visibility and control. Companies are often unaware of what their third-party vendors do with their critical data and systems.
What are the specific threats involving third-party access?
To make your cooperation with subcontractors more secure, you need to understand what threats they may pose to your company’s cybersecurity.
Let’s focus on four common types of threats:
- Misuse of Privileges: Third-party vendors may violate the access privileges you grant them in a variety of ways and for a variety of reasons. Your subcontractor’s employees may voluntarily pass their credentials on to others. Or, if access permissions on your network aren’t configured correctly, a third-party vendor could gain access to data that shouldn’t be shared with them.
- Human Errors: Inadvertent errors by your subcontractor’s employees can cause as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, entering incorrect data, and misconfiguring systems and solutions. While unintentional, these errors can still lead to data leaks, service interruptions, and significant revenue losses.
- Data Theft: In addition to unintentional data damage, there is a high risk of data theft directed by third parties. Without a proper third-party vendor management policy, there is a risk that third-party employees will steal valuable business information and use it to their advantage.
- Third-party risks from your third parties: Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices is not enough. You also need to understand how they manage their supply chains.
Fortunately, you can effectively manage all of these risks and threats by following a set of risk management best practices from third-party vendors that will significantly improve your company’s cybersecurity resilience.
What are the technical controls to mitigate third-party access?
Ensuring a high level of access control is especially important if your third parties have access to your company’s privileged accounts, critical assets, and confidential information.
The organization has visibility into the reasons and metrics, allowing it to better manage risk. Technical controls can be implemented to help manage risk.
Technical controls include:
Multi-factor authentication (MFA)
When accessing systems, there is no reason not to use MFA. It is vital as it is a difficult obstacle for attackers to overcome. This should be used as a first line of defense and mandatory third-party access control.
Centralized Access Management
Centrally managing access helps with technical and administrative actions that need to be performed. If access can be seen and controlled centrally, it is easier to manage.
In the absence of a central system, the organization should consider its implementation for simplified management. Simple and safe often go hand in hand.
Centralized Access Gateway
A gateway used by a third party to access systems is useful. This helps with access management as it provides a central point of focus. It is equivalent to a castle gate where guards are stationed.
That’s not to say that with control in place, other areas don’t need to be monitored, however, having this central access point creates a security focal point.
Virtual Private Networks (VPN)
Ensuring that access to systems is secure from a network perspective is also essential. Using VPN or SSL/TLS level security for the central point is a safer way than not having this protection.
Third parties do not always have the equivalent or better level of security that an organization can have, and securing access through encrypted networks increases security.
It is not the only control required, a combination of controls must be implemented to effectively mitigate the risk. Some organizations tend to opt for one control or the other.
Recorded Access
Written access is a great control to implement in your environment. It protects both the organization and the third party. If the organization has a record of what happened, it can trace the steps and reverse the issue or at least resolve it.
Also, with recorded access, there should be no doubt about what happened. It’s all recorded in the digital record. At first, some people may reject the idea, but once used, the value of control is quickly demonstrated – it becomes a powerful tool.
The above technical controls are only effective if actually used, and used correctly. Without the resources to implement, operate, monitor, and manage the defenses, their benefits will not be realized.
If an organization presents an easy target, the likelihood of a breach increases. Therefore, it is vital to ensure that the controls in place are adequate to guide the organization’s staff and trusted third parties at the level necessary for them to operate in a manner that limits risk.
A powerful PAM solution can help
For today’s organizations, outsourcing has become a vital part of running an efficient and innovative business. As companies add new suppliers at an unprecedented rate, it is more important than ever to minimize the risks that third parties add to the business environment.
With a comprehensive third-party risk management strategy, companies can leverage the expertise and cost savings that third parties provide, while protecting themselves from the wide range of risks this modern work environment presents.
As you consider your third-party risk management strategy, a strong privileged access management (PAM) solution can help protect and control third-party access to your critical assets.
senhasegura integrates with leading systems and applications to automate workflows throughout the user lifecycle, enforce policy-based controls, and detect anomalies and unauthorized access attempts.
PAM also allows organizations to set automatic expiration dates to ensure temporary accounts are deactivated while restricting resource access to vendors who need them.