Why vendor management is important

October 18, 2019 // Tony Howlett

As threats to network security become more complex and varied, with expanding perimeters and a growing population of mobile and IoT devices, enterprises are getting more astute about protecting their data, monitoring internal users and external traffic in more sophisticated ways than ever.

Vendors are indispensable to the effective operation of your enterprise. Their technology and services add real value to your end users' experience. But protecting your network while delivering safe, seamless, comprehensive service to your customers, from their first interaction through their last, can be fraught with peril if you are not diligently managing and monitoring what your vendors do.

Whether by accident or through malicious intent, 60% of U.S. and U.K. companies have experienced a data breach caused by a vendor or other third party, according to a report by the Ponemon Institute. The impact of these breaches ranges from data loss and financial penalties to loss of customers and contracts, and in some cases steep revenue decline or even business failure.

The risks are highest for those organizations that are most reliant on outside vendors. Ironically, it is those same organizations that have the most to lose; penalties for non-compliance in industries like healthcare and finance can be enterprise-ending, and today’s broadening GDPR requirements affect companies across all categories.

The Ponemon survey of 1,000 companies reveals that a typical organization shares confidential and sensitive information with almost 600 third parties. Of those surveyed, however, just 34% keep a comprehensive inventory of those third parties. And that is only inventory: if only 34% know who holds their data, far fewer are actually managing the risk each of those third parties poses. So before onboarding a vendor, make sure you address the aspects of third-party risk that are regularly overlooked.

The chance of a data breach increases when using vendors

Let's face it, even organizations with the most robust data security programs can suffer a data breach. In fact, 42% of respondents to a Ponemon Institute survey experienced a data breach via a third party in the past year, and some of the most newsworthy breaches have been traced to third-party vendor weaknesses (think Target, Equifax, and Tesla).

Attackers look for the easiest way into a network, and frequently that is the access already granted to a vendor. One essential control against this is to limit the scope of a vendor's access to systems and data to only what it needs to perform its duties: least-privilege access.

If your vendors aren’t in compliance, neither are you

Not only do organizations need to be in compliance internally, but once the doors are open to vendors, they are also responsible for making sure those vendors abide by the applicable regulations (GDPR, HIPAA, CJIS, and more). A vendor's non-compliance can cost you fines, penalties, and even revocation of a license or charter. The only way to mitigate this risk is to implement an effective vendor management program.

Without the right vendor management program, there is no way to know what your vendors are doing within your network and systems. Access methods such as VPNs are fraught with issues, ranging from security flaws in the VPN software itself to overly broad network access and a lack of auditability. These methods, common within IT support organizations for internal use, are unlikely to satisfy these requirements when extended to vendors. Screen sharing also falls short, because the remote technician acts under the identity of the user being assisted. Most of these regulations require that third-party activity be traceable to a specific, named technician, which is difficult with software and platforms that were not designed with that kind of auditing in mind.
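As an added illustration (not the article's code, and not any vendor product's), the following Python sketch of a vendor-access broker shows the two controls this section and the least-privilege section above call for: a per-vendor grant that scopes which hosts and ports the vendor may reach and until when, and an audit record that names the individual technician and refuses shared or role accounts, which is exactly what a shared VPN login or an impersonating screen-share session cannot provide. The vendor name, e-mail domain, hostnames, grant and account-name pattern are all constructed for the example.

```python
"""Least-privilege vendor access with per-technician audit (constructed example)."""
import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Role or shared logins cannot be traced to one person, so they are refused.
# The list of names is an assumption for this example; extend it for your environment.
SHARED_ACCOUNT = re.compile(r"^(admin|support|service|vendor|ops|root)\d*$", re.IGNORECASE)


@dataclass(frozen=True)
class Grant:
    """What one vendor may reach, which identity domain it must use, and until when."""
    vendor: str
    email_domain: str       # technicians must authenticate with an account in this domain
    hosts: frozenset        # exact hostnames the vendor may connect to
    ports: frozenset        # TCP ports permitted on those hosts
    valid_until: datetime   # UTC; requests after this instant are denied


@dataclass(frozen=True)
class AuditRecord:
    """One line of audit trail: who (a named person), from which vendor, to what, and why."""
    timestamp: str
    vendor: str
    technician: str
    host: str
    port: int
    allowed: bool
    reason: str

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


def utc_day(year: int, month: int, day: int) -> datetime:
    """Helper so callers build timezone-aware UTC timestamps consistently."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Hypothetical policy: one HVAC contractor may reach one building-management host on 443.
POLICY = {
    "hvac-co": Grant(
        vendor="hvac-co",
        email_domain="hvac-co.example",
        hosts=frozenset({"bms-01.corp.example"}),
        ports=frozenset({443}),
        valid_until=utc_day(2019, 10, 31),
    ),
}


def evaluate(vendor: str, technician: str, host: str, port: int,
             now: datetime, policy=POLICY) -> AuditRecord:
    """Decide one connection request and return the audit record for it.

    Every path, allowed or denied, yields a record naming the technician, so the
    trail exists whether or not the session was opened.
    """
    def record(allowed: bool, reason: str) -> AuditRecord:
        return AuditRecord(now.isoformat(), vendor, technician, host, port, allowed, reason)

    grant = policy.get(vendor)
    if grant is None:
        return record(False, "unknown-vendor")
    local, at, domain = technician.partition("@")
    if not at or not local or domain.lower() != grant.email_domain:
        return record(False, "technician-not-in-vendor-domain")
    if SHARED_ACCOUNT.match(local):
        return record(False, "shared-account")
    if now > grant.valid_until:
        return record(False, "grant-expired")
    if host not in grant.hosts:
        return record(False, "host-not-granted")
    if port not in grant.ports:
        return record(False, "port-not-granted")
    return record(True, "ok")


if __name__ == "__main__":
    now = utc_day(2019, 10, 18)
    requests = [
        ("hvac-co", "jane.doe@hvac-co.example", "bms-01.corp.example", 443),  # scoped, named
        ("hvac-co", "support@hvac-co.example", "bms-01.corp.example", 443),   # shared login
        ("hvac-co", "jane.doe@hvac-co.example", "dc-01.corp.example", 443),   # outside scope
        ("hvac-co", "jane.doe@hvac-co.example", "bms-01.corp.example", 22),   # wrong port
    ]
    for req in requests:
        print(evaluate(*req, now).to_json())
```

The point of the design is that the policy is attached to the vendor relationship, not to a network path: a technician gets a named identity, a short list of hosts and ports, and an expiry, and every decision is written down with that identity. A flat VPN grants a subnet to whoever holds the credential and records none of this.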

Key takeaways

Data breaches and compliance violations top the list of damages that even well-meaning vendors can inflict on their enterprise customers. Losses mount further once you count the hidden costs: higher insurance premiums, lost customers, downgraded credit ratings, lost productivity while "righting the ship", and incalculable reputation damage. Most enterprises cannot do without vendors, so it is important to have the right solution in place to monitor them and mitigate the risks.

You can’t manage risks that you don’t know you have. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications. 
