July 20, 2020//Nate MorisonLast Updated: October 28, 2020
I make fifty phone calls and send another couple hundred emails to enterprise IT professionals across the country each and every day. Some network administrators may call me a bother, others slam down the receiver when they hear “it’s Nate with SecureLink offering a security solution.” But, when I click “call” on that IT Director’s phone number, I feel like I’m on a crusade to address an obvious problem.
Nearly two out of every three recent data breaches were attributable to a third-party vendor, and just about every single one was entirely preventable. And yet, the Ponemon Institute reports that only 16% of companies are effectively managing the risks associated with external vendors accessing internal resources.
What this problem means is that the same companies that hang up on me have recently spent about $2.6B in the past year to remediate avoidable disaster: data breaches that contain information like your credit card number, my home address, grandma’s health records, and your children’s social security numbers. If the American public was instead responsible for cleaning up the mess made by laissez-faire third-party security practices, each adult in the US, all 210 million of us, would have to pay $12.43 in restitution for a breach of privacy that we had nothing to do with.
And thus my crusade is not against the policies that lead to these data breaches, but rather for those who are affected by them.
Think of the problem this way: You are the building manager of a 200-unit urban apartment building in my home of downtown Austin, Texas. A resident in Unit 118 gives you a call and says that their water is no longer working. Not the toilets, sink, or dishwasher.
In a modern healthcare IT environment, the analogous reality goes something like this: one mission-critical healthcare records application goes down. Nurses and doctors can’t log in, and the entire hospital’s business is on pause. Then, a phone rings on the IT helpdesk.
Okay, now back to the apartment building.
Since you are a building manager, not a plumber, you call the plumbing contractor that you trust – the folks you’ve been working with for years. And since you trust all your contractors – the electricians, cleaning crews, and that plumber – you provide each with a master key that can unlock any unit in the building. This, of course, is much easier than a manual key tracking process while having to remember the whereabouts of each physical key. It’s how you’ve been managing the way contractors access your building for years. After all, what reason would the plumber have to access Unit 118 (or any other unit) if there’s no plumbing issue?
Let’s pause this analogy here and ask if you think this practice is a responsible one. More importantly, is it fair to the residents’ privacy? While the plumber is entirely trustworthy (to your knowledge, at least), why take the risk of a master key ending up in the wrong hands?
Again, my crusade is not against the policy, but for those affected.
Back at the hospital, our help desk hero answers the ringing phone. It turns out that a recent update to the application caused it to go berserk, and he gets in touch with the solution’s provider, BlueSoft.
BlueSoft’s technicians quickly connect to the hospital’s network utilizing a VPN. The technicians use a generic login credential (the master key) that was assigned to BlueSoft, and in they go to connect to their application. Sound familiar?
So what difference does the right vendor management tool make?
Imagine instead that when that plumber needs access to Unit 118 to fix a valve, he goes to a lockbox outside the building and enters his own code, and out pops a digital key card for Unit 118, and only Unit 118 – not the entire building. There’s a video recording of all the work performed, and if the plumber fails to return the key after he’s done, the key expires and becomes useless.
If you’re a resident at this downtown Austin apartment building, which access management policy would you like to have in place? One that respects your right to privacy, or one that relies largely on trust?
This is what the best vendor management software can mean for our hospitals. The status quo of trust is replaced with a model of automated accountability. As customers, patients, and clients of these enterprises we’ve got skin in the game too.
The help-desk phone rings again. It’s me, calling with SecureLink, on my crusade to solve the preventable. Answering the phone could mean the difference between our records ending up on the dark web, and enforcing accountability for unknown third-parties. If talking on the phone isn’t your ideal situation, we have some great content that helps further prove the issues with the status quo. Check out our new vulnerable vendor checklist that helps highlight how you can spot a vulnerable vendor (or plumber) on your network (or in your apartment complex).