It’s not your employee’s remote access. It’s not something that a compliance checklist can fix. Third-party remote access is a different beast. If you need proof, look at the Ponemon Institute report that surveyed over 600 people who work directly with managing remote third-party risk. Over half of those surveyed said their organization was breached via a third party that led to the misuse of confidential or sensitive information. And 74% said the hack happened because third parties were given too much access. It’s clear that third-party access presents the greatest risk to an organization’s security, and whatever best practices are being used to manage third-party risk hasn’t kept up with the sophistication of recent cyberattacks.
Third-party risk isn’t a new idea. People generally understand the risk that’s involved with engaging a third-party vendor. That’s why so many lines of business surround the idea of cyber risk and risk management. But the proposition of how to attack that problem is overwhelming to organizations and the people who run cybersecurity operations.
So what do they do? They stick to what they know – securing access for internal employees. There’s no doubt that the remote access landscape has changed drastically with the shift of employees transitioning to remote workforces. IT and InfoSec teams faced considerable and new challenges as they pivoted to supporting a remote employee workforce. This immediately prioritized secure employee connectivity and de-prioritized the security of third-party connectivity. As a result, organizations fell prey to a common misconception: Whatever remote access your employees use is fine for third parties. It’s not. Insider/employee threat isn’t the greatest threat to an organization, so figuring out secure employee access doesn’t solve all remote access security. And there are enough supporting numbers to show that third-party access needs to be treated differently than employee access.
Organizations will also try to handle third-party risk by believing two other misconceptions: that the reputation of a third party and contracts between an organization and a third party will protect your data (it won’t), and security and risk assessments are all that’s needed for risk management (it’s not). Risk assessments, checklists, and contracts are all great starting points for protecting third-party access, but they don’t secure anything. It’s great for passing audits. Audits are inevitable and will always happen, so having that information is important. But hacks are unpredictable. You can’t know when a breach is scheduled and plan your security strategy accordingly. Most times, they surprise you and cause more damage before you even know they happened. So proactively building a defense against breaches and layering in better security tools need to be the highest priority.
So if internal employee access systems don’t cut it, and checking boxes and conducting risk assessments aren’t good enough, how do you keep up with securing third-party remote access?
You need a platform built to manage third-party risk.
Process management by itself doesn’t work. Third-party remote access systems need to enforce policy and prevent human mistakes or oversights that could come from checklists and employee-conducted security assessments. It’s also just as critical that platforms implement least privileged access or a Zero Trust model for third parties and non-employees. This is the best way to restrict third-party access to only the applications needed and nothing else. There isn’t any reason this shouldn’t be a part of a third-party remote access platform. The only way to really control who is in your system is by limiting the amount of access a third party or non-employee has. And to limit risk even more, you need visibility into third-party network activity. Your third-party platform needs to know and track which users are in your network and what they are doing in your network. Without a platform automating network session monitoring, employees would spend hours of time monitoring network activity in real-time or watching recordings of logged sessions – a waste of time and resources.
The fact that over half of those interviewed have experienced a data breach isn’t surprising, but it is concerning. This report validates what we already know and see on the frontlines of third-party security at SecureLink. What we hope senior decision-makers and technology professionals will take away from this is that there’s a better way to protect your data and your customers. You need a platform to manage the riskiest part of third-party relationships – the connectivity into your network. Reputation, contracts, and checklists can’t protect you. Assessments can’t proactively defend against hackers. You need the right automation and technology to protect you. We hope this report opens your eyes to the reality of third-party remote access threats and convinces you to secure your greatest point of risk.