Third-party risk and why it matters

“We had a large manufacturing company come to us looking to solve their third-party access problem after discovering a virus within their OT environment,” says Rob Palermo, VP of Product Management at SecureLink. “One of the first steps they took was to disable VPNs being used by third parties. They initially thought they had about a dozen third-party vendors, but as they began bringing vendor access back online, they discovered that they had over 200 vendors with access. They had no visibility or idea as to how many third parties accessed their network, and many of these third parties had more access than they needed.”

Unfortunately, this story is just one of many for organizations that work with multiple third parties. In fact, a surprising number of organizations do not know how many third parties have access into their private networks and do not have an inventory of all the third parties with permissions to access their environment. If not monitored or tracked, third-party remote access can expose networks to cyberthreats and allow entry to bad actors who can wreak havoc on an organization's internal systems.

Let’s think of your network like your house. There are some trusted people in your life that you share the keys to your house with over time. When you first move in, you give an extra set of keys to your parents in case you’re not home and they need something in a pinch. Over the next few years, you form relationships with your neighbors and give them a set of keys in case they need to access your house to help watch your pets, water the plants, or keep an eye on things while you’re away. A few years after that, your neighbors move to another neighborhood, but your sister and brother-in-law move into town, so you give them a set of keys. And there’s that one time you went on vacation and needed your friend from work to check on the house, so you gave him a key for that week.

Over time, several people have keys to your home and, at any time, can unlock your door and enter your home unannounced with unknown intentions. Your neighbors who have moved still have your keys even though they’re miles away, and your coworker who was helping for that one week and no longer needs a key still has access.

This is extremely similar to the way third-party remote access works. At first, organizations grant access to several third parties to outsource critical functions that can’t be performed in-house. It makes sense. The connection fits. However, over time, changes happen: organizations might lose track of which third parties have access, changes within the third party occur (like new hires being added) which makes it difficult to know who has access, and as time goes on, it’s easy for third parties to end up with far more access than they need.

You wouldn’t want your coworker or former neighbor coming into your home and poking around where they shouldn’t be. This is your house, and you trusted these people with access to your home for a very specific reason. The same goes for remote access. You, the organization, gave access to a third party for a very specific reason. You don’t want them snooping around in your network where they shouldn’t be.

Now, let’s say your coworker who has your key accidentally leaves it on his desk one day, or your former neighbor drops the key while shuffling around her purse looking for her car keys. A stranger could find it, find out whose house it belongs to, and, with malicious intent, intrude into your home and cause chaos. Or, even worse, let’s say a burglar has targeted your house because they like your TV, your furniture, and your car. With a key to your home, they can access all of this and take it for their own. They’ve also been keeping an eye on your home, your behavior such as when you leave for work and when you go on vacation, and who’s been accessing your home with their own set of keys - i.e. your family, neighbors, and coworker. They follow these people around - very nonchalantly and innocently, like a fellow grocery store shopper or passerby - until they have an opportunity to steal a key. Once they have a key, they have access to everything in your home and can cause far more damage, and cost you far more, than the price of copying a key.

This scenario is scary, and it’s just as scary for organizations that don’t know which third parties have access into their networks. There are bad actors whose goal is to infiltrate networks to access private and proprietary information and use it maliciously against the company to either cause reputational damage or gain a large ransom payout. When organizations give access to third parties, they are widening their attack surface, because any remote connection is a highway into a network for a hacker. And while we like to give the benefit of the doubt and think that all remote access, VPN connections, and desktop sharing sessions are secure, this just isn’t the case. The “it won’t happen to me” mentality is exactly what causes the unpreparedness that leads to data breaches and costly clean-up.

What can you do to mitigate third-party risk?

Remote access for third parties is essential for many businesses to operate. It’s rare for an organization not to use third parties for business functions. So, since getting rid of third parties is out of the question, how can you adequately monitor and minimize the risk that comes with granting remote access to third parties?

Third-party risk management

It’s time to implement a third-party risk management (TPRM) program. As the name implies, a TPRM program is built to manage the risk that comes from third parties and stop any suspicious and malicious activity before it makes its way into your network. Hackers are smart - firewalls and tricky passwords are no longer a challenge for bad actors with advanced technological skills and a good motive. A TPRM program builds a thicker defense system against attackers and reduces the risk of network intrusion. Here are some ways to start implementing a TPRM program:

  • Assess third-party vendor risk on a regular basis. When you evaluate the risk level of each vendor, you can adequately prepare for the threats that come with it. This should also be done before onboarding each new third party and/or granting any third-party remote access.
  • Use credential vaulting wherever necessary. Giving third parties passwords is always a risk. Who’s to say the third-party employee won’t write it down on a sticky note or give it to another employee who lost their login? Credential vaulting is an effective, safe, and efficient solution for connecting a third party into your network without handing over the credential itself.
  • Implement more granular controls and permissions via least-privilege access. Third parties should only have access to what they need to do their job and nothing more. Rather than granting access to the entire system, restrict permissions to only the application or system needed, so a third party can get in and out of your environment without poking around other areas of the network.
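The three steps above all depend on one thing the manufacturing company in the opening story lacked: an inventory of which third parties can reach which systems, how they authenticate, and when their risk was last reviewed. The following added example (not code from the article or from SecureLink) shows what a first review of such an inventory looks like in practice. It audits a constructed list of vendor access records against the three controls in the list: it flags access beyond what the vendor's job requires (least privilege), shared passwords instead of vaulted credentials, risk assessments that are missing or older than a year, and access that has sat unused for 90 days, which is the "former neighbor still has a key" case. The thresholds, field names and vendor records are all assumptions chosen for illustration.

```python
"""Audit a third-party remote-access inventory against basic TPRM controls.

Added example with constructed data; the record layout and thresholds are
assumptions, not a real product's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy thresholds (assumed for this example).
ASSESSMENT_MAX_AGE = timedelta(days=365)   # re-assess every vendor at least yearly
DORMANT_AFTER = timedelta(days=90)         # unused access is a standing risk


@dataclass
class VendorAccess:
    vendor: str
    granted: set[str]                 # systems the vendor can currently reach
    required: set[str]                # systems the contracted work actually needs
    credential: str                   # "vaulted" or "shared_password"
    last_assessed: Optional[date]     # last risk assessment; None if never done
    last_used: Optional[date]         # last remote session; None if never used


def audit_vendor(v: VendorAccess, today: date) -> list[str]:
    """Return the policy findings for one vendor, in a fixed order."""
    findings: list[str] = []

    # Least privilege: anything granted but not required is excess.
    excess = v.granted - v.required
    if excess:
        findings.append("excess_privilege:" + ",".join(sorted(excess)))

    # Regular risk assessment: missing or older than the policy window.
    if v.last_assessed is None or today - v.last_assessed > ASSESSMENT_MAX_AGE:
        findings.append("stale_assessment")

    # Dormant access: a key nobody uses is a key nobody is watching.
    if v.last_used is None or today - v.last_used > DORMANT_AFTER:
        findings.append("dormant_access")

    # Credential vaulting: a password handed to the vendor can be copied.
    if v.credential != "vaulted":
        findings.append("unvaulted_credential")

    return findings


def audit_inventory(inventory: list[VendorAccess], today: date) -> dict[str, list[str]]:
    """Audit every vendor and return findings keyed by vendor name."""
    return {v.vendor: audit_vendor(v, today) for v in inventory}


def vendors_needing_attention(report: dict[str, list[str]]) -> list[str]:
    """Vendors with at least one finding, sorted for a stable review list."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory: four fictional vendors as of a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    VendorAccess("HVAC Vendor", {"bms", "erp", "file-share"}, {"bms"},
                 "shared_password", None, date(2024, 5, 28)),
    VendorAccess("PLC Integrator", {"plc-jump-host"}, {"plc-jump-host"},
                 "vaulted", date(2024, 1, 15), date(2023, 12, 1)),
    VendorAccess("Payroll Processor", {"hr-portal"}, {"hr-portal"},
                 "vaulted", date(2024, 3, 1), date(2024, 5, 30)),
    # Contract ended, access never revoked: the former-neighbor case.
    VendorAccess("Former MSP", {"vpn-full"}, set(),
                 "shared_password", date(2022, 1, 1), None),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for name in vendors_needing_attention(report):
        print(f"{name}: {', '.join(report[name])}")
```

Running it lists three of the four vendors for review; only the payroll processor, whose access matches its job, is vaulted, recently assessed and in active use, comes back clean. The point is the ordering of the work: you cannot apply least privilege or vaulting to a vendor you have not first discovered and recorded, which is why the list above starts with assessment.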

Third parties are important. They make it possible for many organizations to function and operate efficiently on a daily basis. They solve problems when organizations are in a bind and offer solutions that are outside an organization’s wheelhouse. Third parties are good. The risk associated with them is bad. A third party’s level of service shouldn’t be hindered by the risk it brings to a network. Start by taking a look at your third parties, identifying who those third parties are, assessing the risk associated with each one, and streamlining remote access security with a TPRM program. Taking these first steps will only lead to more productivity from your vendors who only have access to their specific function, less stress about costly data breaches, reputation, and financial implications for organizational leadership teams, and company-wide peace of mind. This article was first published on Cybersecurity Dive.