Vulnerable vendors make you vulnerable

Managing third-party vendors is a fact of life for many organizations, and one factor that is important to consider (yet often overlooked) is whether one or more of your vendors may be vulnerable to outside intrusion in any way. This factor is crucial to know, because when vulnerable vendors have remote access to your network, then you become vulnerable as well. Potential vulnerabilities include insecure infrastructure within a vendor company, or vendors sharing passwords internally. Workers may have heard it a million times - sharing login or password credentials is never a good idea - but despite high awareness of the risks posed by sharing credentials, it still happens with alarming frequency, and vendors are no exception.

Why it’s vital to avoid vendor vulnerability

Vendor vulnerability scenarios may result in little or no harm if you’re lucky. However, they can also lead to damaging situations, such as data breaches or loss of compliance status.

Risk of a data breach

It seems to be in the news every week, if not daily: major companies are suffering data breaches. But even if your company is relatively small compared to such large organizations, it can happen to you, especially if you employ one or more vendor who is vulnerable to attack in various ways. The logic is simple: if your vendors are vulnerable, and a hacker exploits one of these weak points in your security network, that bad actor can potentially access your resources, destroy critical information, lock company data, demand money, ruin your reputation, or all of the above. This was illustrated tragically in the record setting Target breach who had 40 million customers credit cards exposed in an exploit of their heating and cooling system vendor. And many vendor-caused breaches have happened since, affecting companies large and small.

Compliance risks

Vendor vulnerabilities can also threaten compliance with regulations. One example is the Criminal Justice Information Services (CJIS) standard that many small governments and law enforcement agencies have to comply with. Always remember this fact: your compliance depends heavily on the security policies and procedures of your vendors. If any of your vendors are not fully compliant, then neither are you.

Types of vendor vulnerability

Now that we have discussed the risks of data breaches, system hacks, and falling out of compliance that come with vendor vulnerabilities, let’s look at the ways in which vulnerabilities can occur.

Insecure infrastructure

Do you know what infrastructure your vendors have? Do they use cloud providers or third-party data centers for parts of it? How do you know that your vendors are keeping their infrastructure security up to date? These questions must be addressed by any organization using third-party vendors because new security threats are being developed all the time. Your organization may be on top of this regular updates, applying security patches, and upgrading to newer, better systems and infrastructure when needed— but what about your vendors? Are your vendors as diligent as your internal security team? The hard truth is that many companies, whether they know it or not, may have insecure infrastructure, which isn't capable of warding off today’s advanced cyber threats. Due diligence in the form of vendor risk assessments and questionnaires are critical to gaining this understanding. Then there’s the Internet of Things (IoT) and other new technologies, which can pose additional vulnerabilities. With each new integration of the latest tech development comes new potential pressure on some vendors’ infrastructure. While we’d like to assume otherwise, it’s likely that the core infrastructure of some vendors may not be the latest and greatest and might not be designed to identify or eliminate all of today’s security threats. If this is the case, and one or more of your vendors has insecure infrastructure, your network is vulnerable to threats. Even one insecurity is one too many since your network is only as secure as its weakest link.

Vendors targeted in multi-stage cyberattacks

In 2018, a US government alert described ongoing Russian cyber activity that has targeted "trusted third-party suppliers with less secure networks." These third parties, referred to as "staging targets", were intended to serve as a gateway to the Russians' final victims. The Department of Homeland Security, as well as the FBI, found that malicious actors were "leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA)" to exploit the infrastructure of staging targets to gain access to several final targets.

VPNs: V for vulnerable

Note that “VPN” (Virtual Private Network) is mentioned in the Russian alert. Perhaps the “V” should stand for vulnerability, because VPNs have been exploited not only during this Russian cyberattack but by other malicious actors as well, like in a number of well-documented data breaches at major companies. VPNs may also put you at risk when it comes to audits and compliance. For example, the increased sophistication, frequency, and cost of cyberattacks during the past few years have led to increased compliance standards across the board, especially when it comes to monitoring and logging third party access. Yet remote access tools like VPNs and desktop sharing often fail to meet the standards and produce the records that are now required to pass a compliance audit.

Lack of granular control over vendor access

Some solutions for remote vendor access feature “all or none” access: either a vendor gets access to an organization’s entire network or no access at all. Since software vendors must have network access in order to do their jobs, organizations are often willing to give them an open door to their resources, in order to gain the benefits each vendor provides. However, this practice exposes that organization to greater risk. If remote access software lacks the ability to control access in a more granular fashion (restricting access to only those resources a vendor needs), then each vendor with all-or-nothing access makes your network more vulnerable to an attack.

The takeaway: know your vendors inside and out

To protect you, your network, and your reputation, you need to monitor and keep in close communication with each vendor you employ to make sure they are following this same path of being proactive about their protection. In today’s world of ongoing cyber threats, it is simply too risky to assume that all vendors are doing everything they can to maintain compliance and best practices when it comes to security.