Avoiding Third-Party Access Pitfalls That Cause Security Risks
Pitfall: Believing They Do What They Say They Do
Vendors need access to critical systems in the normal course of business, but that doesn’t mean they need access to all of the information in the systems. In a health care setting, for instance, a vendor may need to access an electronic health records system to provide important software updates, but they don’t need to access individual health records. The same can be said for financial and operational systems that house vital and valuable insider information. Trusting that vendors and contractors don’t have either curious or malicious insiders is a pitfall that has resulted in data breaches time and time again.
Pitfall Alternative: Monitor Vendor Actions
Monitor and chaperone vendor actions in real time, or review recordings after the fact to support root-cause analysis and to verify that the job was done right. Recording and monitoring all privileged access activity provides transparency and visibility, and becomes useful in an IT security audit following a compromise. The inability to trace backward by reviewing remote access sessions and user log-ins can be crippling to an organization that needs to close security gaps or meet compliance regulations. Technology that captures and records this information is essential, given that public- and private-sector businesses are consistently being probed for weaknesses.
Pitfall: Vendors Don’t Operate in a Vacuum
Organizations often make the mistake of believing their vendors and other third parties operate in a vacuum and may fail to take the steps to ascertain their security risks. The often weak security practices of vendors make these third parties a prime target for hackers. Taking advantage of vendor access to organizations’ networks, hackers can get in, plant malware, snoop around in critical business systems and wreak havoc.
Pitfall Alternative: Record Vendor Actions
Audit and log all vendor actions. This is important not just for compliance but also to provide intel on their activities to other security or behavioral analysis systems for dashboarding and correlation against other events for a holistic security view. Spotting suspicious activity—such as access to unusual systems or during odd hours—early on will help limit the reach and potential damage of a data breach.
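As an added illustration of the kind of correlation described above (example code, not from the original article or any vendor product), the following script runs over a few constructed vendor session log lines and flags access to a system outside the vendor's approved target list or outside its agreed maintenance window. The log format, vendor names, targets and policy table are all assumptions made up for the example.

```python
import json
from datetime import datetime, time

# Constructed sample: one vendor session event per line (JSON), in the shape a
# privileged-access gateway might emit. These are not real records.
SAMPLE_LOG = """
{"ts": "2024-03-04T10:15:00", "vendor": "ehr-support", "user": "j.doe", "target": "ehr-app-01", "action": "ssh"}
{"ts": "2024-03-04T23:40:00", "vendor": "ehr-support", "user": "j.doe", "target": "ehr-app-01", "action": "ssh"}
{"ts": "2024-03-05T11:05:00", "vendor": "ehr-support", "user": "j.doe", "target": "fin-db-02", "action": "ssh"}
{"ts": "2024-03-05T14:20:00", "vendor": "hvac-maint", "user": "a.lee", "target": "bms-ctl-01", "action": "rdp"}
"""

# Assumed per-vendor allow-list of systems and maintenance window (constructed policy).
VENDOR_POLICY = {
    "ehr-support": {"targets": {"ehr-app-01", "ehr-app-02"}, "window": (time(8, 0), time(18, 0))},
    "hvac-maint": {"targets": {"bms-ctl-01"}, "window": (time(7, 0), time(19, 0))},
}


def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(events, policy=VENDOR_POLICY):
    """Return (event, reason) pairs for vendor activity outside policy: an
    unknown vendor, a target not on the vendor's allow-list, or a session
    started outside the agreed maintenance window."""
    findings = []
    for ev in events:
        rules = policy.get(ev["vendor"])
        if rules is None:
            findings.append((ev, "unknown vendor"))
            continue
        if ev["target"] not in rules["targets"]:
            findings.append((ev, f"unusual target {ev['target']}"))
        start, end = rules["window"]
        t = datetime.fromisoformat(ev["ts"]).time()
        if not (start <= t <= end):
            findings.append((ev, f"outside window {start}-{end}"))
    return findings


if __name__ == "__main__":
    for ev, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(ev["ts"], ev["vendor"], ev["user"], ev["target"], "->", reason)
```

In a real deployment the findings would be forwarded to the SIEM or behavioral analytics platform so they can be correlated with other events, rather than printed.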
Pitfall: Vendors Have All the Fun (in Your Network)
Offering carte blanche access to your network is a recipe for a substantial data breach. Many employees, vendors or other privileged users may only need access to limited, or very specific, systems, while some privileged users, such as IT administrators, require broader access. Implementing granular access controls can prevent hackers from infiltrating your system via a vendor and causing substantial damage. The inability to limit permissions for vendors and other third parties is one of the reasons the average length of time to detect a data breach has reached 243 days.
Pitfall Alternative: Set Time Limits
Pitfall: Vendors Like to Ask for Forgiveness
We’ve all heard (and probably acted on) the adage, “It’s easier to ask forgiveness than it is to get permission.” Vendors and other third parties are no different. Without maintaining tighter controls over who is accessing what and when in the network, organizations open themselves up to data breaches. Allowing vendors to connect to much more of the network than needed without explicit permission also opens the doors for hackers to access those same systems.
Pitfall Alternative: Vendors Should Ask for Permission
Make vendors ask for permission by ensuring that dual controls and approval workflows exist to protect critical systems. Why do they need access? Make them state the reason for each ad hoc request. Then you decide whether to grant it before they get in. Adding alerts for ad hoc access requests also allows users to address urgent issues without sacrificing security.