Third-party access: the forgotten security risk

Nearly every organisation today relies on a variety of remote third-party vendors to access, maintain, and support critical internal systems and resources. These vendors have come to play a critical role in maintaining modern organisations’ complex and distributed IT infrastructures. However, third-party access does not come without accompanying risk. Whilst organisations may have extensive security measures in place to guard against attacks targeting internal accounts, the security of third-party vendors with access to internal systems is a widely overlooked issue.

About the author

David Higgins, EMEA Technical Director at CyberArk.

Third-party access use is worrying because recent data breaches have shown that it is a common factor in successful cyber-attacks. In January, co-working provider Regus suffered a highly sensitive breach in which employee performance details ended up being published online. The breach was a direct result of third-party access insecurities and occurred because Regus commissioned a third party to assess staff performance using secretive filming. The results were then accidentally leaked through a task management website.

The threats brought about by third-party access are clear, and they are rising because third-party use is significantly more extensive than might be expected. Despite this, securing that access is still not being given priority, even though it is high up on the list of likely targets for cyber-attackers.

Third-party use is growing

The extent of third-party use today is truly astounding. Businesses are looking more and more to outsource internal functions and operations, as well as external services. According to our recent study, a quarter of businesses claimed they use over 100 third-party vendors, mostly requiring access to internal assets, data, and business apps in order to operate effectively and fulfill their contracts.

Our study also found that 90% of respondents allow third parties to access not only internal resources but critical internal resources. That should be an immediate cause for attention for any CISO. When a third party has access to critical data, the team in question immediately becomes only as fast as its slowest man. In other words, businesses relying on external vendors might have implemented excellent cybersecurity measures themselves, but this all means nothing when the vendor’s access controls are insecure.

For many organisations, securing third-party vendor access is incredibly complex – often requiring a cobbled-together solution of products like multi-factor authentication, VPN support, corporate-shipped business laptops, directory services, agents, and more. This has not only led to confusion and overload for security practitioners, but has also created tangled and often insecure routes for third parties to access the systems they need to do their jobs.

Third-party access is a priority to de-risk

Despite such extensive use of third parties – and nearly all requiring access to critical internal assets – businesses are still not implementing appropriate security measures. A whopping 89% of businesses felt that they could do better or were entirely unhappy with their efforts to secure third-party vendor access, according to our research. Despite this, third-party access regularly featured as one of their top 10 organisation-wide security risks, alongside others like cloud abuse (when cybercriminals exploit vulnerabilities in cloud computing environments), phishing, and insider threats.

Securing third-party access, then, is becoming a top priority for organisations, and with good reason. These attacks and resulting data breaches can be incredibly costly, both in terms of reputation and financial losses. Despite this, the same businesses are overwhelmingly dissatisfied with how they currently approach managing and securing access for these remote vendors.

Getting cybersecurity access right

If third-party access is a top 10 risk, why are so many failing to secure it?

Provisioning and deprovisioning access can feel a lot like Goldilocks and the Three Bears. You can’t allow too much access, where vendors have access to things they don’t need or for longer than they’re needed, or too little, where vendors are forced to create unsafe backdoor routes to critical resources. The level of access has to be just right. Provisioning and deprovisioning access are often cited as the biggest roadblocks to achieving this, with a lack of visibility also a repeated problem.

Legacy solutions currently dominate. Most modern organisations rely on VPNs to secure third-party access, but these were not designed to manage the dynamic privileged access that is a feature of modern requirements, like role-based access protection and session recording. Companies also don’t have a holistic view of what third-party vendors are doing once they authenticate, and that is a serious problem. Best practice is to record, log, and monitor privileged network activities, a common requirement for audit and compliance.

As organisations depend more and more on third parties to get the work done, the security difficulties they face become harder and harder to ignore. Without a dedicated solution for managing third-party privileged access, organisations have been forced to use miscast solutions like VPNs.

Third-party access remedies

There are a couple of clear remedies for this problem. The first answer is to swiftly set up secure, structured, and multi-leveled privileged access controls. By introducing a process governing the types of data and assets that can be accessed by third parties and running it on a case-by-case basis, businesses can take a big step towards building a more effective defense against third-party vulnerabilities.

Alternatively, ‘all-in-one’ SaaS-based security subscriptions are also now available. These novel solutions provide a combined approach by integrating standard security tools and services, including privileged identity management, resulting in an easy-to-implement solution to securing third-party access. As a result, where securing one of a business’s top security risks was once complex, organisations can now access all the tools they need through a single package, which creates a much more digestible approach for businesses that don’t want to deal with the complexity of a tangled web of security measures.

Securing third-party access is clearly an issue that needs to be addressed, and quickly too. Incidents like the controversial Regus data breach show us how costly these vulnerabilities can be when left untended. Although the culprits are sometimes caught in the end, both the human and business costs remain. When contemporary SaaS offerings provide all the tools necessary to secure an organisation’s external accounts, there is no excuse for third-party access to remain insecure, or for businesses not to function freely.

David Higgins, Senior Director, Field Technology Office at CyberArk.