Third Party Security Risk Management Best Practices
In 2016, the average enterprise had to manage access for 89 vendors. The number climbed to 181 vendors in 2017 and has continued to increase as more industries switch to cloud-based software and services. With this expansion comes an increased breach risk, which requires enterprises to go beyond the borders of their internal networks to address third party access risks and implement strict security procedures for external users.
The Rise and Risk of Third-Party Access
Eighty-one percent of IT professionals reported seeing an increase in third-party enterprise network access between 2015 and 2017, but only 34% of companies keep detailed inventories of the vendors with access to their networks. This low level of visibility may stem from a combination of poor third-party risk management and an unnaturally high level of trust. Two-thirds of enterprise IT professionals admit to trusting vendors more than they should, and just 35% would rate their third-party risk management strategies as “highly effective.”
Assuming vendor access is safe on the basis of familiarity with, or the reputation of, a vendor can be a mistake with far-reaching consequences. Fifty-eight percent of organizations reported breaches related to vendor access in 2019, pointing to a need for stronger access management policies. While an otherwise trustworthy vendor is unlikely to perform malicious actions while logged into an enterprise system, vulnerabilities in that vendor's own network or software, or simple human error, can act as a gateway for attackers. If the vendor's systems are breached, the attacker inherits the vendor's credentials and can reach every enterprise the vendor connects to.
Managing and Mitigating Vendor Risk
Since 63% of businesses lack the resources for appropriate management of vendor relationships, inherited vulnerabilities remain an ongoing challenge. Risk reduction hinges on awareness and visibility. Enterprises need to know who has access to their networks, as well as when and how connections are being made.
Those with existing third-party relationships must take inventory of all vendors and review third-party security policies. This should include assessments of how data is stored and secured, as well as careful evaluation of breach prevention strategies. Following the same procedure before allowing access for new vendors can prevent inherited vulnerabilities from becoming breach risks.
Limitations on vendor access, including which devices may be used, provide additional security. Third parties should only be able to access the information they need to perform essential services, and all devices used should be approved in advance by the enterprise with ownership of the network. Because some vendors may pose higher risks than others, a rules-based risk assessment can be useful in determining the amount of oversight required to minimize the possibility of a breach.
Viewing vendors as users brings them under the umbrella of internal security policies, including onboarding and offboarding procedures. Each vendor should be subject to consistent monitoring for unusual behavior patterns during network sessions and denied access should any red flags arise. In the event a vulnerability is discovered on the vendor’s end, it’s up to the enterprise to point it out and request a fix. If a vendor refuses to correct the problem or chooses to remain ignorant of the potential consequences, it may be necessary to revoke all access or find another provider.
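The two preceding paragraphs describe a control loop: keep an inventory of each vendor's approved devices, permitted resources and contract dates, check every vendor session against it, and revoke access when a red flag appears. The script below is an added example of that loop and is not code from the original article. The inventory records, the log format, the working-hours window, the risk tiers and the revocation rule are all assumptions constructed for illustration; a real deployment would read the inventory from the vendor register and the sessions from a VPN or privileged-access gateway.

```python
"""Vendor access review: check session logs against a vendor inventory.

Added example (not from the article). The inventory, log format,
working-hours window and revocation rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass
class Vendor:
    """One record in the (hypothetical) third-party access inventory."""
    name: str
    risk_tier: str            # "high" | "medium" | "low" from the risk assessment
    approved_devices: set     # devices the enterprise approved in advance
    allowed_resources: set    # least-privilege scope for this vendor
    contract_end: date        # offboarding date; access after this is a miss
    work_hours: tuple = (time(8, 0), time(18, 0))  # approved session window


# Constructed inventory: two vendors with different risk tiers.
INVENTORY = {
    "acme-hvac": Vendor("acme-hvac", "low", {"dev-acme-01"}, {"bms.prod"},
                        date(2024, 12, 31)),
    "datapro": Vendor("datapro", "high", {"dev-dp-07", "dev-dp-08"},
                      {"erp.db", "erp.api"}, date(2024, 6, 30)),
}

# Constructed sample log: timestamp vendor device resource bytes
SAMPLE_LOG = """\
2024-05-02T09:15:00 acme-hvac dev-acme-01 bms.prod 1200
2024-05-02T22:40:00 acme-hvac dev-acme-01 bms.prod 900
2024-05-03T10:05:00 datapro dev-dp-07 erp.db 50000
2024-05-03T10:20:00 datapro dev-laptop-x erp.db 3000
2024-05-03T11:00:00 datapro dev-dp-08 hr.payroll 700
2024-07-15T14:00:00 datapro dev-dp-07 erp.api 400
2024-07-16T09:00:00 unknownco dev-zz-01 erp.api 100
"""


def parse_log(text):
    """Yield (timestamp, vendor, device, resource, bytes) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, device, resource, nbytes = line.split()
        yield datetime.fromisoformat(ts), vendor, device, resource, int(nbytes)


def review_session(ts, vendor_name, device, resource, inventory=INVENTORY):
    """Return the list of red flags for one session (empty list = clean)."""
    v = inventory.get(vendor_name)
    if v is None:
        return ["not_in_inventory"]          # access with no approval record
    flags = []
    if ts.date() > v.contract_end:
        flags.append("contract_expired")     # offboarding was not executed
    if device not in v.approved_devices:
        flags.append("unapproved_device")
    if resource not in v.allowed_resources:
        flags.append("out_of_scope_resource")
    start, end = v.work_hours
    if not (start <= ts.time() <= end):
        flags.append("off_hours")            # unusual session time
    return flags


def review_log(text, inventory=INVENTORY):
    """Map vendor -> [(timestamp, flags)] for flagged sessions only."""
    findings = {}
    for ts, vendor, device, resource, _ in parse_log(text):
        flags = review_session(ts, vendor, device, resource, inventory)
        if flags:
            findings.setdefault(vendor, []).append((ts, flags))
    return findings


def revoke_decision(findings, inventory=INVENTORY):
    """Vendors whose access should be cut now.

    Assumed rule: high-tier vendors lose access on any red flag; lower
    tiers only on hard failures (expired contract, unknown vendor,
    unapproved device). Softer flags go to the monitoring queue instead.
    """
    hard = {"contract_expired", "unapproved_device", "not_in_inventory"}
    revoke = set()
    for vendor, items in findings.items():
        v = inventory.get(vendor)
        all_flags = {f for _, flags in items for f in flags}
        if v is None or v.risk_tier == "high" or all_flags & hard:
            revoke.add(vendor)
    return revoke


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for vendor, items in found.items():
        for ts, flags in items:
            print(f"{ts.isoformat()} {vendor}: {', '.join(flags)}")
    print("revoke:", sorted(revoke_decision(found)))
```

Against the constructed log this flags the low-tier vendor's late-night session for monitoring only, while the high-tier vendor is revoked for an unapproved laptop, an out-of-scope resource and a session after its contract ended, and the unknown vendor is revoked because it has no inventory record at all. The point of separating `review_session` from `revoke_decision` is that the red-flag rules and the oversight level per risk tier can be tuned independently, which is what a rules-based risk assessment needs.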
Proper governance ensures such third-party access rules are enforced. Enterprises with strong governance models are better able to evaluate, track, approve and monitor third parties and respond to risks in real time than the 44% of companies taking an “all or nothing” approach to vendor access.
Establishing Third-Party Security Guidelines
When enterprises assume external access poses less of a risk because vendors have their own security policies, they lack the knowledge and foresight required to maintain secure networks. Rather than relying on questionable or inadequate vendor security, enterprise IT professionals must take the initiative and create solid policies to govern vendor access.
Policies should include the following:
- Vendor and third party access approval
- Level of access allowed based on vendor needs
- How access is managed and controlled
- Policy review criteria for vendor access management including management of privileged accounts
- Provision for continual risk evaluation
- Routine review of vendors’ security policies and practices
Consistent enforcement of access guidelines is necessary to protect against third-party vulnerabilities and preserve the integrity of enterprise networks. Compiling policies into a document provides a straightforward checklist for new vendor evaluation and existing vendor monitoring, which is essential in a digital environment where new threats continue to emerge.
The complex interconnectivity between enterprises and vendors requires diligence and discernment on the part of IT professionals. Because enterprises can’t operate efficiently without support from third parties, it’s essential to establish clear policies and enforce access limitations while continually monitoring network activity. Making vendor boundaries a security priority ensures safer access for all network users and protects enterprises from hackers seeking to exploit third-party vulnerabilities.