Third Party Access: Considerations and Security Risks


What is Third Party Access and Security?

Third-party security protects an organization from risks associated with third-party vendors. Businesses have traditionally invested time and money protecting their perimeter and on-premises systems with little focus on vendor security practices.

All companies use third-party vendors, and in many cases, these vendors gain authorized access to customer or employee data, or integrate third-party services into the organization’s systems. In addition, third party vendors have their own suppliers as well—and these may pose additional risks to the organization.

Many third-party vendors and contractors have small information security teams and cannot guarantee the same level of security as the customer organization. This makes third party vendors a target for attackers, who can use them as an easy way to penetrate highly protected networks. Securing third party access should be a top priority for almost every organization.

This article is part of a series about endpoint security.

Why is Third-Party Access Security Important?

Remote Work

In the wake of the COVID-19 pandemic, many companies, including third parties, have implemented a work-from-home policy. These changes pose a number of important cybersecurity challenges.

One problem is a reduced ability to authenticate and authorize third-party vendors, because face-to-face operations are not possible. As a result, there is an increasing demand for multi-factor authentication, access control monitoring, and strong password generation. As work and sales activity transitions to email and the web, so does the risk of phishing and malware attacks. Additionally, third-party vendors may access corporate systems using personal devices which are not secure.

This risk can be exacerbated by supply chains. Small suppliers that lack the resources to implement the necessary security measures present an opportunity for cybercriminals, who can abuse the supplier's privileged access to enterprise systems.

Third-Party Data Breaches

According to Ponemon’s 2021 Cost of Data Breach Report, the average cost of a data breach in the US was $4.24 million, and third-party software vulnerabilities increased costs by $90,000. The true number may be higher, because third-party attacks are highly evasive and many of them may take months or years to discover.

According to another Ponemon report, 44% of organizations surveyed said they experienced a security breach, and of those, 74% said the breach occurred because they gave too much privileged access to a third party.

Cloud Storage Risks

More and more software is managed in the cloud, which can lead to even more catastrophic data breaches due to cloud configuration incidents. Several recent data breaches illustrated that sensitive data is commonly stored on unsecured servers hosted by third parties.

Organizations must be very careful about any data they store outside their direct control, including but not limited to the cloud. There is a growing need for cloud storage security solutions that can verify the security of the cloud, because it is impossible to avoid misconfigurations in a fast-moving, complex cloud environment.

Data Privacy Regulations

The GDPR (in the EU) and CCPA (in California) place unprecedented data privacy restrictions on businesses. Similar regulations have been enacted worldwide. These regulations have a significant impact on how organizations approach privacy and cybersecurity vendor management.

For example, GDPR requires organizations to verify that third parties protect the privacy of their data. The CCPA states that organizations must implement “reasonable” security measures for third parties. Such reasonable security measures include encrypting sensitive data and ensuring security controls exist on any device that holds sensitive data. This can include malware protection and allowlisting or blocklisting of applications.

Tal Zamir

Types of Third Party Risks

Third party access can create risks in a variety of ways. Following are the main types of third party risks, all of which can be manifested by insecure third party access:

Operational—risks can arise from the possibility of operational disruption due to third-party actions. If an organization’s critical systems depend on a supplier, any event affecting the supplier’s business is a direct risk.
Cybersecurity—third parties are today a preferred target for attackers. Attackers can break into the supply chain, silently infect systems and devices, and then use the third party as a “platform” to launch attacks against higher-value targets.
Compliance—risks can arise from the failure of a third party to put security controls in place, resulting in data loss. This can lead to data privacy breaches, liability and compliance penalties for large enterprises. Violations of environmental or labor laws by third parties may also present a compliance risk.
Financial—third parties can risk an organization’s finances, for example by introducing faulty materials or products into a process, impacting sales and revenue. Failure by suppliers to deliver on time and meet their contractual obligations can also result in financial losses.
Strategic—strategic risks can occur when third parties clash with the customer organization’s business strategy. For example, a supplier may use its privileged knowledge and access to compete with an organization’s business.

Best Practices for Third-Party Vendor Risk Management

Follow these best practices to manage third-party access and reduce risk.

Limit Access

Deploy a privileged access management solution to ensure only authorized users can access your organization’s sensitive data. Protect your critical assets using two-factor authentication (2FA). This approach makes it difficult for attackers to compromise your network even if they steal an individual’s credentials. Manual access approval and one-time passwords can also help prevent attackers from accessing your network.

Establish Security Policies for Vendors

Establish cybersecurity rules for your third-party vendors and any employees working with them. Create an internal policy that outlines the responsibilities of all parties and the standard actions for different cases and procedures. Familiarize your subcontractors and employees with these rules.

Enable Continuous User Activity Monitoring

Many laws, IT regulations, and standards require ongoing user activity monitoring. Monitor the activity of your third-party vendors within your network so you know who is accessing your critical assets, what they are doing with them, and when this activity is taking place.

Plan for Third-party Incident Response

Prepare to respond to an incident related to a subcontractor before it occurs. Survey the full range of cybersecurity risks and threats and identify those relevant to your organization. Then create formal procedures to mitigate such risks.

Ensure timely detection of cybersecurity events by using a dedicated solution. Use this solution to configure notifications and alerts for suspicious activity and events connected to your subcontractor’s activities.

Select responsible personnel who should get notified if a cybersecurity event related to third parties occurs. Add their names and contact details to your organization’s cybersecurity policy. Ensure they have the skills and knowledge necessary to contain and remediate a third-party data breach. Alternatively, you can opt to work with a solution that also provides managed Incident Response as a service, which will reduce your overhead.
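The three practices above (scoped, time-bound access behind a second factor; logging who touched what and when; alerting on suspicious vendor activity) can be captured in a small access broker. The following is an added illustration, not code from the article or from Perception Point's products; the vendor name, resources and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class VendorGrant:
    """Scoped, time-bound, explicitly approved access for one vendor account."""
    vendor: str
    resources: frozenset          # only these systems, nothing else
    approved_by: str              # human approver, recorded for audit
    expires: datetime             # access lapses on its own unless renewed

class VendorAccessBroker:
    """Decides every third-party access request and records the outcome."""
    def __init__(self):
        self.grants = {}
        self.audit_log = []       # who / what / when / result, per request

    def grant(self, g: VendorGrant):
        self.grants[g.vendor] = g

    def authorize(self, vendor, resource, mfa_passed, now):
        g = self.grants.get(vendor)
        if g is None:
            reason = "no active grant"
        elif now >= g.expires:
            reason = "grant expired"
        elif resource not in g.resources:
            reason = "resource outside approved scope"
        elif not mfa_passed:
            reason = "second factor missing"
        else:
            reason = "allowed"
        self.audit_log.append({"vendor": vendor, "resource": resource,
                               "time": now, "result": reason})
        return reason == "allowed"

def vendors_to_alert(audit_log, max_denials=2):
    """Alert rule: vendors denied more than max_denials times, e.g. a
    compromised contractor account probing systems outside its scope."""
    denials = {}
    for e in audit_log:
        if e["result"] != "allowed":
            denials[e["vendor"]] = denials.get(e["vendor"], 0) + 1
    return sorted(v for v, n in denials.items() if n > max_denials)

def demo():
    """Constructed scenario: an HVAC contractor with a one-day grant to one system."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = VendorAccessBroker()
    broker.grant(VendorGrant("hvac-contractor", frozenset({"bms-prod"}),
                             "facilities-lead", t0 + timedelta(days=1)))
    results = [broker.authorize("hvac-contractor", "bms-prod", True, t0),
               broker.authorize("hvac-contractor", "bms-prod", False, t0),
               broker.authorize("hvac-contractor", "payroll-db", True, t0),
               broker.authorize("hvac-contractor", "crm-db", True, t0),
               broker.authorize("hvac-contractor", "bms-prod", True, t0 + timedelta(days=2))]
    return results, vendors_to_alert(broker.audit_log)
```

Only the first request succeeds; the missing second factor, the two out-of-scope systems and the expired grant are all refused, and the repeated denials are enough to raise an alert on that vendor account.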

Perception Point Advanced Browser Security

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, access to sensitive corporate infrastructure and SaaS applications is secured against data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel or proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.

Contact us to get a demo of our Advanced Browser Security solution, today.
