There’s a dark side to outsourcing business services.
Beyond the advantages of cost efficiency and flexibility, outsourcing comes with inherent security risks. Investing heavily in securing your in-house network isn’t enough. One misstep when working with a third-party service provider can give attackers direct access to your most sensitive data regardless of your perimeter defenses.
According to a 2018 Ponemon Institute study, 59% of companies have experienced a third-party data breach. And in light of this fact, 51% of CISOs now see the failure to control third-party data usage as a major security concern.
When collaborating with third-party service providers, you need a way to maintain control of your sensitive data. With proper endpoint security, you can control access and mitigate the risks of a third-party breach.
Learning from major third-party data breaches
In 2013, in one of the largest data breaches of all time, retail giant Target’s systems were compromised as a result of credentials stolen from a third-party HVAC vendor.
The stolen credentials gave attackers access to the HVAC vendor’s billing, contract submission, and project management platform. This level of access helped attackers compromise the HVAC vendor’s VPN credentials for Target’s network. And, as a result, the attackers were able to remotely access Target’s network and deploy malware that infected tens of thousands of point-of-sale devices to steal customer credit card information.
In 2017, Target reported that the breach cost the company $202 million. And looking back, research shows that this was a preventable attack.
Krebs on Security wrote that a Verizon assessment conducted between December 21, 2013, and March 1, 2014, notably found no controls limiting [third-party] access to any system, including devices within stores such as point of sale (POS) registers and servers. Had the right access controls been in place, we might not be talking about the 2013 Target data breach today.
In the wake of massive data breaches, it’s easy to fall into the “it’ll never happen to me” mindset. While few attacks approach the size of the 2013 Target incident, Ponemon’s 2018 Third-Party Data Risk study shows the percentage of companies facing third-party data breaches has only risen over the past few years. Third-party data breaches cost SMBs an average of $120,000 per incident in 2018–up 36% from 2017–while enterprises forked out an average $1.23 million per breach–a 25% increase from the previous year.
Among the victims of a major third-party data breach in 2018 was the Universal Music Group (UMG). In June of that year, the global music corporation was working with a contractor to move its IT infrastructure to the cloud. While managing UMG’s IT infrastructure, the third-party contractor forgot to add a password to one Apache Airflow server, a slip-up that had dire consequences. Because Apache Airflow doesn’t use authentication by default, UMG’s cloud data storage and FTP credentials were left completely exposed to the public internet.
Until companies change their approach to third-party risk management, attacks like these will continue. To mitigate these risks, you need an endpoint security strategy that covers more than just your internal network.
Remote access control: your key to avoiding third-party breaches
From the moment you give third-party vendors access to your data, your network’s safety becomes dependent on the strength of their security. Even a simple vulnerability like password mismanagement can give attackers the foothold they need to launch a multi-million-dollar data breach against your company.
Addressing third-party risk requires a holistic security strategy–one that both covers your internal network and coordinates with the third parties you rely on.
Simply deploying anti-malware and hoping for the best isn’t enough. Adopting a zero-trust model that requires every user and every device to be verified is a good first step. Embracing the zero-trust mindset means putting strict access controls in place to ensure third parties can’t put your data at risk.
Remote access solutions can help you balance the benefits of outsourcing with your zero-trust security model. Implementing access controls that limit third-party data breaches requires:
- The right remote access solution: Not all remote access solutions are created equal. You want something that goes beyond loading VPN connectivity to endpoints. It’s essential that your solution gives you central control over third-party access to your company’s resources and data. That way, you have visibility into what’s accessible and what’s not as well as the ability to turn access on and off as necessary.
- Ongoing policy updates: Don’t take a set-it-and-forget-it approach to access control. Your access policies should be revised regularly to keep up with the context of your outsourced services. This process is essential for keeping IT personnel up to date with the list of active and inactive third parties. Forgetting to shut down access to third parties you’re no longer working with creates vulnerabilities that can lead to larger breaches.
- Multi-factor authentication: This is a key component of a zero-trust security model, with 63% of companies reporting that third parties access their data in the cloud. However, just 53% say they’re using multi-factor authentication to guarantee secure access. To safeguard your network against third-party attacks, your endpoints should all be protected with multi-factor authentication.
- Digital certificates: Third parties need to remotely access your network; there’s no way around it. But with digital certificates, you can initialize SSL connections between browsers and your servers. Relying on browser isolation lets your third parties work freely without sacrificing security.
- Detailed monitoring and reporting: Don’t take an all-or-nothing approach to access control. You want your third parties to have access to everything they need but nothing more. Segregating your network helps make this possible. But it’s also important to keep detailed logs of remote access sessions, which can be used as reference points in case of suspicious activity.
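One way to turn the checklist above into a recurring review is sketched below. This is an added example, not part of the original article: it reconciles third-party access grants against the list of active vendors and flags missing multi-factor authentication, unrestricted scope, and idle accounts. The vendor names, field names, dates, and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: vendor names, scopes and dates are hypothetical.
ACTIVE_VENDORS = {"hvac-co", "cloud-migrator"}
GRANTS = [
    {"vendor": "hvac-co", "account": "hvac-billing", "mfa": True,
     "scope": ["billing-portal"], "last_used": date(2019, 3, 1)},
    {"vendor": "hvac-co", "account": "hvac-vpn", "mfa": False,
     "scope": ["*"], "last_used": date(2019, 2, 20)},
    {"vendor": "old-printer-svc", "account": "printer-admin", "mfa": True,
     "scope": ["print-servers"], "last_used": date(2018, 6, 2)},
    {"vendor": "cloud-migrator", "account": "migrate-ops", "mfa": True,
     "scope": ["staging-storage"], "last_used": date(2018, 11, 5)},
]

def review_grants(grants, active_vendors, today, max_idle_days=90):
    """Return {account: [findings]} for grants that violate the policy."""
    findings = {}
    for g in grants:
        issues = []
        # Access left open for a vendor you no longer work with.
        if g["vendor"] not in active_vendors:
            issues.append("vendor-inactive")
        # Remote access without multi-factor authentication.
        if not g["mfa"]:
            issues.append("no-mfa")
        # "Everything" access instead of only what the vendor needs.
        if "*" in g["scope"]:
            issues.append("unrestricted-scope")
        # Account unused for longer than the review window.
        if (today - g["last_used"]).days > max_idle_days:
            issues.append("idle")
        if issues:
            findings[g["account"]] = issues
    return findings

def accounts_to_disable(findings):
    """Accounts to switch off immediately rather than just review."""
    return sorted(a for a, i in findings.items() if "vendor-inactive" in i)

if __name__ == "__main__":
    report = review_grants(GRANTS, ACTIVE_VENDORS, today=date(2019, 3, 15))
    for account, issues in sorted(report.items()):
        print(f"{account}: {', '.join(issues)}")
    print("disable now:", accounts_to_disable(report))
```

In practice the grant list would come from an export of your remote access solution and the vendor list from procurement, so the two sources check each other.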
Remote access solutions should be rolled into every modern endpoint security strategy. Even with the most advanced cybersecurity systems protecting your internal network, mismanaged third-party access can result in debilitating data breaches.
Learn from the likes of Target, UMG, and other victims of third-party breaches. Put remote access control and proper endpoint security in place so you can outsource safely.

