In late January, we learned that millions of financial records were leaked from Texas-based data firm Ascension because its contractor, a New York-based document management startup, had misconfigured several Elasticsearch and Amazon S3 storage servers, leaving them with no password required.
Outsourcing helps organizations to stay on the edge of competition and optimize costs; startups, in particular, often provide organizations with digital technologies that help them make better products and deliver faster services. However, outsourcing increases risks to sensitive data because it requires companies to expand their digital ecosystems. Organizations are often not fully aware of how secure the business processes of company they outsource to are, but they are still held responsible in case of a data breach. Therefore, every company should take a risk-based approach when developing relationships with contractors of any size, and avoid making the following five major mistakes.
Mistake #1. Poor third-party relationship management
Even if your company patches its systems regularly and provides cybersecurity training for all employees, your contractors might not practice similar security routines, which could leave an interconnected system open to attacks and data leaks. For example, a contractor’s employee might fall for a malicious email, enabling hackers to access the joint network and steal your sensitive data.
Therefore, it’s critical to vet potential partners thoroughly. Define a set of security requirements for contractors and include them in every legal agreement. The requirements should cover all the contractor’s workflows and environments that are involved in processing your data.
Also be sure to conduct regular audits of the systems and assets included in the scope of work of your contractors and assess the security and privacy practices of third parties. Contractors who are interested in long-lasting relationships follow their clients’ guidelines and comply with the industry standards their clients are subject to. If a contractor cannot demonstrate that proper security practices are in place, the security risks almost certainly outweigh the value of the partnership.
Mistake #2. Insufficient network security
Network security is critical when you build interconnected networks with your suppliers and vendors. In particular, network segmentation is essential, since it prevents third parties from connecting their systems directly to critical parts of your company’s networks. Failure to implement network segmentation increases the risk of unauthorized access. For example, in the well-studied Target breach, a retailer’s refrigeration vendor was hacked, and lack of network segmentation allowed malware to spread through the network and access POS system information, enabling hackers to steal over 40 million credit cards from nearly 2,000 Target stores.
To avoid a similar breach, implement firewalls and configure them properly to allow your employees access to the resources they need while keeping external personnel from accessing the most sensitive parts of your network. That way, even if a contractor’s employees are hacked, no one can use their credentials to access your sensitive data.
Also implement and maintain internal network segmentation: Separate groups of systems and applications from each other and limit communication across the segments to make it more difficult for an attacker to move throughout the entire network. Finally, maintain secure configurations on your devices and software.
Mistake #3. Excessive permissions and overexposed data
Third parties who need access to your network should be granted only the privileges they need to perform their jobs. For example, if you hire a contractor to help you set up Salesforce, make sure that its employees cannot access confidential data on your file shares.
Also be sure to identify all overexposed data and proactively remove the excessive permissions on a regular schedule. As we all know, data can get copied or moved to improper locations and excessive access rights can be assigned by mistake, so you need to be vigilant, especially when it comes to third-party access to sensitive data.
Mistake #4. Lack of visibility
If you let contractors access your network, monitor their activity closely. Ensure you can audit who changes what, when and where, and check those actions against the Scope of Work (SOW) agreement that defines the work they are authorized to do and the timeline. Pay particular attention to the following anomalies:
- Activity outside of normal business hours. Each contractor’s working hours should be fixed in the SOW. If a third-party account is active outside of the agreed time, investigate promptly.
- Spikes in activity. Any sudden spike in activity could be a sign that something is wrong. For example, a spike in read activity could happen because a contractor has been hacked and the hackers are inside your environment trying accessing information your contractors never have — just as the hackers did in the Target data breach I mentioned earlier.
- VPN login attempts from unusual locations and multiple logon attempts from different locations at the same time. Contractors often use VPN to access their clients’ networks, so you need to watch for these events. If a contractor who is based in New York tries to log in from Mexico, you need to spot that anomaly and respond immediately.
Mistake #5. Ignoring basic security practices
The Netwrix 2018 IT Risks Report found that many organizations fail to properly assess their risks and set up appropriate security controls. In fact, 36% of organizations conduct asset inventory once a year or less frequently, 20% get rid of stale and unnecessary data rarely or never, and 17% have never performed IT risk assessment.
A thorough IT risk assessment that includes third-party risks is a crucial first step toward defending your critical systems and data from being compromised and implementing an effective strategy to respond to attacks. You need to assess the risks associated with each contractor and review your security controls on the regular basis. Address third-party accounts in your security policy, for example, by specifying that access must be granted on a need-to-know basis and that all third-party accounts must be promptly disabled at the end of the contract. If a certain contractor poses additional risks, you should identify all points of compromise and enhance your defenses. Avoid working with contractors if the associated risks are higher than the expected value.
Conclusion
According to a study by Ponemon Institute, the number of companies that have experienced a third-party data breach has increased by 10% over three years, from 49% in 2016 to 59% in 2018. Unless companies change their approach to IT risk management, we will continue to see an increase in the number of incidents due to third-party misbehavior. To be able to reap the benefits of collaborating with contractors, including small vendors and startups, organizations need to include security as one of their third-party selection criteria.