How to reduce third-party access risk

With organisations across the globe facing unprecedented skills shortages, and with the world of work still recovering after the disruption of the pandemic, it is not uncommon for companies to look externally to third-party vendors for support.

But with this increased reliance on vendors, contractors, freelancers, and other third-party workers, organisations are inadvertently making themselves more vulnerable to cyberattacks. In order to do the job they’ve been hired to do, these third-party entities need access to all relevant parts of the organisation they’re working for – these could be across multiple departments, across different locations, and for variable lengths of time. The matter is further complicated by the fact that these vendors will likely require different onboarding processes than internal employees, or need the same access as full-time employees, and they might employ a different, perhaps lower, level of security than the company they’ve come to work for. All of these aspects make it difficult to keep track of all third-party vendors, to gain a comprehensive view of who has access to what and who’s coming and going where and when.

Indeed, according to a survey from the Ponemon Institute, 66% of companies have no idea how many third-party relationships they have on their books or how they’re managed – even though 61% reported having a breach attributable to a third party. In addition, Kaspersky’s annual IT Security Economics report found that third-party incidents were the most costly type of enterprise data breach in 2021.

In 2022, there have been numerous third-party data breaches already. In February, for example, manufacturing giant Toyota was forced to shut down some operations in Japan after one of its major plastic suppliers suffered a data breach. Because the third party had access to Toyota manufacturing plants, shutting down was required to protect data; the breach also affected some operations of Toyota subsidiaries, and car production had to be reduced, impacting Toyota’s bottom line.

Managing third parties can be complicated, but neglecting it creates substantial amounts of risk – so what can organisations do?

Third-party access governance

Some companies can have up to thousands of third-party relationships, which means a huge amount of work is needed to inventory and onboard third-party vendors and their identities, including non-human ones – as even third-party IoT devices and bots have identities to be onboarded that potentially put a company’s ecosystem in danger.

The first problem here is that traditional identity governance and administration (IGA) tools are designed to manage only employee identities, so Identity and Access Management (IAM) and IT security teams have had to improvise when it comes to managing today’s more digitalised and ever-growing third-party workforce. This process isn’t sustainable.

That’s why instituting an effective third-party access governance programme is vital, helping to not only manage the additional workload of today’s market but also to handle digital identities. Below are five proactive steps organisations can take to reduce risk, ensure the security of third-party access, and improve the state of third-party governance.

5 steps to reducing risk

1. Assess your current situation

The first step to reducing the risk of a breach from a third party is to be aware of the security measures your external vendors are employing. One of the biggest challenges with third-party identities is that they do not go through the same level of scrutiny as full-time employees and internal staff – meaning, in most cases, their identities aren’t part of the corporate identity and authentication directory.

While many companies have identity management solutions in place, most of these solutions are not designed to manage the complexity of governing third-party identities. It’s important, then, to start by establishing whether your organisation has a centralised source for onboarding third-party organisations. Next, check whether third-party identity access is disabled and revoked immediately after the termination or contract end date, or whether it is left to linger. Is third-party access even regulated at your organisation, and if so, what controls are in place to limit what access third-party identities can request and obtain? Finally, confirm whether your IAM system provides an overview of the risk of all types of identities.

2. Consolidate third-party organisations

Once you have assessed your current situation, you can begin establishing an identity lifecycle management programme for third parties by consolidating third parties into a system of record. Here, pertinent information about the third-party organisation is captured and recorded before moving on to grant access to third-party identities.

This step can begin by drawing up a list of current third-party relationships – turning to procurement teams is a good idea as many third parties have contractual relationships. On the subject of contracts, it’s important to review contractual language to address third parties’ responsibilities for administering identity access for joiners, movers, and leavers. Requiring third parties to also disclose breaches quickly allows you to take prompt action to reduce the fallout. Next, designate a dedicated sponsor to facilitate and streamline communications with each third party, ensuring everything on that vendor is in one place and there are no crossed wires.

While this step can be time-consuming and challenging, it is invaluable in building a successful foundation for any governance programme.

3. Establish a risk-aware onboarding process

Creating a workflow for vetting and onboarding third-party users, to ensure they are who they say they are, is essential to good governance. For example, providing a self-service portal where third parties can request access and supply the required documentation helps in collecting information for vetting and ID-proofing. It also accelerates the provisioning process, reducing the administrative phone calls and emails that typically slow it down and enabling users to become productive quickly.

This method also helps ensure that the onboarding process follows the principle of least privilege. Often referred to as ‘just-enough’ access, this means third-party users are granted only the access appropriate to their assigned roles – nothing more. By making role definitions specific to the actual tasks, rather than copying them from a similar existing role, third parties will only have access to what they need, when they need it.

4. Make policies and controls defined and refined

Continually optimising policies and controls to identify potential violations and reduce false positives can significantly reduce administrative workloads and risk. If both organisation and third-party administrators test policies and controls regularly – running periodic access reviews and ongoing certifications on a monthly or weekly basis, for example – they can see where users might be over-provisioned or where there may be dormant accounts holding access to sensitive information that need to be removed.

It’s also important to establish compliance controls for the entire workforce, particularly as several regulatory frameworks and auditors are now focusing on third-party access – Sarbanes-Oxley (SOX), for example, which includes specific controls for managing third-party risk.

A good way to do this is to bring all third-party access under the same compliance process that employees undergo – ensuring consistency across the entire workforce and enabling security teams to mitigate risks and violations quickly, whoever the user is.

5. Implement converged governance

Converged governance is a sure-fire way to raise cybersecurity maturity. Using a platform that brings together all Identity Governance & Administration, Privileged Access Management, and Third-Party Access Governance, organisations gain complete visibility across their entire workforce as well as gaining another level of safety by immediately revoking access to systems if warranted. Security teams can grant time-based access at the outset and remove access when a third-party contract ends.
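The checks described in steps 3 to 5 can be expressed as a small periodic review over a system of record. The script below is an added example and is not Saviynt’s code or a product API; the role names, entitlements, sponsors and identities are constructed for illustration. It takes an inventory of third-party identities (human and non-human), compares each identity’s granted entitlements against its task-specific role definition, flags accounts whose contract has ended but are still enabled, flags dormant accounts, and then disables the ones the review says should go.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Role definitions scoped to the actual task ('just-enough' access, step 3).
# Hypothetical role names and entitlements, constructed for this example.
ROLE_ENTITLEMENTS = {
    "plastics-supplier-portal": {"supplier-portal:read", "supplier-portal:submit-order"},
    "contract-dev": {"git:read", "git:write", "ci:trigger"},
    "iot-telemetry-bot": {"telemetry:publish"},
}

# Fixed review date so the example is reproducible offline.
REVIEW_DATE = date(2022, 6, 1)


@dataclass
class ThirdPartyIdentity:
    identity_id: str
    sponsor: str                 # internal sponsor designated in step 2
    role: str
    contract_end: date           # time-bound grant from step 5
    enabled: bool
    entitlements: Set[str]       # what was actually provisioned
    last_activity: Optional[date] = None  # None = never signed in / never active
    human: bool = True


@dataclass
class Finding:
    identity_id: str
    kind: str                    # expired_contract | dormant | over_provisioned
    detail: str


def review_access(identities: List[ThirdPartyIdentity], today: date,
                  dormant_days: int = 30) -> List[Finding]:
    """Periodic access review: returns findings for enabled identities only."""
    findings: List[Finding] = []
    for ident in identities:
        if not ident.enabled:
            continue  # already revoked; nothing to review
        if ident.contract_end < today:
            findings.append(Finding(ident.identity_id, "expired_contract",
                                    f"contract ended {ident.contract_end.isoformat()} but account still enabled"))
        if ident.last_activity is None or (today - ident.last_activity).days > dormant_days:
            findings.append(Finding(ident.identity_id, "dormant",
                                    f"no activity in the last {dormant_days} days"))
        allowed = ROLE_ENTITLEMENTS.get(ident.role, set())
        extra = ident.entitlements - allowed
        if extra:
            findings.append(Finding(ident.identity_id, "over_provisioned",
                                    "entitlements outside role: " + ", ".join(sorted(extra))))
    return findings


def revoke(identities: List[ThirdPartyIdentity], findings: List[Finding],
           kinds=("expired_contract", "dormant")) -> List[str]:
    """Disable identities whose findings are of the given kinds; returns sorted ids disabled."""
    to_disable = {f.identity_id for f in findings if f.kind in kinds}
    for ident in identities:
        if ident.identity_id in to_disable:
            ident.enabled = False
    return sorted(to_disable)


def sample_inventory() -> List[ThirdPartyIdentity]:
    """Constructed inventory; every value here is made up for the example."""
    return [
        ThirdPartyIdentity("acme-plastics-01", "procurement.lead", "plastics-supplier-portal",
                           date(2022, 12, 31), True,
                           {"supplier-portal:read", "supplier-portal:submit-order"}, date(2022, 5, 28)),
        # Contract ended 30 April but the account is still enabled and in use.
        ThirdPartyIdentity("contractor-dev-07", "eng.manager", "contract-dev",
                           date(2022, 4, 30), True,
                           {"git:read", "git:write", "ci:trigger"}, date(2022, 5, 30)),
        # Copied from an admin role: holds prod-db:admin the task never needed, and idle since March.
        ThirdPartyIdentity("freelance-design-03", "eng.manager", "contract-dev",
                           date(2022, 9, 30), True,
                           {"git:read", "git:write", "ci:trigger", "prod-db:admin"}, date(2022, 3, 1)),
        # Non-human identity onboarded but never active.
        ThirdPartyIdentity("sensor-bot-11", "ot.lead", "iot-telemetry-bot",
                           date(2023, 1, 1), True, {"telemetry:publish"}, None, human=False),
        # Already offboarded; skipped by the review.
        ThirdPartyIdentity("former-vendor-99", "procurement.lead", "plastics-supplier-portal",
                           date(2021, 12, 31), False, {"supplier-portal:read"}, date(2021, 12, 20)),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for finding in review_access(inventory, REVIEW_DATE):
        print(f"{finding.identity_id:22} {finding.kind:16} {finding.detail}")
    print("disabled:", revoke(inventory, review_access(inventory, REVIEW_DATE)))
```

Run as written, the review reports the expired contractor, the dormant and over-provisioned freelancer, and the never-active bot, and `revoke` disables the expired and dormant accounts while leaving the over-provisioning finding for the sponsor to resolve by correcting the role definition rather than by silently stripping entitlements.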

The time is now

As the integration of third-party vendors grows – including contractors and freelancers, as well as automated bots and other non-employee services – it is vital that organisations take a proactive step towards establishing and applying a third-party access governance programme. While there is more to be done, by following the five steps above companies are on their way to being able to confidently retain third-party services, reduce risk across their IT environments wherever teams are working, and effectively manage and gain visibility over all identities in their systems.

Chris Owen

Chris is currently responsible for helping to drive Saviynt’s product innovation, roadmap, go-to-market messaging and competitive intelligence.

He has acquired a wealth of experience in Identity & Access Management (IAM) and Privileged Access Management (PAM) over a 15-year career in various technical and leadership roles at Quest / One Identity, CyberArk, BeyondTrust and Centrify.

Chris began his career as a technical lead of one of the largest transformation projects in Europe at that time.