It’s not uncommon for organizations to provide business partners and vendors with access to IT systems and data. In some cases, a partner could be storing the other organization’s sensitive data. The assumption is that the third party will act responsibly, but that’s far from guaranteed. Giving outsiders access to any IT systems increases the risk of sensitive data falling into the wrong hands.
Remember the big Target breach from 2013 that was traced back to an HVAC vendor’s compromised credentials? Target finally had to pay the piper last year to the tune of an $18.5 million settlement.
According to a Ponemon Institute survey, 73 percent of IT security professionals said security incidents involving business partners and vendors are becoming more prevalent. However, 65 percent struggle to identify and mitigate these risks, and most can’t count on these third parties to notify them of a security breach.
Problem is, organizations don’t have much control over the security practices of their business partners and vendors. Because these partners often have as much access to sensitive data as employees, there’s always the risk of insider threats. A partner or vendor could have an axe to grind. They might try to steal data and sell it to the highest bidder, or simply become a competitor.
Of course, much of the risk involved with third-party access to IT systems has nothing to do with malicious behavior. Many users are just careless. They use personal email, file-sharing tools, and external drives to share data, or they forget to log off computers and applications. They might even share login credentials with other members of their organization.
Even worse, careless users could fall victim to phishing scams, ransomware, and similar attacks. They could click malicious links or download malicious files. They could be tricked into handing over their credentials to a hacker. This would allow the hacker to use legitimate credentials and a trusted connection to access sensitive data, making the threat extremely difficult to detect.
When a business relationship requires you to provide another organization with access to your IT systems and data, you must establish security expectations first. Use surveys and onsite visits to assess the partner’s ability to adhere to your security standards and compliance requirements. Require partners to demonstrate this ability.
Ask a lot of questions. What is their identity management strategy? Do they have an incident response plan? How will you be notified in case of a breach, and by whom?
What security training does this partner require of employees? Are security best practices documented? Has this partner prioritized mobile in their security strategy to reduce risk involving remote access? Who manages IT security for their company? What are their qualifications? Do they use a managed security services provider? Is security an organizational priority ingrained in the culture?
Giving business partners and vendors access to your systems and data is often necessary but it creates very real security risks that can be difficult to manage. Before you hand over a set of keys to an outsider, make sure they know the rules of the road and are committed to maintaining a clean driving record.