Protecting the modern workforce requires a new approach to third-party security

Just ask an HR leader, they’ll tell you that attracting and retaining employees remains a top challenge. While this has never been easy, there’s little doubt that the COVID-19 pandemic (and dispersed workforce) has made things even more complex. As you read this article, many employees are actively considering leaving their current positions that do not support their long-term goals or desired work-life balance. As organizations try to navigate this “big layoff,” more than 4 million workers are still resigning each month.

As 2022 progresses, recruiting teams will face another massive hurdle: global talent shortages. These trends are making companies rush to find creative contingency solutions to ensure business continuity in difficult times. It should come as no surprise that more companies are relying on third-party vendors, suppliers and partners to meet short-term needs, reduce costs and fuel innovation. In addition, the rise of the gig economy is driving more workers into non-traditional or temporary work relationships. This trend is especially rife in the healthcare sector, as a staggering 36% of U.S. workers have a job deal of some form, in addition to or in lieu of a full-time job.

In addition, the business supplier ecosystem has become exponentially more complex. Amid the supply chain vulnerabilities exposed by the pandemic, organizations are expanding and diversifying the number of supplier relationships they establish. Meanwhile, regulators have stepped up their efforts to manage these business ecosystems.

In many cases, outsourcing to temporary workers or external partners is a good business from a business point of view. Sometimes, given the limitations of the talent pool, there is simply no other option for a company. Either way, organizations need to be aware of the security risks third parties pose – and the steps they can take to minimize the chance of a breach.

Third-party security vulnerabilities remain widespread

Rapid onboarding of third-party personnel — and without proper governance or security controls — exposes organizations to significant cyber risk. These risks can arise from the external users or vendors themselves or those third parties’ access being compromised and used as a conduit for lateral movement, allowing attackers to gain access to the company’s most sensitive data. Unfortunately, a lack of centralized control over suppliers and partners is all too common, regardless of industry. In many organizations, unlike full-time employees, remote users are managed on an ad hoc basis by individual departments using manual processes or custom solutions. This is a recipe for increased cyber risk.

Take the now infamous Target breach, which remains one of the largest third-party security breaches in history. In this incident, attackers entered the retail giant’s network after compromising the credentials of an employee of an HVAC contractor and eventually stealing the payment details of 110 million customers.

In today’s world, where outsourcing and remote working are the norm, third parties need access to the corporate network to do their jobs. If companies don’t rethink third-party security controls — and take action to address the root of the problem — they’ll remain open to cyber vulnerabilities that could destroy their business and reputation.

An ubiquitous lack of visibility and control

While reliance on remote workers and technology is rife in nearly every industry (and in some it’s common for an organization to have more remote users than employees), most organizations are still unsure of exactly how many remote relationships they have. Worse, most don’t even understand exactly how many employees each supplier, supplier or partner brings into the relationship or their level of risk. According to a survey by the Ponemon Institute, 66% of respondents have no idea how many third-party relationships their organization has, although 61% of those surveyed have experienced a breach attributable to a third party.

Understanding the full scope of third-party access can be especially challenging when collaborating with outsiders through cloud-based applications such as Slack, Microsoft Teams, Google Drive or Dropbox. Naturally, adoption of these platforms skyrocketed with the large-scale shift to remote and hybrid work that has taken place over the past two years.

Another challenge is that, although an organization may to attempt to maintain a supplier database, it can be nearly impossible to ensure it is both current and accurate with today’s technical capabilities. Processes such as self-registration and guest invitations keep external identities disconnected from the security measures applied to employees.

Increasing Regulatory Interest and Contractual Obligations

As incidents and breaches attributable to third parties continue to increase, regulators are watching. For example, Sarbanes-Oxley (SOX) now includes various controls that are explicitly aimed at controlling third-party risks. Even the Cybersecurity Maturity Model Certification (CMMC) is explicitly aimed at improving the cybersecurity maturity of third parties serving the federal government. The ultimate goal of such regulations is to bring all third-party access under the same compliance controls required for employees, ensuring consistency across the workforce and quickly mitigating violations.

Today, we expect companies to encourage their suppliers, vendors and partners to implement stricter security controls. However, in the long run, such approaches are untenable as it is difficult, if not impossible, to enforce standards within an outside organization. Therefore, the focus must shift to ensuring that identity-based perimeters are robust enough to identify and manage third-party threats.

Currently, decentralized identity solutions are becoming mainstream. As these technologies become more widely accepted, they will continue to mature. This will help many organizations to streamline third-party management in the future. It will also help companies on their journey toward zero-trust compliant identity attitudes. Incorporating continuous security monitoring and implementing continuous identity verification systems will also become increasingly important.

Five Steps to Mitigate Third-Party Risk Today

Today’s challenges are complex, but not unsolvable. Here are five steps organizations can take to improve third-party access management in the short term.

1) Consolidate third-party management. This process can start with finance and purchasing. Anyone with a contract to provide services to a department in the company must be identified and cataloged in an authoritative registry system that contains information about the access rights assigned to external users.

Security teams should test for outdated accounts and provide features that are no longer needed or in use. In addition, they should assign sponsorship and joint responsibility to external administrators.

2) Establish vetting and risk-aware onboarding processes. Both the organization and the vendor/supplier should establish workflows for vetting and onboarding external users to ensure they are who they say they are – and that their onboarding process follows the principle of least privilege. Implementing a self-service portal where external users can request access and provide the required documentation can pave the way to productivity. Access decisions should be based on risk.

3) Define and refine policies and controls. The organization – and its suppliers and suppliers – must continually optimize policies and controls to identify potential violations and reduce false positives. Policies and controls should be periodically tested and security teams should also review employee access. Over time, automatic recovery can further minimize administrative overhead.

4) Set compliance checks across your workforce. Look for a third-party access control solution that enables consistency between employees and external users, especially as regulators increasingly require it. Having access to out-of-the-box compliance reports for SOX, GDPR, HIPAA, and other relevant regulations makes it easier to enforce appropriate controls and provide necessary audit documentation.

5) Implement privileged access management (PAM). Another critical step that organizations can take to increase their cybersecurity maturity is to implement a PAM solution. This allows the organization to automatically enforce least privileged access and zero privilege for all relevant accounts.

The world of work will never look like it did in 2019. The flexibility, agility and access to world-class talent that companies gain by embracing modern ways of working make the changes more than worthwhile. And enterprises can realize tremendous value within today’s complex and dynamic business relationship and supplier ecosystems. They need to ensure that their cybersecurity strategies can keep pace by strengthening the identity and access management of third parties.

Paul Mezzera is VP Strategy at Saviynt†