In the Next New Normal, Look for More Regulation of Third-Party Vendor Security Measures
By: Ali Gomulu
According to a Deloitte “Third Party Governance and Risk” report, 83% of organizations experienced a third-party incident in the past 3 years, 11% of them with a severe impact, and 35% with a moderate impact on customer service, financial position, reputation, or regulatory compliance.
This happened before our world was turned upside down by the global pandemic.
It makes sense for companies to work with third-party suppliers, sales channels, distribution channels, and integrated IT systems to advance their competitive position, or to lower costs.
While there are many benefits, these relationships also present new risks to enterprises in an increasingly digitally connected world.
Regulators get this and are implementing stricter standards, especially as news of breaches – huge breaches that compromise consumer privacy – comes out nearly every day. The EU’s General Data Protection Regulation (GDPR) is one example; the California Consumer Privacy Act is another. These regulations hold companies responsible not only for their own actions but also for the actions of any party doing business on their behalf.
Risk can come from third-party service providers and even IT platform providers that those service providers use to run their businesses.
When companies try to evaluate third-party risks during COVID-19, the spread of multiple clouds, applications, connected systems, and remote workers creates even more risk to account for.
Let’s look at a few examples.
In 2019, a data breach at a billing contractor exposed the private data of nearly 12 million customers of a Fortune 500 company that provides clinical lab services, and despite the breach being caused by the billing contractor, the lab paid the price.
One of the biggest challenges in risk management is that companies often experience different points of vulnerability as they work with large numbers of other companies, service providers, and contractors.
Extending Privileged Access Management (PAM) solutions to third parties is key. Third-party activity, including actions taken by privileged users, must be continuously monitored – and the monitoring must be automated, with measures that can be applied quickly when threats are first detected.
When thinking about the return on investment in managing third-party risk using PAM for vendors, consider that the total costs of non-compliance include not only damage to the brand, bottom line, and fines from regulators, but also investigation and monitoring costs associated with stricter regulations.
As your organization recalibrates for the next new normal, are you thinking about these key issues associated with third-party access to systems?
- A contractor may accidentally or maliciously cause an outage or a data breach
- With access to enterprise systems, a malicious contractor could pose as an employee to improperly access sensitive data
- A former employee of a third-party firm could retain access rights if that firm does not have the proper procedures and software in place
- A contractor may be tempted to work with large criminal organizations – a risk that rises as uncertainty grows – and the prospect of earning a large sum of money could cause that individual to give in and hand over sensitive data
- From a compliance perspective, not knowing who is accessing confidential data or modifying systems or stealing data could be expensive and devastating, especially at a time like this
Ironsphere’s PAM solution provides a streamlined way to authorize, monitor, manage, control, and report on the activities of all privileged users, including third-party contractors.
With highly intelligent automation and smart policies across the entire environment, access can only be granted when needed. Access can be instantly revoked when the need expires, or when the system detects unusual behavior before the worst happens.
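The grant-only-when-needed, revoke-on-expiry-or-anomaly model described above, as an added illustration in Python that is not Ironsphere's code or API. It also covers the former-employee case from the list above by reconciling live grants against each vendor's current staff roster. All account names, vendors, systems and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

T0 = datetime(2020, 6, 1, 9, 0)  # constructed reference time for the scenario
def at(minutes: int) -> datetime:  # clock helper: T0 plus the given minutes
    return T0 + timedelta(minutes=minutes)

@dataclass
class Grant:
    user: str                      # contractor account
    vendor: str                    # third-party firm the contractor works for
    system: str                    # privileged target the grant covers
    expires_at: datetime
    revoked: Optional[str] = None  # reason, once revoked

class ThirdPartyAccess:
    """Time-boxed privileged grants for contractors (constructed model, not a real PAM API)."""
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[str] = []  # trail of every grant/revoke decision, for reporting

    def grant(self, user: str, vendor: str, system: str, ttl_minutes: int, now: datetime) -> Grant:
        g = Grant(user, vendor, system, now + timedelta(minutes=ttl_minutes))
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {user}@{vendor} {system} until {g.expires_at.isoformat()}")
        return g

    def active(self, now: datetime) -> List[Grant]:
        # A grant is usable only while unrevoked and inside its window; expiry needs no extra step.
        return [g for g in self.grants if g.revoked is None and now < g.expires_at]

    def revoke(self, g: Grant, reason: str, now: datetime) -> None:
        if g.revoked is None:
            g.revoked = reason
            self.audit.append(f"{now.isoformat()} REVOKE {g.user}@{g.vendor} {g.system} ({reason})")

    def on_anomaly(self, user: str, detail: str, now: datetime) -> int:
        # Unusual behaviour by a contractor cuts all of that user's live grants at once.
        hits = [g for g in self.active(now) if g.user == user]
        for g in hits:
            self.revoke(g, f"anomaly: {detail}", now)
        return len(hits)

    def reconcile_roster(self, roster: Dict[str, Set[str]], now: datetime) -> List[Grant]:
        # Former-employee check: revoke live grants for users no longer on their vendor's roster.
        orphaned = [g for g in self.active(now) if g.user not in roster.get(g.vendor, set())]
        for g in orphaned:
            self.revoke(g, "not on vendor roster", now)
        return orphaned
```

Running `reconcile_roster` on every roster update, and `on_anomaly` from the monitoring pipeline, keeps the audit trail complete for the compliance reporting the text calls for.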
Be prepared – and streamline your security operations by implementing PAM with our modern approach, which is also implemented in days or weeks – not months or even years. We don’t have another minute to spare.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step beyond entering a username and password (for example, entering a one-time security code sent to a mobile device) to access applications, systems and data.