In late January, millions of financial records were leaked from Texas-based data firm Ascension because its contractor, a New York-based document management startup, had misconfigured several Elasticsearch and Amazon S3 storage servers, leaving them with no password required.
Outsourcing helps organizations beat competition and optimize costs. However, outsourcing increases security risks because companies have to expand their digital ecosystems.
Therefore, every company should take a risk-based approach when developing relationships with contractors in order to avoid making the following five mistakes.
Mistake #1 - Poor Third-Party Relationship Management
Even if your systems are regularly patched and employees get cybersecurity trainings, your contractors might not practice similar security routines, which could result in attacks and data leaks.
Therefore, define a set of security requirements for contractors and include them in every legal agreement. The requirements should cover all the contractors’ workflows and environments that are involved in processing your data.
Conduct regular audits of the assets included in the contractors’ scope of work and assess their security and privacy practices. If contractors are interested in long-lasting relationships, they will follow their clients’ guidelines and comply with the required industry standards. If a contractor cannot demonstrate that proper security practices are in place, the security risk usually outweighs the value of the partnership.
Mistake #2 - Insufficient Network Security
Network security is critical when you build interconnected networks with your suppliers and vendors. Failure to implement network segmentation increases the risk of unauthorized access. For example, in the well-studied Target breach [note: link opens a PDF], a retailer’s refrigeration vendor was hacked. The lack of network segmentation allowed malware to spread through the network and access POS system information, enabling hackers to steal over 40 million credit cards from nearly 2,000 Target stores.
To avoid a similar breach, implement firewalls and configure them properly to allow your employees access to the resources they need while keeping external personnel away from sensitive parts of your network. Separate groups of systems and applications from each other and limit communication across the segments to make it more difficult for an attacker to move throughout the entire network. That way, even if a contractor is hacked, no one can use their credentials to access your sensitive data.
Mistake #3 - Excessive Permissions and Overexposed Data
Third parties who access your network should have only the privileges they need to perform their jobs. For example, if you hire a contractor to help you set up Salesforce, make sure that its employees cannot access confidential data on your file shares.
As we all know, data can get copied or moved to improper locations and excessive access rights can be assigned by mistake.
Mistake #4 - Lack of Visibility
If you let contractors access your network, monitor their activity. Ensure that you can audit who changes what, when and where, and check those actions against the Scope of Work (SOW) agreement that defines the work they are authorized to do and the timeline. Pay particular attention to the following anomalies:
Activity outside of normal business hours. Contractors’ working hours should be fixed in the SOW. If a third-party account is active outside of the agreed time, investigate promptly.
Spikes in activity. Any sudden spike in activity could be a sign that something is wrong. For example, a spike in read activity could happen because a contractor has been hacked and the hackers are accessing information your contractors never have — just as the hackers did in the Target data breach I mentioned in #2.
VPN login attempts from unusual locations and multiple login attempts from different locations at the same time. If a New York-based contractor tries to log in from Mexico, you need to spot that anomaly and respond immediately.
Mistake #5 - Ignoring Basic Security Practices
The Netwrix 2018 IT Risks Report found that many organizations fail to assess their risks and set up appropriate security controls. Many organizations conduct asset inventory once a year or less frequently; 20% get rid of stale and unnecessary data rarely or never, and 17% have never performed IT risk assessment.
You need to assess the risks associated with each contractor and review your security controls on the regular basis. Access must be granted on a need-to-know basis and all third-party accounts must be disabled at the end of the contract. If a contractor poses additional risks, enhance your defenses. If the associated risks are higher than the expected value, avoid working with this contractor.
Businesses need to change their approach if we want to mitigate risk of third-party misbehavior. To benefit from collaboration with contractors, organizations should include security as one of their third-party selection criteria.
About Ilia Sotnikov
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is Vice President of Product Management at Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, California.