Friends or Frenemies: Third-Party Network Access
- Chris Ecker
- October 19, 2016
We can all agree, protecting the personal data of your employees and constituents is essential to modern business. Most likely, you are currently taking action to secure your internal networks. But what about your vendors’ networks?
Third-party vendor breaches are on the rise. In fact, 63% of all data breaches are the result of hackers accessing data through vendors and contractors. In 2015, third-party breaches affected several big-name corporations such as AT&T, CVS, and Jimmy John’s.
Third-party network attacks take place when hackers access a vendor network that has direct access to your organization’s records, data, or systems. For example, many associations or nonprofits use a third party for point-of-sale transactions. This vendor has access to sensitive data containing the personal information of anyone who has made a POS transaction through your organization. If that vendor gets hacked, your association or nonprofit could risk compromising the confidential data of your constituents.
How do you protect your organization from third-party network breaches? DelCor recommends several actions that can help ensure you are secured.
Identify The ThirD-party Networks WHO Access to Your Data
Do you know which vendors have access to your systems, as well as what information they are able to access? You must! We recommend reviewing all the vendors you currently employ (don’t forget applications!) and auditing their access. Additionally, audit who within their organization is able to access your network. During your audit, ask the following questions:
- Which vendors have access to our network? Have we discussed security with them?
- What warranties or protections do our vendors offer in the event of their negligence? Do they carry errors and omissions coverage to protect us against claims stemming from their negligence?
- Do we automatically give ‘domain admin’ access to any vendor?
- Do we enable and disable accounts as needed, or leave accounts open?
- Do we use audit logging? (An audit log records all ‘events’ in an IT system: resources accessed, destination and source addresses, timestamp, and user login information.)
Help Administer Vendor Access
Mitigating third-party risk is dependent on your association or nonprofit establishing clear policies and protocols for administering vendor access. Ensure you are taking the correct actions to protect your organization and your data from the threat of breaches linked to third party access. We recommend these steps:
- Establish a documented method for vendors requesting access to your network.
- Do not provide too many privileges. Vendors will most likely need administrator-level access on the systems that host their applications, but they should not need elevated access across other systems in your organization.
- Require resets for their passwords, just like all your other employees.
- Request information from your vendors about how they store the credentials to access your system and who has access to those credentials.
- Review your vendor contracts to make sure they include data security commitments and warranties. Make it clear to your vendors that they must take security seriously.
As technology-based decision-making, member service, and outsourcing at nonprofits and associations grows, vendor access will increase—as will external threats to your data and system security. It is critical to implement your own internal security measures to protect your data from being vulnerable to a third-party data breach. For more information on protecting your association or nonprofit, check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives.