By Ryan Francis
June 9, 2017
"Every organization must ensure it has identified the outside parties with access to systems and data and have secure procedures in place, strict policies for these users to follow, and effective technology in place to monitor and detect if the third parties are putting their organization at risk," he said.
It is the cost of doing business that leaves your network vulnerable to third parties, said Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems. Manufacturers connect directly to suppliers to manage just-in-time production. Accounting departments connect to external invoicing and receipt systems, and the marketing team has given all types of automated solutions access to the network infrastructure.
"Organizations need to assume that they have been already breached by a third-party leaving a hole in your network, and therefore they need to move to detection and response area solutions that consider the big picture, delivering complete visibility by detecting across the entire network, endpoints and payloads."
Richard Henderson, Global Security Strategist at Absolute, agrees. "In the majority of cases, companies will have no way to learn if those partners have a breach or fall prey to attack. Add to this that regulators (and customers) really don't care if someone else was responsible and it seems like an unwinnable battle. After the damage is done, organizations are left picking up the pieces and will be the ones called to task and held accountable."
Carl Herberger, vice president of security solutions at Radware, said that business units are under a lot of pressure to leverage new solutions to speed time-to-market and reduce costs. Typically, security is a secondary consideration.
"Most of these business teams don't have the skills or knowledge to assess security requirements and can result in partnering with a vendor who may leave the company's networks open to attack," Herberger said.
If an enterprise lets a third party onto their network, regardless of the reason, that third party then becomes an integral part of their security perimeter, notes Amir Jerbi, CTO of container security company Aqua Security. "Organizations should therefore vet third parties for their security measures and practices and ensure they are aligned with their own, and furthermore, periodically check and test those practices to verify they are still in compliance. These checks may (and should) cover systems, process and people."
Alertsec's CEO Ebba Blitz advises to make sure everyone plays by your rules. If full disk encryption is mandated for your own staff, make sure that your third parties do the same. "All too many third parties log into your network from unknown devices - devices that you don't manage and can't control, unless they are enrolled in your network. Make sure data only flows to encrypted devices, whether they are enrolled in your IT infrastructure or not."