A First-Person Account of Third-Party Identity Risk Management
In a 2018 study by Opus & Ponemon on data risk in the third-party ecosystem, more than 75% of companies surveyed said they believe third-party cybersecurity incidents are increasing. Those companies were right to believe that.
As our world becomes more digitized, and thus more interconnected, it becomes increasingly difficult to safeguard organizations from cybercrime. Add to that challenge a global pandemic that all but forced organizations to become “perimeter-less,” if they weren’t already, and the potential access points for bad actors through third-party access increase exponentially. The problem is two-fold. First, the landscape of third-party users is vast and continues to grow. From third-party non-employees like vendors, contractors and affiliates to non-human third parties like IoT devices, service accounts and bots, more organizations are engaging third parties to assist with their business operations and help them innovate, grow faster, improve profitability, and ultimately create greater customer value – faster.
Second, on average, companies share confidential and sensitive information with more than 580 third parties, and in many cases an organization’s third-party workers can actually outnumber its regular, full-time workforce. Yet, despite the increased use of third-party workers in business, most organizations lack the proper third-party risk culture, processes, and technologies to protect themselves against the long list of third parties with access to their sensitive data and systems. Organizations have these systems in place to manage their full-time employees but lack the same level of rigor to manage these higher-risk third parties. As a result, many third-party users are provided with more access than their roles need, and most disturbingly, that access is frequently not terminated when the third party no longer needs it. Without the right third-party identity lifecycle management procedures in place, businesses unwittingly expand their attack surface, unnecessarily put sensitive information at risk, and create additional access points for hackers.
As a panelist, David Pignolet, founder and CEO of SecZetta, brings an expert third-party identity risk perspective to a range of fast-evolving security topics, including:
- Zero Trust: Without an authoritative source of information for third-party workers, Zero Trust programs cannot be implemented across an organization’s entire workforce.
- Artificial Intelligence: Bots (both chatbots and transactional bots) are third-party non-employee identities that use AI to replicate human behaviors and can be found on websites, messaging applications and mobile apps. If not properly managed and monitored, cybercriminals can turn bots into “evil bots” and use them as a springboard to scan a network for security vulnerabilities that can be exploited at a later date.
- Identity Governance and Administration: The identity governance of third-party users is far more chaotic and less linear than that of regular employees. Enterprises often lack formal procurement vetting and identity management processes for third parties, and responsibilities are often distributed across lines of business, Legal, HR, Compliance, and Information Security. A third-party relationship needs to be managed by resources within (sponsors) and outside (delegates) the organization. Current disconnects in this process and lack of transparency into third-party identities often heighten risks including over-provisioned and orphaned accounts.
- Cyber Supply Chain Risk Management: Organizations that rely on a robust supply chain sector can have upwards of 2-3 supply chain workers for every one employee, but as in most other industries, these organizations often lack the proper onboarding systems and processes for their supply chain workers. To mitigate the risks third parties present in their supply chains, manufacturers must improve the granularity, transparency, consistency, and agility of their third-party risk management efforts. In particular, manufacturers can’t overlook the safety and IP protection concerns related to granting third parties access to facilities.
- Privileged Access Management: Organizations grant their employees certain security privileges and access based on their roles and typically have well-documented processes for revoking those privileges upon termination of employment. However, too many organizations lack the protocols and processes for revoking privileges and access from non-employee workers once their jobs are complete, leaving an organization vulnerable to cybercriminals who can gain entry through those lingering, unauthorized access privileges.