This is a challenge, especially in cases where non-employees have greater access to sensitive information than internal employees. If a non-employee is granted access to these sensitive systems for a nine-month period but finishes the job early after six months, there are three months in which the non-employee may still have access to sensitive systems. These are exactly the types of accounts that hackers look for when trying to penetrate systems and steal data, according to SecZetta.
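As an added illustration (not from the article or any vendor named in it), the check below reconciles each vendor account's provisioned access expiry against the date the engagement actually ended, and flags the "finished early, still has access" window the paragraph describes. The `VendorAccount` fields, the sample accounts and the report date are all constructed for the example.

```python
# Added example: surface vendor accounts whose access grant outlives the engagement.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class VendorAccount:
    username: str
    vendor: str
    access_end: date                 # when the provisioned grant expires
    engagement_end: Optional[date]   # when the work actually ended (None = ongoing)
    last_login: Optional[date]       # most recent sign-in seen by the IdP, if any

def orphan_window_days(acct: VendorAccount, today: date) -> int:
    """Days so far in which the engagement is over but the grant is still valid."""
    if acct.engagement_end is None or acct.engagement_end >= acct.access_end:
        return 0
    window_end = min(acct.access_end, today)
    return max(0, (window_end - acct.engagement_end).days)

def find_orphaned_access(accounts, today):
    """Return (username, orphan_days, used_after_end) for every account whose
    access outlives its engagement. used_after_end means the account was
    signed into after the work finished, which is the case to escalate first."""
    findings = []
    for acct in accounts:
        days = orphan_window_days(acct, today)
        if days == 0:
            continue
        used_after_end = (acct.last_login is not None
                          and acct.last_login > acct.engagement_end)
        findings.append((acct.username, days, used_after_end))
    return findings

# Constructed sample data mirroring the nine-month grant / six-month job above.
SAMPLE_ACCOUNTS = [
    VendorAccount("vendor_alice", "ExampleCo", date(2024, 9, 30), date(2024, 6, 30), date(2024, 7, 10)),
    VendorAccount("vendor_bob", "ExampleCo", date(2024, 9, 30), None, date(2024, 8, 1)),
    VendorAccount("vendor_carol", "OtherVendor", date(2024, 9, 30), date(2024, 9, 30), None),
]
REPORT_DATE = date(2024, 8, 15)  # constructed "today" for the report

if __name__ == "__main__":
    for username, days, used in find_orphaned_access(SAMPLE_ACCOUNTS, REPORT_DATE):
        print(f"{username}: access outlived engagement by {days} days; signed in after end: {used}")
```

In practice the engagement end date comes from the contract or HR system and the login date from the identity provider; the reconciliation is the same once both are in hand.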
Ryan Stolte, co-founder and CTO at Bay Dynamics, said keeping track of who is doing what is a daunting task. "Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company's most valued applications and systems."
Effective vendor risk management begins with identifying your crown jewels and the impact on your organization if those crown jewels were compromised, he said. Then, look at which vendors have access to those crown jewels and continuously monitor not just the vendor users' activity, but also that of their team members and fellow users in the larger group. If your security tools flag unusual behavior coming from a vendor user, it's important to engage the application owner who governs the application at risk, asking the owner to confirm whether the behavior is unusual or business-justified. If the behavior is unusual, that threat alert should go to the top of the investigation pile.
"It's important to consider that often third-party vendors are non-malicious threats. Oftentimes, vendor employees are less conscious than full-time employees of good cyber security hygiene and therefore unintentionally expose your company to risk," he said.
Viewpost's CSO Chris Pierson said that having a well-developed vendor assurance program is necessary to oversee, quantify, communicate and mitigate risks. This program should consider the company mission, goals and objectives for the vendor, and provide a review process that looks at all types of risk - cybersecurity, privacy, regulatory/legal, financial, operational and reputational.
All vendor risks should then be scored, owned by the business line executive responsible for the product/service, and depending on level of harm, socialized and even approved by a governance risk committee. "By rating your vendors based on the criticality of the product/service they provide and the risks, the company can more adequately manage these risks, request mitigating controls, or off-board the vendor," said Pierson.
Rod Murchison, vice president of product management at CrowdStrike, said when it comes to security, being knowledgeable after an event happens is insufficient. "Real-time visibility into the security posture of your network is something every organization should strive to achieve and maintain going forward," he said.