Third-Party Security Risk: How to Protect and Respond
Third party security risk is an issue that frequently comes up in my discussions with clients. The topic is usually raised through questions like these:
“I have a contractor starting on Monday. How do I give them the access they need to get the work done while still keeping our environment secure?”
“How do I enable secure access for a third party if I want them to maintain a particular asset?”
“How do we restrict access to protect our IP when working with a third party?”
Snapshots like these indicate a much bigger picture, with most organizations at the center of a vast ecosystem sharing data with service providers and subcontractors to improve service delivery and reduce costs. Effectively, these third parties are trusted with the client’s corporate crown jewels – key information that may concern its employees, solutions, end users, company strategies, and much more besides. Safeguarding the privacy and security of that information is a business-critical responsibility.
How serious is the challenge?
There’s plenty of objective proof to support this anecdotal insight.
The Sunburst attack showed just how broadly based and deeply damaging an attack involving third parties can be.
Meanwhile, Prevalent noted that companies are currently big on exposure but small on preparation, with a staggering 45% still relying on manual spreadsheets to assess third party risk. This renders risk audits more time-consuming and less effective.
That lack of preparation is particularly disconcerting at a time when KPMG is calling on security leaders to respond to increased threats by making a step change in their operating models and approach to third-party risk.
How simple is the solution?
In this situation, taking effective action starts with a simple statement of the problem.
Most third-party breaches feature two vulnerabilities:
Device vulnerability due to lack of patching
A lack of security on a client’s edge
An effective security solution to protect against these breaches must therefore be built on three essential pillars:
Identity assurance: We need to be sure that third parties are who they say they are by implementing phishing-resistant authentication. This is particularly important now that many bad actors are attempting to bypass MFA with tactics such as MFA fatigue.
Device posture: We need to make sure that third parties will be alerted when the devices they’re using need updating to protect their security posture. This protects the corporate apps third parties will need to access in order to do their work.
User behavior: We need to create a historical baseline of user behavior and surface unusual access attempts by looking at variables. These include who typically accesses which applications from which devices at what times from what locations using which authentication methods. Visibility into abnormal access attempts then enables admins to detect suspicious activity and tighten access policy. Deploying a secure access solution that is able to identify whether a device is registered or managed versus not known or personally owned is a huge benefit, mitigating the escalating threats which customers of all sizes face.
How quickly can it be done?
So far, so secure.
In the real world, though, security is not the only consideration for organizations working with third parties. Speed of response and speed to business impact are also critical in keeping costs down and maximizing competitive advantage.
In this respect, not all security solutions are equal. Some will indeed deliver security but cost you precious time in doing so. For instance, if you’re obliged to build a hierarchy of policies to accommodate your third-party requirement it means that you’ll likely be tackling a job with many moving parts. The downside of that isn’t just the resources it ties up and the budget it consumes. It’s the lag time between starting the job and being protected — time during which your network remains vulnerable.
Similar considerations apply with speed to impact. If an organization is working with third parties, it probably wants to control costs and have those partners add as much value as quickly as possible. That equation can quickly become unbalanced if IT is tied up for days making sure the network is safe before the third-party work can begin.
The right solution can also make regulatory compliance and cyber liability insurance easier too. But those are possibly separate topics for a different day.
Control the risk. Fast.
The good news for hard-pressed CISOs and IT admins is that the ability to create policies very rapidly for particular scenarios and apply them almost instantly has been built into Cisco Duo from the beginning.
Cisco Duo’s critical capabilities — such as strong authentication, phishing-resistant MFA, Passwordless, Single Sign-On (SSO), and Trusted Endpoints — offer an all-in-one package comprising essential secure access management for third parties and internal users alike. Equally important, this high level of security is delivered unobtrusively with minimal user friction thanks to Duo’s Risk-Based Authentication solution automatically evaluating risk signals, responding dynamically, and then adjusting secure access as required.
Managed centrally, the Duo Policy engine means admins can almost instantly reduce risk by enforcing precise policies and control, defining and enforcing rules on who can access what applications and under what conditions.
Duo Single Sign On also accelerates the third-party journey without compromising security, saving time and cost for onboarding to applications, password resets, device management and more while also providing a way forward to a Passwordless future supported by biometrics, security keys and specialized mobile applications that make access highly secure yet virtually friction-free.
Similarly, Device Trust makes it easy to enforce access control across both managed and unmanaged devices so organizations can be as confident as possible about authorizing third-party access.
I’ve seen what these capabilities mean in the real world on many occasions.
Thinking back to the scenarios I mentioned at the start of this article, I’ve seen situations where clients have told us they have a team of contractors starting a program of works imminently and we’ve been able to deliver a secure environment rapidly in response, sometimes within hours rather than days and certainly within days rather than weeks.
Or they’ve told us they need tighter controls to protect their IP with a third party working on a specific asset, and Cisco Duo has been able to spin up bespoke policies and controls almost instantly without interrupting day-to-day work.
Of course, that doesn’t happen by luck or accident.
It happens because the Cisco Duo solution is purposefully designed to build resilience for the entire business rather than simply help IT implement security.
Next steps
With the ongoing tech skills shortage plus a challenging economic environment, it’s likely that organizations will be relying on their third-party ecosystems to plug the gaps and cope with change for a long time to come.
Taking a free trial of Cisco Duo today is a quick and easy way to find out how those relationships can be secured in a way that effectively accelerates their ability to deliver value so the organization can achieve its goals.
Want to learn more?
Check out some other blogs:
The Bigger the Party, the Bigger the Risks
Healthy Device? Check With the Duo Device Health App Before Granting Access