Security Best Practices for Third-Parties: Protecting the Enterprise
The entire chain of security starts at the top - enterprise-level companies that hire contractors, vendors and other third-parties must ensure their counterparts are operating at a sufficient level of security. Countless cases of large-scale breaches due to vendor security holes serve as cautionary tales:
- Target’s HVAC vendor was phished; credentials exploited to access their billing network
- Jimmy John’s POS vendor (Signature Systems) was targeted with stolen credentials, allowing an attacker to remotely access POS systems of their clients
- Goodwill was breached via their POS vendor, C&K Systems, leading to the theft of over 800,000 customer records
While enterprise security budgets may be on target for protecting their own organization, the scope of risk areas should be broad enough to include any vendor or employee that has remote login access to any enterprise applications. That includes any subcontractors that may work for the contractor, as credential-sharing is common across companies.
As CSOOnline.com reports, a few security best practices should be in place:
Implement two-factor authentication to protect any login that accesses enterprise applications.
Equip contract employees with two-factor authentication to ensure application security no matter where they’re located - on-premises or the cloud. Speaking of the cloud, cloud-based solutions are much more affordable and easier to deploy than legacy solutions that use hardware tokens.
Plus, providing two-factor authentication for contract employees means you have complete control over their access. Configure lockout and fraud settings to prevent brute-force (password guessing) attacks, or, by customizing your authentication policy, restrict them to Duo Push (the most secure out-of-band authentication method) as their only way to log in.
Although other access security best practices may call for ‘strong, complex’ passwords, two-factor authentication ensures app security even if passwords are compromised. Check out What to Look for in a Modern Two-Factor Authentication Solution.
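The lockout and factor-restriction settings described above can be illustrated with a small policy enforcer. The following Python is an added example, not Duo's code or product configuration: the thresholds, the account names, the timestamps and the "push"/"sms" factor labels are all constructed for the demo, and the audit list stands in for whatever logging a real deployment would send to its SOC.

```python
"""Login lockout and second-factor restriction, as an added illustration.

Constructed example: the thresholds, account names, factor labels and
timestamps are made up for this demo; this is not Duo's code or settings.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5           # failed attempts allowed inside the window
    window_seconds: int = 300       # only failures this recent are counted
    lockout_seconds: int = 900      # how long the account stays locked
    allowed_factors: frozenset = frozenset({"push"})  # e.g. push-only for contractors


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class AuthGuard:
    """Tracks failed logins per account and decides whether an attempt may proceed."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}
        self.audit: list[str] = []  # every decision, so defenders can see the pattern

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # Drop failures older than the counting window so stale noise cannot lock anyone out
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] < cutoff:
            st.failures.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, factor: str, password_ok: bool, factor_ok: bool, now: float) -> str:
        """Return 'locked', 'factor_not_allowed', 'denied' or 'allowed'."""
        st = self._state(user)
        self._prune(st, now)
        if self.is_locked(user, now):
            self.audit.append(f"{now:.0f} {user}: attempt while locked")
            return "locked"
        if factor not in self.policy.allowed_factors:
            # The policy pins this population to specific factors (push-only here)
            self.audit.append(f"{now:.0f} {user}: factor {factor} not permitted")
            return "factor_not_allowed"
        if password_ok and factor_ok:
            st.failures.clear()
            self.audit.append(f"{now:.0f} {user}: login ok via {factor}")
            return "allowed"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            self.audit.append(f"{now:.0f} {user}: LOCKED after {self.policy.max_failures} failures")
            return "locked"
        self.audit.append(f"{now:.0f} {user}: denied")
        return "denied"


def demo() -> dict:
    """Constructed scenario: a guessing burst against a vendor account, then recovery."""
    guard = AuthGuard(LockoutPolicy(max_failures=3, window_seconds=300, lockout_seconds=900))
    results = []
    # Four wrong passwords ten seconds apart (t = 1000 .. 1030)
    for i in range(4):
        results.append(guard.attempt("vendor-tech", "push", False, False, now=1000 + 10 * i))
    # The real user tries the correct credentials while the lock is still in force
    results.append(guard.attempt("vendor-tech", "push", True, True, now=1100))
    # After the lock expires, an SMS code is refused because the policy is push-only
    results.append(guard.attempt("vendor-tech", "sms", True, True, now=1931))
    # Finally a correct push approval goes through
    results.append(guard.attempt("vendor-tech", "push", True, True, now=1940))
    return {"results": results,
            "locked_until": guard.accounts["vendor-tech"].locked_until,
            "audit": guard.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The sliding window matters: failures that age out of `window_seconds` are pruned before the count is checked, so an occasional mistyped password over a day does not trip the lock, while a burst of guesses does. The third guess locks the account, so the legitimate user is also turned away until the lock expires, which is exactly the trade-off a lockout duration should be tuned against.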
Enact a least privilege model for users and privileged users (administrators).
Ordinary users don’t need the same type or amount of access that administrators need in order to do their daily jobs.
Limit the amount of access, and challenge users with two-factor authentication for certain transactions or requests for sensitive data. This also produces useful logs of user activity - e.g., your company can see who is accessing financial data, and whether they even have permission to view it.
For contract employees, limit the amount of data they have access to, or limit the time during which they have access to your applications.
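The three controls in this section (least-privilege roles, step-up two-factor for sensitive data, and time-boxed contractor access) fit naturally into one access decision that also leaves an audit trail. The Python below is an added example written for this page, not code from Duo or from any company it describes; the roles, resources, people, dates and the 600-second step-up freshness window are all constructed for the demo.

```python
"""Least-privilege access decisions with step-up 2FA, time-boxed contractor access
and an audit trail, as an added illustration.

Constructed example: the roles, resources, people and dates are invented for
this demo; nothing here is the company's or Duo's real configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Each role grants only the (resource, action) pairs its holders need for their job.
ROLE_PERMISSIONS = {
    "analyst":    {("reports", "read")},
    "finance":    {("reports", "read"), ("ledger", "read"), ("ledger", "write")},
    "pos-vendor": {("pos-terminals", "read"), ("pos-terminals", "maintain")},
    "admin":      {("users", "read"), ("users", "write"), ("audit-log", "read")},
}

# Resources that demand a fresh second-factor check (step-up) on top of role membership.
SENSITIVE_RESOURCES = {"ledger", "users"}


@dataclass
class Principal:
    name: str
    roles: set
    is_contractor: bool = False
    access_expires: Optional[datetime] = None   # contractors get a bounded access window
    mfa_verified_at: Optional[datetime] = None  # time of the last successful 2FA


@dataclass
class Decision:
    allowed: bool
    reason: str


class AccessController:
    def __init__(self, step_up_max_age_seconds: int = 600):
        self.step_up_max_age = step_up_max_age_seconds
        self.audit: list = []  # every request, allowed or not, with the reason

    def check(self, p: Principal, resource: str, action: str, now: datetime) -> Decision:
        d = self._evaluate(p, resource, action, now)
        self.audit.append({"at": now.isoformat(), "user": p.name, "resource": resource,
                           "action": action, "allowed": d.allowed, "reason": d.reason})
        return d

    def _evaluate(self, p: Principal, resource: str, action: str, now: datetime) -> Decision:
        # 1. Contractor access is time-limited; outside the window nothing is granted.
        if p.is_contractor and (p.access_expires is None or now >= p.access_expires):
            return Decision(False, "contractor access window closed")
        # 2. Least privilege: the request must be granted by at least one held role.
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in p.roles))
        if (resource, action) not in granted:
            return Decision(False, "not granted by any role")
        # 3. Sensitive data requires a recent second factor, even for entitled users.
        if resource in SENSITIVE_RESOURCES:
            if p.mfa_verified_at is None or \
               (now - p.mfa_verified_at).total_seconds() > self.step_up_max_age:
                return Decision(False, "step-up 2FA required")
        return Decision(True, "granted")

    def who_touched(self, resource: str) -> list:
        """Audit question from the text: who accessed this data, and were they allowed to?"""
        return [(e["user"], e["action"], e["allowed"]) for e in self.audit if e["resource"] == resource]


def demo() -> dict:
    """Constructed scenario covering an employee, a stale-2FA employee and two contractors."""
    ctl = AccessController(step_up_max_age_seconds=600)
    now = datetime(2015, 3, 2, 12, 0, tzinfo=timezone.utc)
    analyst = Principal("alice", {"analyst"})
    finance = Principal("bob", {"finance"}, mfa_verified_at=now - timedelta(minutes=2))
    stale = Principal("carol", {"finance"}, mfa_verified_at=now - timedelta(hours=3))
    vendor = Principal("vendor-tech", {"pos-vendor"}, is_contractor=True,
                       access_expires=now + timedelta(hours=6))
    expired = Principal("old-vendor", {"pos-vendor"}, is_contractor=True,
                        access_expires=now - timedelta(days=30))
    outcomes = {
        "analyst_reads_ledger": ctl.check(analyst, "ledger", "read", now).reason,
        "finance_reads_ledger": ctl.check(finance, "ledger", "read", now).reason,
        "stale_mfa_reads_ledger": ctl.check(stale, "ledger", "read", now).reason,
        "vendor_maintains_pos": ctl.check(vendor, "pos-terminals", "maintain", now).reason,
        "vendor_reads_ledger": ctl.check(vendor, "ledger", "read", now).reason,
        "expired_vendor_reads_pos": ctl.check(expired, "pos-terminals", "read", now).reason,
    }
    outcomes["ledger_audit"] = ctl.who_touched("ledger")
    return outcomes
```

Denials are logged alongside grants, which is what makes the audit question in the text answerable: `who_touched("ledger")` shows not only that the finance user read the ledger, but that an analyst and a POS vendor asked for it and were refused. The checks are ordered so that an expired contractor is turned away before any role lookup, and a valid role still does not reach sensitive data without a recent second factor.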
If you’re regulated by industry standards, check the rules for contracting with third-parties.
The healthcare industry calls third-party vendors ‘business associates’ (BAs) and HIPAA requires these BAs to meet certain security standards, as they fall within the scope of the HIPAA Security Rule and Privacy Rule. Healthcare organizations can now be held liable for the actions of their BAs - meaning, if the BA leaks patient data, you could be fined.
They are also required to sign business associate agreements (BAAs), contracts that set the parameters of patient data access and breach notification policies.
E-commerce companies and others that handle payment card data may enlist third-party service providers (TSPS), as the PCI DSS rules call them, to manage their cardholder data environment. TSPSs must themselves be compliant and produce Reports on Compliance, as the Information Supplement: Third-Party Security Assurance (PDF) dictates.
Establish policies, conduct regular risk assessments and user security training.
Aside from the technical controls, establishing security policies that align with your business objectives should be among the first steps.
While conducting a risk assessment of the potential threats and vulnerabilities to your specific environment, identify where third-parties may fit into your work model.
Carry out user security training, and extend it to your contract employees as well. Teaching staff how to spot a phishing email, and never to type company credentials into a website linked from an email, can be invaluable.
Check out more information about securing third-parties and vendors:
- Lack of PCI & PA-DSS Compliance in Recent POS Vendor Breach
- POS Remote Access Software: Vulnerable Without 2FA
- Lax Healthcare Vendor Security Leads to Data Breaches & Tax Fraud