Ask any HR leader, and they will tell you that attracting and retaining employees is still a challenge. It has never been easy, and the COVID-19 pandemic has made things even more complex. Many workers are considering leaving their current roles because those roles don’t support their long-term goals or desired work-life balance. More than 4 million workers are still leaving every month, despite organizations’ attempts to navigate the Great Resignation.
Global talent shortages are one of the biggest obstacles hiring teams will face in the years to come. Companies are rushing to find creative stop-gap solutions to ensure business continuity during difficult times. It shouldn’t be a surprise that more companies are relying on third-party vendors, suppliers and partners to meet short-term needs, reduce costs and keep innovation humming. The rise of the gig economy has led to more workers entering into this kind of working relationship. In the healthcare industry, as many as 36% of American employees have a gig work arrangement in some form, either alongside or instead of a full-time job.
The corporate supplier environment has become more complicated. Despite the supply chain vulnerabilities revealed by the pandemic, organizations are expanding and broadening their supplier relationships, and regulators have stepped up their oversight of these relationships.
In some cases, outsourcing to temporary workers makes sense; given the constraints of the talent pool, a company sometimes has no other option. Organizations should be aware of the security risks that third parties bring, and of the steps they can take to minimize the chance of a breach.
Third-party security challenges remain prevalent
Bringing a third-party workforce onboard in a rushed way leaves organizations open to significant cyber risk. The risk stems from the third-party users or suppliers themselves becoming compromised and being used as a conduit for attackers to reach the company’s most sensitive data. No matter the industry, there is a lack of centralized control over suppliers and partners: third-party users are managed on an ad hoc basis by individual departments using manual processes or custom-built solutions. It is a recipe for increased cyber risk.
The Target breach is one of the largest third-party security breaches in history. Attackers made their way onto the retail giant’s network after compromising login credentials belonging to an employee of a heating, ventilating, and air conditioning (HVAC) contractor, eventually stealing over 100 million customers’ payment information.
In today’s world, where outsourcing and remote work are the norm, third parties require corporate network access to get their jobs done. If companies don’t reconsider their third-party security controls, they will be open to cyber vulnerabilities that can ruin their business and reputation.
A pervasive lack of visibility and control
Although reliance on third-party workers and technology is widespread in nearly every industry, most organizations still don’t know how many third-party relationships they have, and most don’t know how many people each vendor, supplier or partner brings into the relationship. According to a survey conducted by the Ponemon Institute, 34% of respondents have no idea how many third-party relationships their organization has.
It can be difficult to understand the full extent of third-party access when working with outsiders through cloud-based applications, and with the large-scale shift to remote and hybrid work over the last two years, the adoption of these platforms has skyrocketed.
Although an organization may try to maintain a supplier database, it can be hard to keep that database both current and accurate with the technical capabilities most organizations have today. External identities end up disconnected from the security controls applied to employees because of processes like self-registration and guest invites.
Growing regulatory interest and contractual obligations
Regulators are taking notice of the rise in incidents attributable to third parties. Sarbanes-Oxley now includes several controls specifically designed to manage third-party risk, and improving the cybersecurity maturity of third parties that serve the federal government is the focus of the Cybersecurity Maturity Model Certification. The ultimate goal of these regulations is to bring all third-party access under the same compliance controls required for employees, so that there is consistency across the entire workforce and violations can be mitigated quickly.
Companies are expected to push their suppliers, vendors and partners to implement more stringent security controls, but it is difficult, if not impossible, to enforce standards across another organization. The focus will therefore be on ensuring that identity-based perimeters are robust enough to identify and manage threats coming from third parties.
Decentralized identity solutions are moving mainstream, and the technologies will continue to mature as they become more widely accepted. This will streamline third-party management in the future and help companies on their journey toward zero-trust-compatible identity postures. Continuous identity verification and continuous security monitoring will become increasingly important.
Five steps to mitigate third-party risk today
The challenges are not unsolvable. Five steps can be taken to improve third-party access governance in the short term.
Consolidate third-party management. The process can begin with finance: any contract to provide services to any department in the company should be cataloged in an authoritative system of record that includes information on the access privileges assigned to external users.
Security teams should check for expired accounts and remove any that are no longer needed, and they should assign sponsorship and accountability for each third-party account to a named administrator.
Institute vetting and risk-awareness processes. To ensure that third-party users are who they say they are, the organization and its supplier need to agree on how third-party users will be vetted. A self-service portal that allows third-party users to request access and provide the required documentation can smooth the path to productivity. Risk should be a factor in every access decision.
Define and refine policies and controls. The organization should continuously improve its policies and controls to identify potential violations and reduce false positives. Security teams should also periodically review third-party access, just as they review employees’ access. Auto-remediation can reduce administrative overhead further.
Extend compliance controls to your entire workforce. It’s important to look for a third-party access governance solution that enables consistency across employees and third-party users. It is easier to enforce the appropriate controls and provide audit documentation if you have access to out-of-the-box compliance reports.
Implement privileged access management. Organizations can boost their cybersecurity maturity by deploying a PAM solution, which lets the organization enforce privileged access policy and zero standing privilege across all accounts, third-party accounts included.
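The catalog-driven review that the steps above describe, as an added example that is not from the article or its author: constructed sample records from a third-party system of record are checked for expired contracts, missing sponsors, dormant accounts and standing privilege, and the accounts to disable are listed. Field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample records for a third-party access catalog (the system of
# record from step one). Each row ties an external account to its vendor,
# contract end date, accountable sponsor and privilege level.
CATALOG = [
    {"user": "hvac-tech-01", "vendor": "Acme HVAC", "sponsor": "facilities-lead",
     "contract_end": date(2022, 3, 31), "active": True, "privileged": False,
     "last_login": date(2022, 2, 10)},
    {"user": "dev-contractor-07", "vendor": "CodeShop", "sponsor": None,
     "contract_end": date(2023, 1, 31), "active": True, "privileged": True,
     "last_login": date(2022, 6, 1)},
    {"user": "auditor-ext-02", "vendor": "Audit LLP", "sponsor": "cfo-office",
     "contract_end": date(2022, 12, 31), "active": True, "privileged": False,
     "last_login": date(2021, 9, 1)},
    {"user": "old-vendor-03", "vendor": "RetiredCo", "sponsor": "it-ops",
     "contract_end": date(2021, 6, 30), "active": False, "privileged": False,
     "last_login": date(2021, 6, 15)},
]


def review_third_party_access(catalog, today, dormant_after=timedelta(days=90)):
    """Return {user: [issues]} for every active account that violates a rule."""
    findings = {}
    for rec in catalog:
        if not rec["active"]:
            continue  # already disabled; nothing to remediate
        issues = []
        if rec["contract_end"] < today:
            issues.append("contract-expired")      # access outlived the contract
        if rec["sponsor"] is None:
            issues.append("no-sponsor")            # nobody is accountable for it
        if today - rec["last_login"] > dormant_after:
            issues.append("dormant")               # unused; likely no longer needed
        if rec["privileged"]:
            issues.append("standing-privilege")    # should be just-in-time via PAM
        if issues:
            findings[rec["user"]] = issues
    return findings


def disable_candidates(findings):
    """Accounts to disable outright: contract ended or no accountable sponsor."""
    return sorted(u for u, issues in findings.items()
                  if "contract-expired" in issues or "no-sponsor" in issues)


if __name__ == "__main__":
    found = review_third_party_access(CATALOG, date(2022, 7, 1))
    for user, issues in found.items():
        print(f"{user}: {', '.join(issues)}")
    print("disable:", disable_candidates(found))
```

Dormant accounts that still have a valid contract and sponsor are left for the sponsor to confirm rather than disabled automatically.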
The world of work will not go back to what it was in 2020. The flexibility, agility and access to first-rate talent that businesses gain from embracing modern ways of working make the changes more than worthwhile. Enterprises can realize enormous value within complex and dynamic business relationship and supplier ecosystems, but to do so they need to strengthen their identity and third-party access governance.
Paul Mezzera is a VP of strategy.