How To Reduce Third-Party Risk - Part 1 of 4

Part 1: Non-Employee Accounts a Blind Spot in Most Security Programs

The days when an organization could create a closed internal system to control access to resources are long gone. Enterprises across all industries are increasingly using external resources such as contractors, freelancers, and vendors for work. These ‘non-employees’ often have access to internal systems, including sensitive data. With this access comes greater risk to the organization.

Growing Non-Employee work trends 

Contractors and freelancers are becoming a normal part of business: The Intuit 2020 report describes the trend for freelance and part-time gig economy workers taking hold, with 80% of companies expanding their use of a flexible workforce. This brings with it the challenge of identifying users outside of corporate control.

Cloud adoption is increasing Shadow IT challenges: Cloud services, according to a Cisco report, were found to be the most prevalent Shadow IT system. These are devices unmanaged by IT staff, and present significant access control challenges. Shadow IT is also compounded by non-employees in home or other office environments, collaborating across multiple cloud infrastructures.

Remote work amidst the COVID-19 pandemic adds complexity: The ‘home-network’ is harder to control. Many companies have placed workers, including non-employees, on semi-permanent home working regimes. Facebook, for example, said they expect their workforce to work remotely until the end of 2020. These arrangements require companies to increase remote access connections to networks, inherently increasing the threat landscape.

Multi-faceted access control issues

This mosaic of non-employees across an organization creates complex access control issues. The old way of using Identify and Access Management (IAM) systems, integrated with HR technologies, to identify and manage employee accounts, was able to standardize access control. Outside of the controlled lifecycle of an employee, non-employee access control and onboarding is not as simple. The issues that are inherent within a non-employee lifecycle management scenario and the associated, often unanswered, questions are multifold:

• Verification: How do you efficiently and consistently verify the identity of third-party users?‍
• Authentication:What types of credentials are acceptable when you have a wide range of personnel types, some of which may use non-corporate devices?‍
• Multi-directional relationship management: The lifecycle of a non-employee is dynamic, and changes are bound to happen. When there are management changes, for example, how can you ensure the systems and data are accurate?‍
• Dynamic work arrangements: Non-employees may work from multiple locations, overtime periods that are split by non-working gaps. How can you on and off board quickly and seamlessly?‍
• Managing non-traditional “users”: Some assets may not be tied to a specific individual. How can access to IoT devices such as cameras and kiosks be controlled effectively? How can generic administrator account access be managed?

Data and insider threats

The use of access control measures that are robust and verified is essential as the employee landscape continually extends. While insider threats were an issue pre-cloud computing and today's extended enterprise, the risk continues to grow at a concerningly rapid pace.

The 2020 Insider Threat Report, offers some stark warnings about the threat from insiders:

• ‍68% of organizations confirm insider attacks are becoming more frequent‍
• 53% of organizations believe detecting insider attacks has become harder since migrating to the cloud‍
• 63% of organizations think that privileged IT users(such as system administrators) pose the biggest insider security risk to organizations

These numbers are evidence of the growing threat to data from insiders, including contractors. Now is the time to batten down the identity hatches and develop a strategic approach to third party access management.