Companies rely on relationships. But that circle has expanded to include a vast and vulnerable network of independent contractors, temporary employees, vendors, bots, and non-humans. While indispensable, these partnerships can also prove incendiary. Even the most reputable companies have gotten burned in the last year. Third-party software vulnerabilities accounted for 13% of breaches in 2022, with each occurrence costing businesses an average $4.5 million.
Once attackers have gained access through one of these third-party relationships, they can lock down your systems, steal company data, and exact double extortion: pay once to get your systems back, pay again to get your data back. Your reputation may never be the same.
Acknowledging the depth and breadth of this risk can be the hardest step. And since you can’t manage what you can’t see, our first blog in this series shared a six-step checklist to help you take an accurate inventory of all your third-party relationships. You may be surprised just how many there are — and how many have keys to your kingdom. The process of creating a comprehensive system of record of all these relationships is time-consuming, but remains absolutely foundational to your program’s success.
The next step is onboarding organizations and users to your Identity and Access Management (IAM) system. Before granting access, you need to be fully cognizant of the risks you face — and the protections you need in place.
Often third-party vendors have access to your protected information without having to implement the same security protocols that you do. However, managing relationships with hundreds of third-party vendors is complex and can be rife with miscommunication. Companies may struggle to monitor security practices, detect suspicious activities, and respond to security breaches promptly. They may end up paying the price for this shortcoming with their customer data.
What to do: Once you’ve gathered a comprehensive system of record, you need to select a sponsor inside your company to play point on communications with each third party. This internal sponsor can help evaluate the third party’s security controls, review the level of access, and prevent privilege sprawl and orphaned accounts moving forward.
Make sure you and the third-party organization establish a process for verifying and granting user access so that you’re assured that a) they are who they say they are and b) they’re only allotted the necessary access to perform their assigned tasks — nothing more. Roles and responsibilities should be clearly defined and tailored to the tasks rather than being overly broad or duplicated for similar functions.
Since the opportunity for data theft keeps widening, don’t rely solely on occasional security ratings to manage vendor risks. Consider adopting a platform that provides visibility into all the controls you have in place, how effective (or weak) each of those controls is, and how often attacks or compromises actually occur.
If you’re required to adhere to certain industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR), then so should your third parties. In some cases, you may be held liable for their non-compliance. In addition to fines from regulatory agencies, legal action from affected parties, and a tarnished reputation, you’ll likely be required to enact costly security protocols around identity and access, monitoring, and incident response.
Companies need to ensure that third parties are meeting all the same regulatory standards that they do — and this can be challenging and expensive.
What to do: Before granting access, work closely with your third parties to set expectations and ensure that they’re aware of your security policies and standards. To minimize the risk of a compliance violation, these should be written into all your third-party contracts.
Onboarding a third party often involves integrating their systems with yours. But if their procedures aren’t compatible with your own (different software or tools, different reporting or testing protocols), you may be looking at the potential for system downtime or data loss during the integration process.
How dependent are you on your third party? If your organization’s survival relies too heavily on a vulnerable supplier, you’re risking major business continuity issues in the event of a hack.
What to do: Before going live, plan, test, and validate the integration to ensure that it meets the company’s requirements and that the third-party organization’s systems are compatible. Continuously monitor performance so you can identify and resolve issues as soon as they arise, and develop an incident response plan that informs all relevant stakeholders, provides next steps, and minimizes the impact of a disruption. Set a contractual service-level agreement that requires the third party to notify you of any breach occurring in its systems.
Onboarding third parties to your IAM system may also involve manual processes, such as creating and assigning user accounts and permissions. If individuals aren’t trained well, if communication or monitoring is poor, or if someone misses a key requirement in the third party’s contract (or simply makes an access mistake), the result can be data entry errors, breaches, and compliance violations.
What to do: Get automated. Implementing a self-service portal for access requests can streamline the information collection process for third-party verification and identification. This approach can speed up the verification and provisioning process, allowing users to become productive quickly.
You’ve taken the first steps. Now you need to partner with the right technology to close your third-party gaps and safely grant access.
Saviynt’s Third Party Access Governance (TPAG) can automate access provisioning and verification for human and non-human identities, take the guesswork out of vendor evaluation, and constantly monitor all your vendors. With Saviynt TPAG, you can:
Our risk-based creation policies can help you assess vendor risk prior to onboarding. Throughout the relationship, Saviynt can facilitate the collection of third-party non-employee data collaboratively with internal and external sources.
Saviynt TPAG can slash time, cost, and access risk by providing options for adding users via an Access Request System, bulk upload, or via federated identity systems. Self-service registration portals for third parties allow them to complete many of the onboarding tasks on their own.
Saviynt’s intelligent, out-of-the-box, customizable controls can help to identify common vulnerabilities or address specific risks unique to a particular third party. Our peer and access-based analytics can flag high-risk requests for additional review. This improves visibility and speeds remediation, all while reducing the drag on your time and resources.
Our validation framework helps ensure that all third-party organizations comply with the security standards established by your company. Saviynt’s risk and context-aware analytics and reporting can help you identify areas for improvement and get real-time visibility into third-party compliance with industry regulations and standards. Accelerate audit prep and provide full documentation with compliance reports for all regulatory frameworks, including SOX, GLBA, NIST, HIPAA, and CMMC.
In the final installment of this series, we’ll show you how to effectively delegate administration throughout the entire third-party lifecycle.