Have you left the back door open? asks Stuart Facey, pictured, VP EMEA, at the remote desktop access and password storage software firm Bomgar. He writes of why companies should be securing their data with the same determination as they would with their own homes.
In a digital world, we are constantly sharing data in exchange for various products and services. There’s an understanding or, in many cases, an assumption, that the data we are sharing is being protected. This is not always the case. We just have to look at the plethora of global headlines highlighting the latest stories detailing security breaches or data loss. From US retailer Target, to UK internet company TalkTalk and broadcast regulator Ofcom, we’ve seen recent threats stem from ever-evolving sources.
It’s not that companies are ignoring the risks. Many across the globe have invested heavily in solutions to bolster their security against intruders. However, these recent breaches show that certain areas have been left exposed. It begs the question: are these companies really treating customer data the same as they would their most prized home possessions? They may have a fence, a guard dog and a patrolling drone, but is the back door still being left wide open?
There’s a shared belief that businesses entrusted with data should protect it in the same way they would protect their own homes. With this in mind, there are some key questions that must be raised in regards to companies’ approaches to data security.
The first level of home security is making sure you have locks on each of your doors, then being 100per cent clear you know who has access to a set of keys.
There’s a general trend among companies of all sizes to roll out security strategies that address widely known vulnerabilities from the outside in. However, many are failing to recognise and implement strategies to protect from insiders and other parties, such as third party vendors, who have access to a company’s IT infrastructure. In fact, recent research has highlighted that not all companies are 100 per cent aware of the number of vendors accessing their IT systems – a mere 35 per cent were confident they knew the exact numbers. This is surprising given 69 per cent of security professionals believe that they possibly suffered a security breach resulting from vendor access within the last year.
Third-party vendors play a vital and growing role in supporting organisations’ systems, applications, and devices. However, they also represent a complex network that many companies are struggling to appraise and manage correctly. Giving a vendor unmanaged, uncontrolled and unlimited access is akin to handing out your keys to all of your friends (close and distant) to come and enter your home at their convenience.
You know who has the keys, but are you controlling the levels of access they have to your home? When you hire a gardener, you allow them to access garden and certain areas of your home. You certainly wouldn’t expect to find them in areas of your house which they don’t need to carry out their job. My point here is that although you might put your trust in people, there are parts of your home you would not feel comfortable to give them access to.
Many businesses are placing significant levels of trust in their third-party vendors by granting unrestricted access to their networks. Often they have very little or no visibility or control over what these third parties are doing when connected to their company’s network. Astonishingly, when asked, only 34 per cent of companies knew the number of log-ins to their network attributed to third-party vendors.
The fact is that vendors do not need access to a company’s entire network and therefore should only been given access to specific systems or applications based on the services they provide or changes required at any point in time. Having a legal agreement in place that also covers data security between yourself and your third party vendors is a given but it should not be relied upon as part of your own IT data security procedures. If a hacker can compromise and pose as a legitimate vendor, they may have unfettered access to networks for weeks or even months; plenty of time to steal sensitive data or shut down critical systems.
With so many vendors accessing an organisation’s network on a weekly basis – on average 89 third-party vendors – it’s important that companies have visibility of which vendors are logging in when and where.
Without the ability to granularly control access and establish an audit trail of who is doing what on their network, companies cannot protect themselves from third-party vulnerabilities. Secure Access solutions, such as those from Bomgar, that can be deployed in days and are non-invasive allow companies of all sizes to immediately gain control of vendor and employee access and spot any anomalies or potential threats.
Time for a new alarm?
The security landscape is one of ever-evolving threats coming from numerous sources, which can be an ongoing headache for the CISO, CTO and the IT team. Two-thirds of security professionals reported that they find it difficult to keep on top of this constantly changing landscape. It’s not enough today to simply install a security system and walk away. You need a system that evolves in line with potential threats. An up-to-date policy incorporating access controls is essential to protecting a business, much like installing the latest tech in your home. More importantly, every policy put into place should have a corresponding strategy of enforcement and the tools that make enforcing evolving policies simple and effective.
In summary
We are in a world where data is valuable, business disruption is costly and brand image is critical. Hackers may try and compromise your security for all of the above but in many cases ‘just because they can’ should not be under estimated. The tenacity and intelligence of these cybercriminals is evolving. Organisations of all sizes need to employ better strategies and solutions to secure and manage both insider and vendor access to their networks, systems and ultimately our data. It is only through securing all access points and ensuring that the back door is firmly shut that organisations are able to truly reap the benefits of utilising third parties, enable their IT teams to be productive and harness the possibilities of today’s connected world.
