Prevent security breaches from third-party apps
Are we too trusting? Earlier this year, Security Magazine referenced a study revealing that 82% of companies allow third-party app vendors access to all their cloud data; 76% of companies give third-party app partners access to security roles that allow for full account takeover. But the study’s most troubling discovery is the 90% of cloud security teams who were unaware of the unrestricted — and unnecessary — permissions granted to third-party app vendors.
So, how worried should we be?
Why you should worry: a case study on SolarWinds
The latest trend in cybercrime exploits third-party app vendors — and their excessive permissions — to access and steal protected data. The highly publicized SolarWinds hack is the most sensational example. SolarWinds is a publicly traded company that builds enterprise-level management software for IT networks. It was a popular third-party app used by multiple government and private sector organizations.
Early in 2020, cyberterrorists hacked the SolarWinds base code and deposited malware that piggybacked on software updates the company sent to its roughly 33,000 customers. Once installed, the malicious code infected other programs in each customer’s network. SolarWinds software was widely used by government entities — the Pentagon, the Treasury Department, and Homeland Security — and Fortune 500 companies — Microsoft, Cisco, and Deloitte. Hospitals, universities, and large consulting firms were also attacked. According to the Wall Street Journal, “Since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not.”
The SolarWinds incident spotlights the urgent need to prioritize cybersecurity management of third-party applications in every organization.
The state of third-party app security
Only 4% of organizations have avoided using any third-party apps in their IT environments. The rest virtually give away the store rather than manage app-related security risk. But the permission policies vendors commonly request (e.g., the AWS ReadOnlyAccess managed policy) grant overly broad access, amplifying cybercrime exposure for both vendor and client. According to the Security Magazine article, “In the majority of cases these permissions are there for no reason: the vendor doesn’t actually need them, and the customer team isn’t even aware that they gave them to the vendor.”
The cybersecurity implications are vast and potentially disastrous, and the risk isn’t limited to enterprise organizations. Small and midsize businesses (SMBs) are just as vulnerable and less likely to weather the financial and reputational storm that follows a cybersecurity incident. One survey showed 58% of small and midsize business executives place potential data breaches higher on their list of concerns than physical facility break-ins, fire, or flood.
The risk is real, and third-party app users are right to worry. But what can they do about it?
Third-party app security management
Cybersecurity exposure increases with every additional remote access point and every additional third-party vendor. These vendors add value by developing digital tools — saving organizations the cost of creating proprietary apps. But remote services vendors create a threat vector every time they access your data. Mitigate security threats with a vendor risk management (VRM) program that monitors vendors, their applications, and every digital interaction with your data. In one survey, only 40% of respondents had fully developed VRM plans in place.
Advanced VRM programs evaluate third-party apps for potential cybersecurity risks and proactively prevent data breaches. VRM development is a useful exercise. The end product will reduce risk, but the planning process has the added benefit of raising cybersecurity awareness within your organization. It also helps you monitor vendor compliance with regulatory statutes (e.g., HIPAA, PCI DSS, GDPR, and OCC).
Guidelines for creating a VRM program should include:
- Develop a plan with well-defined roles and rules. Create a team to manage third-party vendor security compliance. Have them build a database of your existing third-party app vendors.
- Establish policies and procedures for regular audits of third-party app vendors. Review contractual agreements and analyze the quality of service each vendor delivers. Pay close attention to data access permissions and activity.
- Use reporting and analytics to track control mechanisms for third-party apps. Include access and permissions, and evaluate how your team uses third-party tools (e.g., remote versus onsite employees).
- Consolidate remote access software to narrow the threat vector.
- Create a remediation plan for mitigating third-party breaches. Make the best use of tools already in place. Add comprehensive cybersecurity training and regular data breach drills.
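As an added illustration of the permission-audit steps above and of the earlier point about the AWS ReadOnlyAccess policy (example code written for this page, not part of the original article or of any vendor's tooling): a small Python script that walks IAM role definitions, finds roles that a principal outside your account can assume, and flags two things a VRM review should catch: broad AWS-managed policies such as ReadOnlyAccess or AdministratorAccess attached to those roles, and cross-account trusts without an sts:ExternalId condition. The role data is a constructed sample in the shape the IAM API returns; the account IDs are fake placeholders, and the set of policies treated as "too broad" is the example's own assumption.

```python
import json
from typing import Dict, List

# Constructed sample: three roles in the shape returned by the IAM API
# (trust policy plus attached managed-policy ARNs). All account IDs are fake.
OUR_ACCOUNT = "111111111111"

SAMPLE_ROLES = [
    {   # vendor granted ReadOnlyAccess, the broad policy the article mentions
        "RoleName": "vendor-monitoring",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "vendor-shared-id"}},
        }]},
        "AttachedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    },
    {   # vendor with admin rights and no ExternalId: full-account-takeover exposure
        "RoleName": "vendor-backup",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]},
            "Action": ["sts:AssumeRole"],
        }]},
        "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    },
    {   # internal service role with a scoped customer-managed policy: clean
        "RoleName": "app-server",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }]},
        "AttachedPolicies": ["arn:aws:iam::111111111111:policy/app-server-s3-read"],
    },
]

# AWS-managed policies that grant account-wide access. A vendor rarely needs
# any of them; this set is the example's own threshold for "too broad".
BROAD_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def account_of(arn: str) -> str:
    """Account ID field of an IAM ARN ('arn:aws:iam::ACCOUNT:...'); '*' stays '*'."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else arn


def aws_principals(stmt: dict) -> List[str]:
    """Account/IAM principals named in a trust statement (service principals ignored)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []


def has_external_id(stmt: dict) -> bool:
    """True if the statement carries an sts:ExternalId condition (confused-deputy guard)."""
    return any("sts:ExternalId" in v for v in stmt.get("Condition", {}).values()
               if isinstance(v, dict))


def audit_role(role: dict, our_account: str) -> List[str]:
    """Findings for one role; an empty list means nothing was flagged."""
    findings: List[str] = []
    third_party = False
    for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        outsiders = [p for p in aws_principals(stmt) if p == "*" or account_of(p) != our_account]
        if not outsiders:
            continue
        third_party = True
        for p in outsiders:
            findings.append(f"third-party principal {p} can assume this role")
        if not has_external_id(stmt):
            findings.append("third-party trust lacks an sts:ExternalId condition")
    if third_party:  # breadth only matters once an outsider can reach the role
        for arn in role.get("AttachedPolicies", []):
            if arn in BROAD_MANAGED_POLICIES:
                findings.append(f"broad AWS-managed policy attached: {arn.rsplit('/', 1)[-1]}")
    return findings


def audit(roles: List[dict], our_account: str) -> Dict[str, List[str]]:
    """Map every role name to its findings, so the vendor database can be updated."""
    return {r["RoleName"]: audit_role(r, our_account) for r in roles}


if __name__ == "__main__":
    # With real data, feed the output of `aws iam get-role` and
    # `aws iam list-attached-role-policies` into the same structure.
    print(json.dumps(audit(SAMPLE_ROLES, OUR_ACCOUNT), indent=2))
```

Running it lists the two vendor roles with their findings and reports nothing for the internal role; in a VRM program the output feeds the vendor database and the periodic audit, and each flagged role becomes a conversation with the vendor about the narrowest policy that still covers the service they deliver.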