Cybersecurity’s Nagging Blind Spot

Why companies aren't able to successfully monitor contractors and third-party vendors


Companies are finally realizing that cybersecurity tools don’t make sense without enterprise-wide efforts. As such, there has been an increasing need for CISOs to foster environments that monitor and engage workforces. For instance, HR and legal teams should screen employees and spell out their cyber-responsibilities. The IT department should train them to follow company standards. And all three must be aware of title or personnel changes that could prompt illegal actions.

Still, none of the above account for organizations’ biggest blind spot: contractors and other third parties. Individuals working at third-party organizations are rarely vetted by the hiring company, yet many can gain access to its sensitive information—everything from proprietary data to business strategies.

The most famous of these employees is Edward Snowden, a network analyst for Booz Allen Hamilton, which worked under contract for the intelligence agency. In this case, Snowden was the willful leak. But in other cases, the third party can be an accidental accessory. Last month, hackers stole Netflix data (specifically one of its TV series) after breaking into the networks of Larson Studios, which does work for the entertainment giant. CSO magazine also cites a recent history of third parties unwittingly playing parts in the data breaches of a fast-food company, large discount chains, pharmacies, and medical centers.

A 2016 Ponemon report estimated that companies spent an average of $10 million in a year responding to third-party breaches. This, of course, doesn’t include less tangible but pricier damages, such as compliance violations, lawsuits, and lost business.

Many employers are silently freaking out. A Market Pulse Survey revealed that 86% fear they have weak visibility into contracted workers’ access to the corporate network. Another study claims that 63% of all breaches can technically be linked to contractors, suppliers, or vendors. This is a terrifying security gap that particularly plagues high-tech companies with large attack surfaces to protect, such as complex supply chains.

Third-party activity originating outside the perimeter can bypass firewalls and elude SIEMs, getting lost in the flurry of false positives the latter generate. This is especially true of privileged-account escalation, where thieves leverage stolen credentials to gain access to accounts with greater privileges.

In response, some savvy legal and HR teams have implemented security measures in their contracts with third-party companies, requiring risk and system assessments and limiting contracted workers’ network access. This is a terrific first step. But ultimately, the enterprise must still equip itself with an analytics-based platform that can spot even nuanced breaches, halting attacks if existing protocols fail.
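The two points above (contract terms that limit contractor access, and analytics that catch third-party privilege escalation once those terms are in place) are easier to see in code. The following is an added example, not from the article or any vendor product: it keeps a small inventory of third-party accounts with the hosts and dates their contracts allow, then checks constructed SIEM-style events against that baseline. All account names, hosts, groups and dates are made up.

```python
from datetime import datetime

# Constructed inventory of third-party accounts (names and dates are made up):
# which hosts each contract allows the account to reach, and when it ends.
THIRD_PARTY_ACCOUNTS = {
    "ctr-vendor-a": {"scope": {"media-share-01"}, "expires": datetime(2017, 6, 30)},
    "ctr-vendor-b": {"scope": {"bms-01"}, "expires": datetime(2017, 12, 31)},
}

# Groups whose membership confers administrative rights; a contractor account
# joining one is the privilege escalation the article warns about.
PRIVILEGED_GROUPS = {"domain-admins", "sudo", "backup-operators"}

# Constructed events in the shape a SIEM might normalise logons and group changes to.
EVENTS = [
    {"ts": "2017-06-12T09:02:00", "user": "ctr-vendor-a", "host": "media-share-01", "action": "login"},
    {"ts": "2017-06-12T09:40:00", "user": "ctr-vendor-a", "host": "fileserver-07", "action": "login"},
    {"ts": "2017-06-12T09:41:00", "user": "ctr-vendor-a", "host": "fileserver-07",
     "action": "group_add", "group": "backup-operators"},
    {"ts": "2017-06-12T10:00:00", "user": "jdoe", "host": "fileserver-07",
     "action": "group_add", "group": "sudo"},
    {"ts": "2018-01-03T22:15:00", "user": "ctr-vendor-b", "host": "bms-01", "action": "login"},
]


def audit_third_party_events(events, accounts=THIRD_PARTY_ACCOUNTS, groups=PRIVILEGED_GROUPS):
    """Return (user, rule, detail) findings for third-party accounts only.

    Employee accounts are left to the normal SIEM rules; the point is that
    contractor accounts get a stricter baseline derived from their contract,
    so out-of-scope access stands out instead of drowning in false positives.
    """
    findings = []
    for ev in events:
        acct = accounts.get(ev["user"])
        if acct is None:
            continue  # not a third-party account; handled elsewhere
        ts = datetime.fromisoformat(ev["ts"])
        if ts > acct["expires"]:
            findings.append((ev["user"], "expired_contract_access", ev["host"]))
        if ev["host"] not in acct["scope"]:
            findings.append((ev["user"], "out_of_scope_access", ev["host"]))
        if ev["action"] == "group_add" and ev.get("group") in groups:
            findings.append((ev["user"], "privilege_escalation", ev["group"]))
    return findings


if __name__ == "__main__":
    for finding in audit_third_party_events(EVENTS):
        print(finding)
```

Against the constructed events this flags the vendor-a account twice for reaching a host outside its contract and once for joining a privileged group, and the vendor-b account for logging in after its contract ended; the employee's group change is left to the regular rules.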

In other words, enterprises must embrace true visibility: factoring third parties into their own security profiles.