Beware of the Plumber? Third-Party Contractors Pose Business Security Risk

The news that the massive data breach that affected Target last December may have been caused by an HVAC contractor who was connected to the retail giant's network may make small businesses consider re-evaluating the third parties that have access to their IT infrastructure, experts say.

Smaller companies, in particular, face risks when bringing on third-party vendors and consultants, said Chris Meidinger, senior sales engineer at email security provider Agari. One reason small companies face these risks is that they're not as equipped to enforce security policies on those third parties, he said.

"Larger companies are in a position to enforce stringent, expert-developed security policies on vendors," Meidinger said. "The largest companies in the world generally even issue company-owned hardware to extend their walled garden to third parties. Smaller businesses, on the other hand, are generally at the mercy of generalists, who may not be as proficient at advanced security practice. Also, smaller companies are generally priced out of the high-end market, and forced to rely on smaller pools of locally available vendors and consultants."

Many small businesses rely on third parties to provide services that their internal staff can't handle, such as IT and security. However, these third parties introduce an element of unknown to the company.

"Third parties definitely elevate the level of risk to a business," said Geoff Webb, senior director of solutions strategy with IT security firm NetIQ. "They are not well known to the company or the other employees; they may introduce risks accidentally, simply as a result of poor habits; and they typically cause changes in the way your infrastructure is used and configured, opening up risks that mistakes could lead to a breach or introduce weaknesses that did not exist before."

Of course, that doesn't mean third-party consultants and contractors are the only people exposing companies to security risks. As Webb pointed out, businesses struggle to manage the risk from their own employees. However, companies have less control over third-party employees than they do over their own staff.

Areas of risk

Therefore, when hiring third-party companies, businesses acquire two areas of risk that they may not be in a position to manage.

"In the first case, the risk is primarily that an outsider now has potential access to your sensitive data and systems — access that could be used to steal information or, as a result of lack of familiarity with systems and procedures, cause an unintentional breach," Webb said.

"In the second case, consultants inevitably bring with them their own hardware and software — laptop, tablet, phone, etc. — all of which has probably been used in another network recently," he added. "This potential lack of good software hygiene could introduce malware if not handled with sufficient care."

In addition, consultants may want to work remotely, and if your company doesn't have a lot of experience with remote employees (and smaller companies are less likely to have that experience), new security protocols — such as changes to firewall rules or VPN software configuration — might need to be put into place.

How to mitigate third-party risk

There are several best practices companies can take to mitigate the security risks introduced by third parties.

For instance, companies should employ third-party services that use strict security measures to protect their data, said Barry Shteiman, director of security strategy at data-security company Imperva.

There are a few other simple steps small business owners can take to significantly reduce their risk:

1.    Change the password on each connected device you buy. "They all ship with default passwords, and that's the first thing the bad guys look for," said Tal Klein, vice president of marketing at Adallom, a software-as-a-service security firm. "Don't rely on your contractors to be secure on your behalf; ensure that every connected device password is changed from the setting it came with."

2.    Use risk-based authentication. By making contextual access decisions, small businesses can take an extra step to ensure their users are secure. For example, if a user or third party is logging in from a new location, the system may ask for additional forms of authentication.

3.    Use multifactor authentication, which adds another layer of security. So, even if hackers obtain customer credentials from a third-party partner, they will be unable to access the service because additional forms of authentication would be required, said Mike Ellis, CEO of ForgeRock.

"It's not easy," Webb said, "but with good planning up front, and careful following of procedure, the risks can at least be managed.”

Originally published on Business News Daily.