Home » Topics » Cybersecurity » Have you left the back door open?

Have you left the back door open?

Avatar photoby Nick Ismail

In a digital world, data is constantly exchanged for various products and services.

There’s an understanding or, in many cases, an assumption, that the data that is shared is being protected.

This is not always the case. You just have to look at the plethora of global headlines highlighting the latest stories detailing security breaches or data loss.

From US retailer Target, to UK internet company TalkTalk and broadcast regulator Ofcom, we’ve seen recent threats stem from ever-evolving sources.

It’s not that companies are ignoring the risks. Many across the globe have invested heavily in solutions to bolster their security against intruders.

However, these recent breaches show that certain areas have been left exposed.

It begs the question: are these companies really treating customer data the same as they would their most prized home possessions?

>See also: Security and the threat of cybercrime is a real concern for organisations

They may have a fence, a guard dog and a patrolling drone, but is the back door still being left wide open?

There’s a shared belief that businesses entrusted with data should protect it in the same way they would protect their own homes.

With this in mind, there are some key questions that must be raised in regards to companies’ approaches to data security.

Do you know who has keys to your home, and to which doors?

The first level of home security is making sure you have locks on each of your doors, then being 100% clear you know who has access to a set of keys.

There’s a general trend amongst companies of all sizes to roll out security strategies that address widely known vulnerabilities from the outside in.

However, many are failing to recognise and implement strategies to protect from insiders and other parties, such as third party vendors, who have access to a company’s IT infrastructure.

In fact, recent research has highlighted that not all companies are 100% aware of the number of vendors accessing their IT systems – a mere 35% were confident they knew the exact numbers.

This is surprising given 69% of security professionals believe that they possibly suffered a security breach resulting from vendor access within the last year.

Third-party vendors play a vital and growing role in supporting organisations’ systems, applications, and devices.

However, they also represent a complex network that many companies are struggling to appraise and manage correctly.

>See also: The Trojan horse: 2017 cyber security trends

Giving a vendor unmanaged, uncontrolled and unlimited access is akin to handing out your keys to all of your friends (close and distant) to come and enter your home at their convenience.

You know who has the keys, but are you controlling the levels of access they have to your home?

When you hire a gardener, you allow them to access garden and certain areas of your home. You certainly wouldn’t expect to find them in areas of your house which they don’t need to carry out their job.

My point here is that although you might put your trust in people, there are parts of your home you would not feel comfortable to give them access to.

Many businesses are placing significant levels of trust in their third-party vendors by granting unrestricted access to their networks.

Often they have very little or no visibility or control over what these third parties are doing when connected to their company’s network.

Astonishingly, when asked, only 34% of companies knew the number of log-ins to their network attributed to third-party vendors.

The fact is that vendors do not need access to a company’s entire network and therefore should only been given access to specific systems or applications based on the services they provide or changes required at any point in time.

Having a legal agreement in place that also covers data security between yourself and your third party vendors is a given but it should not be relied upon as part of your own IT data security procedures.

If a hacker can compromise and pose as a legitimate vendor, they may have unfettered access to networks for weeks or even months; plenty of time to steal sensitive data or shut down critical systems.

Do you actually know what they’re doing?

With so many vendors accessing an organisation’s network on a weekly basis – on average 89 third-party vendors – it’s important that companies have visibility of which vendors are logging in when and where.

Without the ability to granularly control access and establish an audit trail of who is doing what on their network, companies cannot protect themselves from third-party vulnerabilities.

>See also: The rise of the machine: AI, the future of security

Secure access solutions that can be deployed in days and are non-invasive allow companies of all sizes to immediately gain control of vendor and employee access and spot any anomalies or potential threats.

Is it time for a new alarm system?

The security landscape is one of ever-evolving threats coming from numerous sources, which can be an ongoing headache for the CISO, CTO and the IT team.

Two-thirds of security professionals reported that they find it difficult to keep on top of this constantly changing landscape.

It’s not enough today to simply install a security system and walk away. You need a system that evolves in line with potential threats.

An up-to-date policy incorporating access controls is essential to protecting a business, much like installing the latest tech in your home.

More importantly, every policy put into place should have a corresponding strategy of enforcement and the tools that make enforcing evolving policies simple and effective.

In summary

The world is a place where data is valuable, business disruption is costly and brand image is critical.

Hackers may try and compromise your security for all of the above but in many cases ‘just because they can’ should not be under estimated.

>See also: The future of driverless cars and data security

The tenacity and intelligence of these cyber criminals is evolving.

Organisations of all sizes need to employ better strategies and solutions to secure and manage both insider and vendor access to their networks, systems and ultimately our data.

It is only through securing all access points and ensuring that the back door is firmly shut that organisations are able to truly reap the benefits of utilising third parties, enable their IT teams to be productive and harness the possibilities of today’s connected world.

 
Sourced by Stuart Facey, VP EMEA, Bomgar

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise