Recent security breaches have been attributed to a compromise at a third-party contractor. Attackers were able to exploit the trust between the two organizations to attack the larger company. You have to be cautious about whom you trust, and whom they trust.
It’s actually a sort of variation on the age-old bank robber strategy. In old Westerns and gangster movies, the crooks would set up shop next door or across the street and tunnel under the bank to get to the vault. It is certainly less overt than walking through the front door, but highly tedious and impractical. The cyber equivalent, however, is much easier to execute.
Your organization may have best-of-breed security tools in place, follow security best practices, and have employees who understand and follow established security policies. But if your network is connected to partners, vendors, or third-party contractors, hackers can leverage those relationships to gain access to your systems. The weakest link in your security chain may be the trust you have with companies and networks outside of your company.
The question, then, is how you’re supposed to defend yourself. There are a few strategies you should adopt.
First, you should have policies and minimum security requirements in place for any company you choose to trust and grant access to your network. You need to do some due diligence and ensure that the companies you trust have security controls in place that meet your standards, since, by association, their network will be an extension of yours. For greater security, you should go a step further and require the organizations you trust to vet their third-party trusts in the same manner, and/or let you have some oversight or input into any trust relationships they establish.
The second thing you should do is use discretion regarding what, exactly, the third-party trusts you set up have access to. Be discriminating about which servers, folders, files, and services third-party organizations are authorized to use—access should only be granted on an as-needed basis.
Finally, you should have all of your sensitive systems and data adequately protected against unauthorized access. However, if a user is compromised, the attack may be executed using credentials that have authorized access, so you need tools in place to monitor authorized access and identify anomalous or suspicious activity, as well.
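One way to put the last two points into practice, as an added example that is not from the original article: encode the as-needed access grants for each third-party account as an allowlist, then run every access event from those accounts against it and flag anything outside the grant (a resource the partner was never authorized for, activity outside the agreed window, or an account no policy covers). The partner account names, resources, maintenance windows, and log lines below are all constructed for the example; a real deployment would read them from your access-management system and from your authentication or file-server logs.

```python
"""Added example (not from the original article): check third-party access
events against a per-partner allowlist and flag anomalies.  Partner account
names, resources, maintenance windows, and log lines are all constructed."""
from collections import Counter
from datetime import datetime

# Constructed policy: each partner account may reach only the listed
# resources, and only inside its approved window of UTC hours [start, end).
PARTNER_POLICY = {
    "svc_hvac_vendor": {"resources": {"bms-gateway"}, "hours": (8, 18)},
    "svc_payroll_contractor": {
        "resources": {"hr-fileshare", "payroll-db"},
        "hours": (7, 20),
    },
}

# Constructed access log, one event per line:
# "<ISO-8601 timestamp> <account> <resource> <action>"
SAMPLE_LOG = """\
2024-03-04T09:12:03Z svc_hvac_vendor bms-gateway read
2024-03-04T09:15:44Z svc_payroll_contractor hr-fileshare read
2024-03-04T02:41:10Z svc_hvac_vendor pos-db read
2024-03-04T02:42:01Z svc_hvac_vendor pos-db read
2024-03-04T10:00:00Z svc_payroll_contractor payroll-db write
2024-03-04T23:05:17Z svc_payroll_contractor hr-fileshare read
2024-03-04T11:30:00Z svc_unknown_partner hr-fileshare read
"""


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, account, resource, action = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "resource": resource,
        "action": action,
    }


def evaluate_event(event, policy=PARTNER_POLICY):
    """Return the list of finding labels for one event (empty if it is clean).

    The event already succeeded authentication, so this is a check on
    *authorized* access: does it stay within what the partner was granted?
    """
    rule = policy.get(event["account"])
    if rule is None:
        # Valid credentials, but no trust relationship on file for them.
        return ["unknown_account"]
    findings = []
    if event["resource"] not in rule["resources"]:
        findings.append("resource_not_allowed")
    start, end = rule["hours"]
    if not start <= event["time"].hour < end:
        findings.append("outside_window")
    return findings


def analyze_log(text, policy=PARTNER_POLICY):
    """Evaluate every line; return (line, findings) pairs for flagged events."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        findings = evaluate_event(parse_event(line), policy)
        if findings:
            flagged.append((line, findings))
    return flagged


def summarize(flagged):
    """Count findings per account so the noisiest trust relationship stands out."""
    counts = Counter()
    for line, findings in flagged:
        counts[line.split()[1]] += len(findings)
    return dict(counts)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for line, findings in hits:
        print(f"{line}  ->  {', '.join(findings)}")
    print("findings per account:", summarize(hits))
```

Two of the constructed events would pass an ordinary permission check (the contractor account is allowed on the file share; the HVAC account authenticated successfully) and are caught only because the check compares activity against what was granted, which is the point of monitoring authorized access rather than just blocking unauthorized access.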
There is no absolute security, and there is no silver-bullet solution. If you’re vigilant about your own security, though, and you’re cautious about which organizations you trust to access your network, you can avoid most security breaches.