THIRD-PARTY REMOTE ACCESS: CHALLENGES FOR ENTERPRISES AND TECHNOLOGY VENDORS


Overview

According to data from the nonprofit ID Theft Resource Center, there have been more than 500 data breaches and more than 7 million records exposed since the beginning of 2018 through the beginning of June. At that rate, 2018 will see nearly 1,300 data breaches by the end of December. IBM, in a recent study, estimated that a US-based data breach costs on average $7.3 million (for healthcare organizations, that number quickly scales up to $12 million). A quick back-of-the-envelope calculation suggests that data breaches have potentially had a more than $3 billion impact on businesses and organizations already in That's a lot of money. And the costs are more than just financial. Data breaches erode the public's trust, create havoc for internal teams attempting to clean up the mess, and potentially expose an organization to liability and litigation. The issues aren't going away anytime soon.

Industry data also suggest that somewhere between 50% and 60% of data breaches can be attributed to a third party (e.g., vendors, business associates, contractors), in other words, someone or some business that accesses an enterprise organization's network and is not an employee. Third parties are essential to keep any organization up and running, from performing routine maintenance to specialized tasks, but they also pose the greatest security risk to an enterprise organization's network.

There are many good studies from a variety of sources that look at secure remote access from the enterprise perspective. We wanted to take a different approach and look at the issue from both the enterprise perspective AND the third-party perspective, in other words, a more holistic view of the ecosystem. We believe this study adds something of value to the literature that already exists.

We set out to answer the following questions:
- How important is third-party remote access?
- How does third-party remote access differ for enterprise organizations and vendors?
- How are enterprise organizations and vendors handling third-party remote access?
- What matters most when it comes to third-party remote access?

We worked with an outside research firm, Edge Research, to conduct online surveys with 417 IT and security decision makers from enterprise organizations in highly regulated industries (healthcare, banking, finance, government, retail, etc.) and third-party vendors from February 20, 2018 to March 13, Here's what we discovered.

Key Findings

- Securing third-party remote access is a top priority for enterprises. Enterprise organizations recognize secure remote access as an issue for both internal employees and external third parties. Securing third-party remote access is a top-three priority for enterprises.
- Complying with industry regulations is the number one priority for enterprises. 64% of enterprise organizations listed compliance as their number one priority, while 90% of organizations surveyed are subject to regulatory compliance reporting.
- Customer compliance is the number one priority for vendors. The main concern around remote access for vendors is ensuring compliance with customer requirements (82%), while 92% of vendors surveyed support enterprises that are subject to federal regulatory compliance reporting.
- Enterprise organizations manage multiple vendors. On average, enterprise organizations manage 67 vendors, with the majority (90%) managing multiple individual vendor users.
- Enterprise organizations are looking for a single solution for third-party remote access. For managing third-party remote access, 45% of enterprise organizations use a single solution, while one-third (33%) use three or more solutions.
- Vendors manage hundreds of customers and use multiple solutions to support them. On average, vendors support 239 customers and, by and large, use multiple solutions to access customer networks. Nearly half (47%) use three or more solutions, while only 29% use a single solution.

SECTION 1: The Issue with Secure Remote Access

Enterprise organizations are concerned about remote access to their network, whether it's employee access or third-party access. The surface area of access (and, by extension, attack) has increased dramatically in the last few years, especially as Internet-connected devices continue to proliferate. By some estimates, in North America alone, we will have 10+ Internet-connected devices per person by And while the number of business devices connecting to an enterprise network might be slightly fewer per person, the impact is no less significant. It's no surprise this is one of the top issues that keep CIOs and CISOs awake at night.

From an enterprise organization's point of view, Figure 1 shows that internal employees (22%) and external vendors (20%) are perceived to pose similar risk, while a majority (57%) perceive both to present equal risk. Any way you slice it, remote access poses risk.

Figure 1: Perceived Risk by Internal Employees vs. Third-Party Vendors
  External vendors: 20%
  Both equally: 57%
  Internal employees: 22%
  Don't know: 1%

When it comes to identifying priorities for managing secure remote access, enterprise organizations view industry compliance (64%), securing third-party network access (63%), and securing privileged credentials (63%) as the top priorities. For vendors, complying with customer requirements (82%) is the single most important priority, followed by mitigating risk and liability while connecting to customer networks (66%). Figure 2 shows the top priorities for both enterprise organizations and vendors regarding secure remote access.

Figure 2: Secure Remote Access Priorities for Enterprise Organizations and Vendors

Top Enterprise Priorities for Managing Access
  Complying with industry regulations: 64%
  Securing privileged credentials: 63%
  Securing third-party network access: 63%
  Controlling employee access to privileged systems, enforcing least privilege principles: 53%
  Monitoring and auditing privileged sessions: 45%
  Streamlining the management of third-party network access: 30%

Top Vendor Priorities for Accessing Customer Networks
  Complying with customer security requirements: 82%
  Mitigating risk and liability while connecting into our customer networks: 66%
  Monitoring customer systems to proactively address issues: 49%
  Automating support-related functions such as patches, pulling log files, or running queries: 35%
  Streamlining and simplifying network access methods: 33%

SECTION 2: Managing Third-Party Remote Access

Not surprisingly, the challenges faced by both enterprise organizations and the vendors that support them align closely with their priorities. Figure 3 looks at the top remote access challenges for enterprises and vendors. For enterprises, these include assurance that third parties are complying with security policies and requirements (43%), third-party access to only what is needed (35%), and managing third-party access in compliance with regulatory requirements (34%). For vendors, these include reducing potential liabilities by ensuring a secure, auditable connection each session (47%); accountability/traceability of support's actions when accessing customer systems (38%); allowing support reps to gain access to the customer network without the need for support and oversight from the customer's IT group (34%); and managing many different access solutions (34%).

Figure 3: Remote Access Challenges for Enterprises and Vendors
(Percentages are total reporting a challenge, with major challenge / minor challenge in parentheses)

Enterprises
  Assurance that third parties are complying with security policies and requirements: 87% (43% / 44%)
  Third-party access to only what is needed: 86% (35% / 52%)
  Managing third-party access in compliance with regulatory requirements: 85% (34% / 51%)
  Tracking/auditing third-party access and activity: 86% (33% / 53%)
  Ability to audit/track individual rep activity: 85% (32% / 53%)

Vendors
  Reducing potential liabilities by ensuring a secure, auditable connection each session: 91% (47% / 44%)
  Accountability/traceability of support's actions when accessing customer systems: 85% (38% / 47%)
  Allowing support reps to gain access to the customer network without need for support and oversight from the customer's IT group: 89% (34% / 55%)
  Managing many different access solutions: 79% (34% / 45%)
  Inefficient/cumbersome to connect with customers to resolve issues quickly: 87% (32% / 55%)

Specifically in relation to third-party remote access, both enterprises and vendors are dealing with lots of moving parts. On average, enterprise organizations manage 67 vendors, and each of those vendors has multiple individuals that access an enterprise's network. The result is thousands of third parties accessing a network at any given time. For vendors, the numbers are even bigger: on average, they support 239 customers. That's potentially a hockey arena full of people either being managed by an enterprise or supporting a customer via remote access to a network. And that's just one organization. Figure 4 looks at the number of vendors managed and customers supported.

Figure 4: Vendors Managed and Customers Supported
  Enterprise, average number of vendors: 67
  Vendors, average number of clients: 239

SECTION 3: Compliance Matters to Everyone

Not surprisingly, as scrutiny increases, compliance with industry regulations, whether it's HIPAA, Sarbanes-Oxley, PCI DSS, NERC/FERC, etc., is the top priority or one of the most important (89%) for enterprise organizations when it comes to remote access. Compliance with customer requirements is the top priority or one of the most important (97%) for vendors.

Industry regulators are starting to crack down harder on organizations that have experienced data breaches. A 5-minute Google search reveals the SEC's recent $35M fine of Altaba (formerly Yahoo!) for failure to disclose a data breach in 2014; Alabama recently passed a state law under which fines will be levied if your data is breached; and the European Union says new fines will apply to old data breaches. Figure 5 shows the importance of compliance for both enterprise and vendor organizations.

Figure 5: Importance of Industry and Customer Compliance
  Enterprise, top priority or one of the most important: 89%
  Vendor, top priority or one of the most important: 97%

"Being in the medical industry you fall under HIPAA and SOX and there's all kind of other crazy regulatory groups that kind of govern you and you come in and do all these really intense audits all the time."
  System Engineering Manager, Medical Device Company

"Being a government agency, we really have to be careful about documenting our decisions."
  Chief Information Officer, Government Agency

"HIPAA and FERPA, they kind of share the same realm of paranoia but they're very different."
  IT Systems Analyst, Community College

SECTION 4: Technology Insights

There are a variety of technology solutions both enterprise organizations and vendors use for remote access; some pose a greater security risk than others. By and large, enterprise organizations are looking for a single solution when it comes to managing third-party remote access, and many of them have only one (45%), while vendors rely on multiple solutions, in some cases three or more (47%), to support customers. Figure 6 shows the number of solutions used by both enterprise organizations and vendors to manage third-party remote access. The data also show a discrepancy in the way enterprises and vendors approach third-party remote access, with enterprises leaning toward a single solution and vendors leaning toward multiple solutions, which suggests a potential misalignment between enterprises and vendors when it comes to third-party remote access.

Figure 6: Number of Solutions Used to Manage Third-Party Remote Access, Enterprise and Vendor
  VPN + other solution: Enterprise 37%, Vendors 47%
  Single solution: Enterprise 45%, Vendors 29%
  Two solutions: Enterprise 22%, Vendors 24%
  3 or more solutions: Enterprise 33%, Vendors 47%

FOCUS: Healthcare

Healthcare organizations are prime targets for data breaches, hackers, and phishers. Different industry research typically reaches the same conclusion: healthcare records are the most valuable, ranging anywhere from $200 to $400 a record, which is up to 10X more than credit card data. While the healthcare industry aligns with the data we have seen throughout the report, IT and security professionals in healthcare feel even more strongly about many of the topics we have discussed, particularly compliance. For example, while, on average, all the enterprise organizations in our dataset manage 67 vendors, healthcare organizations manage 79 vendors. Complying with industry regulations jumps to 67% as the top priority (vs. 64% for the larger group). Assurance that third parties are complying with security policies and requirements (44%), and tracking and auditing third-party access and activity (38%), are the top two challenges identified by healthcare organizations. Even more healthcare organizations are using a single solution (47%), while securing third-party network access is also a top priority (63%). The table below highlights the challenges and priorities for healthcare organizations around third-party remote access.

                                                      All Enterprise Organizations   Healthcare Organizations
  Number of vendors managed                            67                             79
  Top priority: industry compliance                    64%                            67%
  Top challenge: 3rd-party compliance with security    43%                            44%
    policies
  Single solution used                                 45%                            47%

SECTION 5: So, Where Do We Go from Here?

Almost weekly, we hear news of another data breach or ransomware attack. Regulators are getting much heavier-handed when it comes to fines and punishment. Organizations are concerned (both the enterprises and the vendors that support them) and looking for solutions. And this concern isn't confined to a single industry; all industries are affected, even if healthcare has the biggest target on its back.

Use this study to assess the priorities and challenges within your own organization, whether you're an enterprise managing multiple vendors or a vendor supporting multiple enterprises. Do the things that keep you awake at night align with the things that keep your peers awake at night? Are you using multiple solutions to manage third-party remote access, or are you using a single solution? Are you compliant with industry regulations or with your customer requirements? We know you will take something valuable from this study and use it to move your organization forward. Below are some tips and suggestions on how to get the most out of this data.

Assess your current technology
Enterprise organizations are looking more and more to streamline the management of third parties accessing their network by identifying a single solution fit for purpose. For enterprises, look at your current mix of solutions and see where consolidation can happen that will ease the administrative burden. For vendors, assess whether you are putting extra burden on your clients by asking them to use a solution they don't typically use. Is there an easier way to support all your customers with a single solution? More importantly, is your solution, or the solutions you're considering, good enough to do the job? For something as important as securing your network for third-party access, "good enough" is typically not sufficient to ensure a protected network. Look at platforms built for purpose when considering your network security needs.

Look at access policies and procedures
The best technology in the world won't help you if you don't have realistic policies and procedures in place. Tier your systems and vendors: look at your current roster of vendors and determine which are the highest priority and which pose the greatest risk. Create different levels of access and accountability requirements that reduce risk and make vendor access easier to manage. Also, educate employees about security and phishing attacks, use multi-factor authentication, enforce reasonable password rules, and keep your software updated.

Understand what compliance means
Compliance is the top priority for both enterprises and vendors, so understand what that means. For enterprise organizations, be familiar with the different industry regulations and requirements to ensure your technology is meeting and addressing those needs. For vendors, get clarity from your customers in terms of their needs so you can ensure compliance with their requirements. One simple misunderstanding can lead to massive repercussions.

Get on the same page with your vendor or customer when it comes to third-party remote access tools
Enterprises are looking for a single solution; vendors are using multiple solutions. A disconnect exists between both sides of the third-party remote access divide that will leave one or both parties exposed and vulnerable. For enterprises, be clear about how you want vendors to access your network to ensure they are using the tools and technologies that ensure compliance and improve security. For vendors, engage the enterprises you support up front to get clarity on how and when you can access the network, to help ensure compliance with customer requirements and mitigate your own risk.

About SecureLink

SecureLink is a pioneer and leader in third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise is the only purpose-built secure remote access platform to identify, control, and audit third-party vendors. For technology vendors, SecureLink for Vendors is the gold standard remote access platform because it is easy, efficient, and helps reduce liability when supporting customers. For both enterprises and vendors, a SecureLink solution is the most secure option for third-party remote access. contact@