Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago. An additional 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access. An additional 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third-parties have access to sensitive systems as a course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third-parties. While appropriate for the intended end-user—remote and/or traveling employees—issues arise when the scope of VPN is trusted to manage connections from external groups. If a system connected via VPN is exploited and used as a point of persistence for leap-frogging into the broader network, hackers can persist for days or months and move stealthily about the network. Companies have also seen malicious (or well-intentioned) insiders choosing to abuse their access to steal or leak sensitive information, as this is all made fairly trivial when leveraging open-ended VPN connectivity.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third-parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.

Another secure access best practice is to employ a password/credential vaulting solution. This enables organizations to mitigate the risk of credentials shared between privileged users, which are often the target of a threat actor. It also reduces the risk of what system administrators often think of as “the stickynote nightmare,” where a sensitive credential is written on a stickynote and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small, yet strong initiative to protect network security would include requiring every privileged user to access credentials required for elevated work via checking out of a password vault. This removes most of the challenges associated with sharing credentials as, once they are checked back in, those credentials can be immediately rotated and thus become unknown to the employee or the bad actor who may have stolen them. Incorporating multi-factor technology in order to access the password vault and other sensitive systems takes it a step further.

In today’s heightened environment, following these steps should be essential security best practices for any company allowing vendors or other third-parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third-parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.

Hidden Exposure: Protecting Your Business with Third-Party EPLI

Coffee shop
In today’s increasingly litigious society, harassment and discrimination are trending upward. To protect your business from workers’ claims, including wrongful termination, breach of employment contract, wrongful discipline, failure to employ or promote, sexual harassment and discrimination, you likely have employment practices liability insurance (EPLI) in place.

But if your employees frequently deal directly with the public, there may be a glaring gap in your coverage. Your business and workers may also be at risk for harassment or discrimination claims from a customer, client, supplier, vendor or visitor. The bad news: these types of claims are not covered by commercial general liability insurance or standard first-party EPLI.

To protect your business from customer or client allegations, third-party EPLI is the answer.

The types of wrongful acts typically covered by third-party EPLI are discrimination and harassment. Discrimination can include claims based on nationality, sex, disability, age, race, religion, pregnancy or sexual orientation. Harassment can take on many forms, such as unwelcomed sexual advances, requests for sexual favors, and other types of verbal or physical abuse. Third-party EPLI reimburses your company for court and legal fees, as well as any settlements between the business and the accuser.

Third-party EPLI may be appropriate if you frequently meet with clients or deal with vendors. And it is absolutely essential for businesses that interact with the public. Examples include large customer service teams, cable television installers, contractors, restaurant, hotel and transportation workers, and real estate agents.

For example, a customer sued a New Jersey gas station after being sexually assaulted by an attendant who was filling up her car. The woman claimed the station attendant made inappropriate advances, performed a lewd act and touched her while she was buying gas, according to The woman also claimed that another employee at the gas station did nothing to prevent the incident or intervene during it.

In another example that made national headlines, thousands of African American patrons of Denny’s restaurants claimed they were refused service, were forced to wait longer, had to prepay for food, or pay more for food compared to white customers, the New York Times reported. These claims, which totaled 4,300 and spanned several years across multiple states, culminated in a class-action lawsuit against the national restaurant chain. Denny’s settled the suit in federal court, and members of the class-action suit were awarded $54 million for damages.

Starbucks was sued in federal court by a group of 12 deaf customers who said they were mocked and mistreated at a coffee shop in New York City. The group claimed being harassed multiple times because of their disability. During one instance, a Starbucks employee called the police in response to a group of deaf patrons who met at a Starbucks to hold their monthly Deaf Chat Group, although the patrons were paying customers, according to USA Today. The police apologized to the patrons and reprimanded the employee for calling the police when there was no illegal conduct.

As you can see, the level of interaction a company has with those who might claim a wrongful act, and the industry in which you operate, can affect the cost of third-party EPLI. Other factors come into play as well, like whether you’ve been sued in the past over employment practices.

While third-party EPLI helps defray the cost of lawsuits and judgments brought against your business, one thing it doesn’t protect is your reputation. Therefore, forward-thinking employers are doing more than just purchasing a third-party EPLI policy; they’re also taking steps to make it less likely they will have to use that policy. Effective training and education, no matter your level of exposure, can help prevent claims of wrongful acts against your business or employees. Creating training programs to educate employees on what constitutes harassment and discrimination, as well as putting processes in place about what to do in the event of an allegation, are good starting points.

When screening and hiring new employees, it is essential to create programs that help your hiring team vet candidates solely on their qualification for the job. Documenting your process helps everyone understand the requirements and will provide backup should issues arise.

It’s also a good practice to display all corporate policies as they relate to hiring and worker conduct in employee handbooks so the policy is available to everyone and can be reviewed when necessary. Many companies also ask employees to sign a document affirming they have read the employee handbook.

Unfortunately, all of the education and training in the world can’t stop a customer or vendor from claiming harassment or discrimination by one of your employees. But a carefully developed third-party EPLI plan that assesses your exposure and helps you completely cover your business can minimize your risk.