Cyberattacks have been steadily rising in the last several years, yet appear particularly prominent as of late, with several high-profile cases making national headlines by not just affecting the breached organizations but having wide-ranging effects on everyday individuals. David Pignolet, founder and CEO of third-party identity management leader SecZetta, today shared his perspectives on the rise of cyberattacks in the U.S. and what organizations can do to better safeguard themselves from these looming threats.
David Pignolet’s Statement:
“From the SolarWinds cyberattack that compromised sensitive information of Fortune 500 companies and government agencies, to the ransomware attack on Colonial Pipeline that halted the flow of oil and gasoline across the Eastern Seaboard, to the ransomware attack on JBS Foods that temporarily halted about 20% of beef production in the United States, the last few months have exposed just how vulnerable our nation, and in particular critical infrastructure and OT environments, are to cyberattacks.”
As our world becomes more digital, interconnected, and perimeter-less in terms of where and how companies conduct business, identity needs to be at the center of every organization’s security strategy. We often hear, “hackers don’t break in, they log in.” Unfortunately, most organizations lack an authoritative source (a key data resource used to make well-informed decisions about access) for their external workforce, or “third parties.” While they grant access to their internal workforce based on their knowledge of each employee, they often have little to no information about the individuals in their external workforce (third parties such as vendors, partners, freelancers, and supply chain staff), yet readily grant them access to the same systems and data.
Without an authoritative source of information for third-party individuals, organizations often don’t actually know who they have given access to; they grant excessive levels of access; provide access to high-risk individuals; and do not remove access once it is no longer needed. What makes this scenario even more problematic for organizations is the scale of the issue. The number of third-party individuals who have access at some organizations is actually exponentially greater than their number of employees. This creates a massive attack surface for bad actors and as a result, almost immeasurable risk for the organization.
Steps organizations can take today:
Know Your Third-Party Workforce: According to a 2021 Ponemon Institute study, 65% of organizations have not identified the third parties with access to the organization’s most sensitive data.
Audit Those with Access: Organizations should conduct regular, comprehensive user audits to ensure that access follows the principle of least privilege, meaning the appropriate privileges for the appropriate resources at that specific point in time. It is also important to search for and remove active accounts belonging to users who no longer need access.
Conduct Risk Ratings and Adjust Privileges Appropriately: While an organization may have carefully reviewed the security controls of a new partner or vendor, they must also assess the risk of each employee from those organizations who request access before access is granted. Risk rating should be a continuous process as risk factors, individual characteristics, and access needs evolve.
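The three steps above describe one review loop: reconcile every third-party account against an authoritative source, remove accounts whose owner is unknown, departed or dormant, and cap each remaining account’s privileges by the individual’s risk rating. The script below is an added illustration of that loop, not SecZetta code; the roster, access inventory, risk-to-privilege policy, 90-day dormancy threshold and all account names are constructed assumptions.

```python
"""Third-party access review: reconcile accounts against an authoritative source.

Added example (not SecZetta's product). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical ordering of entitlement levels, lowest to highest.
PRIVILEGE_RANK = {"read": 1, "write": 2, "admin": 3}

# Hypothetical policy: the highest entitlement each risk tier may hold.
MAX_PRIVILEGE_BY_RISK = {"low": "admin", "medium": "write", "high": "read"}


@dataclass
class ThirdParty:
    """One row of the authoritative source for external identities."""
    identity_id: str
    organization: str
    risk: str               # "low" | "medium" | "high"
    engagement_end: date    # last day the engagement is valid


@dataclass
class AccessRecord:
    """One account/entitlement pair exported from a target system."""
    account: str
    identity_id: Optional[str]   # None when no authoritative identity maps to the account
    system: str
    entitlement: str
    last_login: Optional[date]


@dataclass
class Finding:
    account: str
    system: str
    issue: str
    action: str


def review_access(roster: List[ThirdParty], access: List[AccessRecord],
                  today: date, stale_days: int = 90) -> List[Finding]:
    """Return one finding per account that fails the review, most severe check first."""
    roster_by_id = {tp.identity_id: tp for tp in roster}
    findings = []
    for rec in access:
        tp = roster_by_id.get(rec.identity_id) if rec.identity_id else None
        if tp is None:
            # "Know your third-party workforce": nobody owns this account.
            findings.append(Finding(rec.account, rec.system,
                                    "no authoritative identity", "disable and investigate"))
        elif tp.engagement_end < today:
            findings.append(Finding(rec.account, rec.system,
                                    "engagement ended", "remove access"))
        elif rec.last_login is None or (today - rec.last_login).days > stale_days:
            findings.append(Finding(rec.account, rec.system,
                                    f"no login in {stale_days} days", "remove access"))
        else:
            # Least privilege, bounded by the individual's current risk rating.
            allowed = MAX_PRIVILEGE_BY_RISK[tp.risk]
            if PRIVILEGE_RANK[rec.entitlement] > PRIVILEGE_RANK[allowed]:
                findings.append(Finding(
                    rec.account, rec.system,
                    f"{rec.entitlement} exceeds {allowed} permitted for {tp.risk} risk",
                    f"reduce to {allowed}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the review over a constructed roster and access inventory."""
    today = date(2021, 7, 1)
    roster = [
        ThirdParty("tp-001", "Acme Logistics (constructed)", "low", date(2022, 12, 31)),
        ThirdParty("tp-002", "Freelance developer (constructed)", "medium", date(2021, 12, 31)),
        ThirdParty("tp-003", "ContractorCo (constructed)", "high", date(2021, 3, 31)),
    ]
    access = [
        AccessRecord("svc-acme-01", "tp-001", "ERP", "read", date(2021, 6, 28)),          # clean
        AccessRecord("dev-contract-02", "tp-002", "CI", "admin", date(2021, 6, 30)),      # over-privileged
        AccessRecord("ops-legacy-03", "tp-003", "OT-jump-host", "write", date(2021, 3, 15)),  # departed
        AccessRecord("vendor-unknown-04", None, "VPN", "read", date(2021, 6, 1)),        # orphan
        AccessRecord("svc-acme-05", "tp-001", "FileShare", "write", date(2021, 2, 1)),   # dormant
    ]
    return review_access(roster, access, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account:<18} {f.system:<13} {f.issue:<45} -> {f.action}")
```

Each record triggers at most one finding, ordered from the most severe condition (no owner at all) to the least (an owner who is merely over-privileged), so the action list can be worked top to bottom. In practice the roster would be fed from the sponsor or vendor-management system and the access inventory from each target system’s export, and the review would be re-run on a schedule rather than once.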
SecZetta is the leading provider of third-party identity management solutions. Our solutions enable organizations to execute risk-based identity access and lifecycle strategies for diverse non-employee populations. Because the solution suite is purpose-built, it’s uniquely able to manage the complex relationships organizations have with non-employees in a single, easy-to-use application that simultaneously helps facilitate commercial initiatives, support regulatory compliance, and reduce third-party risk. For more information about SecZetta visit https://seczetta.com/.