This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyberattacks.
The following is an interview we recently had with David Pignolet, Founder and CEO of SecZetta.
From the SolarWinds cyberattack that compromised sensitive information of Fortune 500 companies and government agencies, to the ransomware attack on Colonial Pipeline that halted the flow of oil and gasoline across the Eastern Seaboard, to the ransomware attack on JBS Foods that temporarily halted about 20% of beef production in the United States, the last few months have exposed just how vulnerable our nation, and in particular critical infrastructure and OT environments, are to cyberattacks.
As our world becomes more digital, interconnected, and perimeter-less in terms of where and how companies conduct business, identity needs to be at the center of every organization’s security strategy. We often hear, “hackers don’t break in, they log in.” Unfortunately, most organizations lack an authoritative source, a key data resource for information that is used to make well-informed decisions about access, for their external workforce or “third parties.” While they grant access to their internal workforce based on their knowledge of each employee, they often have little to no information about the individuals from their external workforce (third parties like vendors, partners, freelancers, supply chain, etc.), yet readily grant them access to the same systems and data.
The continuous increase in high-profile cyberattacks has shown how easy it is for bad actors to infiltrate an organization’s data security infrastructure. Many of these attacks can be linked to an organization’s inability to properly manage access to its systems and data by third-party non-employees, including contractors, partners, supply chains, and even non-human workers like bots and RPA.
According to Ponemon Institute, 51% of organizations have experienced a data breach due to a third party, and a SecZetta survey found 83% of U.S. adults believe organizations are more vulnerable to cyberattacks because of their reliance on third parties. To strengthen their resilience to cybercrime, organizations must manage the identity lifecycle and risk of third-party workers with the same or greater diligence as their employees and ensure zero-trust policies extend to third-party users.
As organizations continue to move forward with their digital transformation initiatives, we can expect to see more cyberattacks that compromise “non-human” worker access. This situation is particularly high risk for organizations, as there is often an exponential number of bots, IoT devices, and RPA that are granted access compared with their human counterparts, and this access is typically privileged, making it much more valuable to a cybercriminal.
Additionally, the total number of human and non-human third parties that are granted access is dramatically expanding the size of an organization’s attack surface, giving cybercriminals a much larger target.
Without an authoritative source of information for third-party individuals, organizations often don’t actually know to whom they have given access; they grant excessive levels of access, provide access to high-risk individuals, and do not remove access once it is no longer needed. What makes this scenario even more problematic for organizations is the scale of the issue. The number of third-party individuals who have access at some organizations is actually exponentially greater than their number of employees. This creates a massive attack surface for bad actors and, as a result, almost immeasurable risk for the organization.
Know Your Third-Party Workforce: According to a 2021 Ponemon Institute study, 65% of organizations have not identified the third parties with access to the most sensitive data of the organization.
Audit Those with Access: Organizations should conduct regular comprehensive user audits to ensure that users have access based on the least privilege, meaning the appropriate privileges for the appropriate resources at that specific point in time. It is also important to search for and remove active accounts for users who no longer need access.
Conduct Risk Ratings and Adjust Privileges Appropriately: While an organization may have carefully reviewed the security controls of a new partner or vendor, they must also assess the risk of each employee from those organizations who request access before access is granted. Risk rating should be a continuous process as risk factors, individual characteristics, and access needs evolve.
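The three recommendations above (know the third-party workforce, audit access against least privilege and remove stale accounts, and rate each individual's risk continuously) can be turned into a repeatable check once an organization keeps an authoritative record per third-party identity. The following Python script is an added example, not code from the interview or from SecZetta or Panther; the record fields, the role baselines, the privileged-entitlement list, the risk weights and the four sample identities are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Entitlements treated as privileged in this hypothetical environment.
PRIVILEGED = {"erp-admin", "domain-admin", "prod-ssh"}

# Assumed least-privilege baseline per third-party role; anything beyond it is excess.
ROLE_BASELINE = {
    "contractor-support": {"vpn", "ticketing"},
    "integration-bot": {"erp-read"},
}


@dataclass
class ThirdPartyIdentity:
    """One record from the (hypothetical) authoritative source for non-employees."""
    user_id: str
    org: str                        # vendor or partner organization
    kind: str                       # "human" or "non-human" (bot, RPA, service account)
    role: str
    sponsor: str                    # internal owner accountable for the access; "" if none
    engagement_end: Optional[date]  # contract end date; None if unknown
    last_login: Optional[date]
    entitlements: set = field(default_factory=set)
    background_check: bool = False
    active: bool = True


def stale_reasons(ident, today, inactivity_days=90):
    """Reasons an active account should be reviewed for removal (empty list if none)."""
    reasons = []
    if not ident.active:
        return reasons
    if ident.engagement_end is not None and ident.engagement_end < today:
        reasons.append("engagement ended")
    if ident.last_login is None or (today - ident.last_login).days > inactivity_days:
        reasons.append(f"no login in {inactivity_days} days")
    if not ident.sponsor:
        reasons.append("no internal sponsor")
    return reasons


def excess_entitlements(ident):
    """Entitlements beyond the least-privilege baseline for the identity's role."""
    return ident.entitlements - ROLE_BASELINE.get(ident.role, set())


def risk_score(ident, today, inactivity_days=90):
    """Additive risk score with assumed weights; returns (score, rating)."""
    score = 0
    privileged = bool(ident.entitlements & PRIVILEGED)
    if privileged:
        score += 3
    if privileged and ident.kind == "non-human":
        score += 2   # privileged non-human access has no person to hold accountable
    if ident.engagement_end is None:
        score += 2   # no known end date means no natural deprovisioning trigger
    if ident.engagement_end is not None and ident.engagement_end < today and ident.active:
        score += 3
    if not ident.sponsor:
        score += 2
    if ident.kind == "human" and not ident.background_check:
        score += 2
    if ident.last_login is None or (today - ident.last_login).days > inactivity_days:
        score += 1
    rating = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, rating


def audit(identities, today):
    """Run all three checks over the records and return the findings."""
    return {
        "stale": {i.user_id: stale_reasons(i, today) for i in identities if stale_reasons(i, today)},
        "excess": {i.user_id: sorted(excess_entitlements(i)) for i in identities if excess_entitlements(i)},
        "risk": {i.user_id: risk_score(i, today)[1] for i in identities},
    }


# Constructed sample records (not real organizations or accounts).
TODAY = date(2024, 10, 1)
SAMPLE = [
    ThirdPartyIdentity("vendor-alice", "AcmeConsulting", "human", "contractor-support", "it-ops",
                       date(2024, 6, 30), date(2024, 9, 1), {"vpn", "ticketing"}, True),
    ThirdPartyIdentity("bot-invoice-sync", "PayCo", "non-human", "integration-bot", "finance",
                       None, date(2024, 9, 30), {"erp-read", "erp-admin"}),
    ThirdPartyIdentity("partner-bob", "LogiPartners", "human", "contractor-support", "",
                       date(2025, 3, 31), date(2024, 3, 15), {"vpn"}, False),
    ThirdPartyIdentity("vendor-carol", "AcmeConsulting", "human", "contractor-support", "it-ops",
                       date(2025, 1, 31), date(2024, 9, 28), {"vpn", "ticketing"}, True),
]

if __name__ == "__main__":
    for section, findings in audit(SAMPLE, TODAY).items():
        print(section, findings)
```

Each finding maps back to a recommendation: the "stale" list is what the access audit should remove or re-certify, "excess" is the gap against least privilege, and the risk rating is recomputed from current attributes on every run rather than assigned once at onboarding. The weights are deliberately simple; what matters is that the inputs (sponsor, end date, entitlements, activity) live in one authoritative record so the check can be rerun on a schedule.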