In 2020, a large technology vendor that provides services to the Public Sector suffered a substantial cyber-attack that affected a significant portion of the company’s critical IT assets. More concerning, several clients of this organization reported suspicious logins to their own technology networks.
A recent survey of cybersecurity professionals showed that roughly 60% of breaches can be attributed to third-party remote access. As you know, most businesses need to permit, and have permitted, key business partners to access critical IT systems remotely. This is usually done to provide fast and efficient support of those systems. It could be a vendor partner that needs access to financials to run payroll, or a third-party IT service provider that accesses systems to apply updates. Regardless of the requirement, every form of remote access provided to an outside party is a potential risk.
As part of ongoing risk management, companies should evaluate the remote access that has been given over time to make sure any vulnerabilities are minimized. Questions that should be asked of vendors in order to determine the level of risk include:
- Are employees of the vendor required to have complex passwords for access to the remote tool? And are passwords required to be changed on a frequent basis?
- Is multi-factor authentication required for log-ins to the remote tool by vendor staff?
- Does the remote tool have auditing and logging capabilities to review any activity that takes place using the service?
- Does somebody at the company have the ability to allow or deny remote access, or is access given without any specific consent?
- Is the remote connection encrypted end-to-end?
In addition, companies should review their offboarding policies to ensure that any remote tools that may have been used by vendors (or staff) are removed when a relationship is terminated. Remote access should only be facilitated via secure technologies that are designed to be used within a highly secure business environment.
Evaluating remote access as part of an ongoing vendor management program can certainly help minimize the risk of unauthorized access. If you’re currently planning your next IT Risk Assessment, I would strongly consider including an analysis of the current remote access tools as part of your evaluation, to determine whether changes should be made.