The Internet has changed how we do business. Gone are the days when access to your company’s network was only available to people physically in the office. With the rise in remote work and the extensive use of mobile devices, more people require remote access to your network – including third-party vendors.
With the growing number of cyber threats combined with the increasing amount of data companies are storing today, IT security has become complex, and ensuring secure access has become vital.
Our team at VC3 manages the networks of hundreds of businesses, so we’re no stranger to these situations. We’re frequently asked about the best way to safely grant network access to vendors.
Our recommendation is to set up a process to determine which vendors require access and what data they need, regardless of whether your system is in the Cloud or on-premises. Keep in mind that most vendors won’t need access to the whole network.
Let’s explore how to handle giving network access to vendors.
The Challenge: Giving Vendors Secure Network Access
Some vendors require access to your network and your servers to run their software, maintain their products, and troubleshoot any issues. Access is vital, but there’s a delicate balance between security and access.
A study conducted by the Ponemon Institute found that 59% of respondents confirmed that their organizations experienced a data breach caused by a third party.
Third parties (like vendors) need access, but it’s up to your IT department or managed IT services provider to enforce access policies and monitor activity to prevent a breach.
The Solution: Allow Access Through VPN
The most secure way to allow a vendor access to your business network is through a VPN.
A VPN, or Virtual Private Network, is a method to safely connect to your company server from a remote location by simulating a private network over a public network.
It does this by creating a secure tunnel that safely connects remote users to your internal network. It then authenticates and encrypts the traffic being sent and received, ensuring that only those with permission can gain access.
Access with Supervision
The best practice is to only allow a vendor access under your IT team’s supervision. This means that a member of your IT team will monitor the vendor’s activity in your network, which benefits both your company’s security and the vendor.
Supervision ensures that the vendor accesses only the resources they need and that any changes the vendor makes will not negatively affect your company.
The vendor also benefits by having a member of your IT department available. Your IT professional will be able to answer any questions or provide further access if needed.
What About Full Vendor Access to My Network?
You can also give a vendor unsupervised access to your server. If you do, there are some precautions you should take to make sure the remote connection you give the vendor is secure.
It’s best practice to create a user account that will expire after a certain period of time. All too often, a user account is created and forgotten about. This creates a security risk as someone who doesn’t need access anymore can still get in. Setting it up to expire eliminates that risk. And if the account expires and they still need it, it’s no big deal to activate it again.
You’ll also want to limit the user permissions so they can only access the things they need. Access to your data should follow the principle of least privilege, meaning they have no more access than they need.
Have your IT department set the ground rules. Vendors who need this kind of access know the drill and will work with you. Be wary if they aren’t willing to work with your precautions. Chances are you don’t want to work with them anyway.
Lastly, make sure the vendor’s access is as-needed only. It’s better for the vendor to ask for more access than to leave your company exposed.
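The precautions above (an expiring account, least privilege, as-needed access) can be checked routinely against an export of vendor accounts. The following is an added example, not code from VC3; the record fields, the sample accounts and the 90-day maximum window are assumptions made for illustration.

```python
from datetime import date

MAX_WINDOW_DAYS = 90  # assumed policy limit, not a figure from the article

# Constructed sample inventory. "end_date" is the end date agreed in the
# access request; "approved" is what the request covered; "granted" is
# what the account can actually reach. All field names are hypothetical.
ACCOUNTS = [
    {"user": "vendor-hvac", "enabled": True, "created": date(2024, 1, 10),
     "end_date": date(2024, 2, 9),
     "granted": {"hvac-server"}, "approved": {"hvac-server"}},
    {"user": "vendor-erp", "enabled": True, "created": date(2024, 2, 1),
     "end_date": None,
     "granted": {"erp-db", "file-share"}, "approved": {"erp-db"}},
    {"user": "vendor-print", "enabled": True, "created": date(2024, 2, 20),
     "end_date": date(2024, 3, 20),
     "granted": {"print-server"}, "approved": {"print-server"}},
    {"user": "vendor-old", "enabled": False, "created": date(2023, 5, 1),
     "end_date": date(2023, 6, 1),
     "granted": {"file-share"}, "approved": {"file-share"}},
    {"user": "vendor-cctv", "enabled": True, "created": date(2024, 1, 1),
     "end_date": date(2024, 12, 31),
     "granted": {"nvr"}, "approved": {"nvr"}},
]

def audit(accounts, today):
    """Return {user: [issues]} for enabled vendor accounts that break policy."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated, nothing to flag
        issues = []
        end = acct["end_date"]
        if end is None:
            issues.append("no-end-date")            # created and forgotten
        elif end < today:
            issues.append("past-end-date")          # should have been disabled
        elif (end - acct["created"]).days > MAX_WINDOW_DAYS:
            issues.append("window-too-long")        # not really "as-needed"
        extra = acct["granted"] - acct["approved"]  # least-privilege check
        if extra:
            issues.append("excess-access:" + ",".join(sorted(extra)))
        if issues:
            findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, date(2024, 3, 1)).items():
        print(user, issues)
```
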
Are You Sure You’re Secure?
However you choose to give a vendor access, make sure that there are policies and steps in place. Work with your IT department or managed IT services provider to verify and approve vendor access so that the wrong access is not given.
If you’re not sure how your IT department handles vendor requests for network access, ask for details. If you need an objective look into how you’re managing cyber risk, contact us to schedule a security and risk assessment.