How to Give Vendors Network Access Without Compromising Security
The Internet has changed how we do business, and along with everything else that your IT department does, they have the challenge of keeping your network safe. With the growing number of cyber threats combined with the increasing amount of data companies are storing today, the job of IT security has become complex, and some risky situations, like giving vendors access to your network, can get overlooked.
Our team at Accent Computer Solutions, Inc. manages networks for over 100 businesses in Southern California, so we are no stranger to these types of situations. We’re frequently asked about the best way to safely grant network access to vendors.
Our recommendation is to set up a process to determine which vendors require access and what data they need, regardless of whether your system is in the Cloud or on-premise . Keep in mind that most vendors won't need access to the whole network.
So, how do you set it up? What’s the best way to communicate the do’s and don’ts to the vendor? Let’s explore how to handle giving network access to vendors.
The Challenge: Security and User Access
Some vendors will require access to your network and your servers to run their software. In order for them to maintain their product and troubleshoot any issues, access is vital but there's a delicate balance between security and access.
Based on a study “63% of the 450 data breaches were linked to a third-party component of IT system administration” – Trustwave
Third-parties like vendors need access but it’s up to your IT department or managed IT service provider to enforce access policies and monitor activity.
The Solution: Access with Supervision
The best practice would be to only allow a vendor access under your IT team’s supervision. This means that a member of your IT team will monitor the activity that the vendor will perform in your network. This benefits both your company’s security and the vendor.
This assures that the vendor is only accessing resources that they need. It also helps make sure that changes that are going to be made will not negatively affect your company.
This, however, is a two-way street, in a great way. The vendor also benefits by having a member of your IT department available. Your IT professional will be able to answer any questions or provide further access if needed.
What About Full Vendor Access to My Network?
You can also provide unsupervised access to your server to a vendor. If you do, there are some precautions you should take to make sure the remote connection you provide the vendor is secure.
For example, only allow connections that are encrypted. A safe way to do so is with a VPN connection. This allows connection from a particular remote connection only, creating a secure tunnel to your network.
It’s also best practice to create a user account that will expire after a certain period of time. It’s all too common that a user account is created, then forgotten about. This creates a security risk that someone who doesn’t need access anymore can still get in. Setting it up to expire eliminates that risk. If the account expires and they still need it, it’s no big deal to activate it again.
In addition, limit the user permissions so they can only access the things they need. Access to your data should be on a need-to-know basis.
Have your IT department set the ground rules. Vendors who need this kind of access know the drill and will work with you. Be wary if they aren't willing to work with your precautions. Chances are you don't want to work with them anyway.
Last but not least make sure that the access the vendor has is as needed only. It’s better for the vendor to ask for more access than to leave your company exposed.
Whichever way you chose to give a vendor access, make sure that there are policies and steps set in place. Work with your IT department or managed IT services provider to verify and approve vendor access so that the wrong access is not given.
Are You Sure You're Secure?
If you're not sure how your IT department is handling vendor request for network access, go ask them about it right now. If you find that you need an objective look into how you're managing you're managing the risk of cyber crime, contact us to schedule a security and risk assessment.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.