Would you let 89 people access your home computer network every week without a strong verification system proving they, and processes they used to do so, were trustworthy? Would you want to know if they were passing their access to your home computer network on to others? And, that the equipment they themselves use is secure?
Most likely the answer to the first question would be “No”, and anyone who answered “Yes” would also answer “Yes” to the rest. You wouldn’t give people access without strong verification. You would want to know what is going on, at all times.
However, according to the research recently conducted by Bomgar in their “Vendor Verification Index” * this is exactly what is happening across industries around the world: On average, 89 vendors are accessing a company’s network every single week.
Just under half (44%) of those surveyed reported an ON/OFF approach to vendor access, rather than employing varying levels of access for different vendors.
This equates to roughly every other company simply welcoming vendors into their entire network or shutting them out completely. This is a wildly risky approach. Most vendors do not need access to the entirety of your network, and vendors should only be given access to specific systems or applications based upon the services they provide to your organization. This should be supplemented with bespoke logins, company credential policies and secure remote access tools.*
Note: The Index was produced on the basis of responses from 608 decision-makers involved in the processes that allow external parties to connect to a company’s internal systems. The responses include a wide range of industries including retail, manufacturing, healthcare, the public sector and others, based in the UK, the US, Germany and France.
Trust and don’t verify?
Some of the most striking findings shine a light on the gap between the degree of trust placed in vendors and the systems on which that trust is based. They give the impression that people are, for the most part, worried, and that they mostly hope their companies will not be affected by breaches such as this one:
Last year’s hack of the federal Office of Personnel Management (OPM), for example, was made possible when hackers obtained a credential used by KeyPoint Government Solutions, a third-party contractor that conducts background investigations of applicants for federal jobs that require a security clearance….**
Supply chain integration
The explosion of outsourcing is now so widespread and complex that many companies find it hard to stay aware of exactly who their vendors are, especially when multiple supply-chain tiers can significantly impact material characteristics.
Unless they have invested in a system that includes supply chain visibility, they may have no idea who supplies the 1st tier, or who, in turn, supplies those suppliers. In short, they don’t really know who is feeding their manufacturing processes. They assume that the 1st tier is managing all of its suppliers in a responsible way, and each of those suppliers makes the same assumption about its own 1st tier suppliers.
The infamous Target data breach in 2013 started when hackers stole a network login from an HVAC contractor working for Target Corporation. According to the investigation, an HVAC supplier to Target, Fazio Mechanical Services, opened the door to the breach by opening a phishing e-mail. They didn’t detect the malware because they were using a free malware detection program (geared to individuals) with no real-time protection. As a result, an intruder was able to steal the vendor’s credentials and use them to access the company’s payment systems.
Many are placing too much trust in the vendors they work with. An astonishing 92% of respondents say they trust vendors completely or most of the time. But there is a growing realization that, when granting a vendor access to your network, this decision needs to be based on more than just blind faith.
Cyber protection experts now say that well-organized hackers routinely research the contractors and suppliers of companies, looking for electronic access points where the company may be vulnerable. The Vendor Vulnerability Index brings to light some eye-opening statistics that should change these perspectives.
More than two-thirds (67%) of respondents believe that they tend to trust vendors too much. Organizations need robust controls and checks to mitigate the security risk of vendors. Do you know what technology and tools third parties are using to access your networks? Can you see when they’re accessing your systems and what they’re doing? Are your vendors sharing simple passwords among employees, or employing security best practices such as multifactor authentication and credential rotation?
In the current climate, it is no longer enough to simply trust that a vendor has the security policies in place to defend against threats.***
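The ON/OFF access model criticised above, set beside a per-vendor scoped model that also enforces the MFA and credential-rotation checks the questions raise, evaluated over constructed access attempts. This is an added example, not code from the article, Bomgar or GSQA; the vendor names, system names and policy values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass(frozen=True)
class VendorPolicy:
    vendor: str
    allowed_systems: frozenset          # only the systems the vendor's service requires
    require_mfa: bool = True
    max_credential_age_days: int = 90   # credential-rotation policy

@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    account: str                        # bespoke per-vendor login, never a shared one
    system: str
    mfa_passed: bool
    credential_age_days: int

def on_off_decision(trusted_vendors, req):
    """ON/OFF model: a trusted vendor reaches every system, anyone else reaches none."""
    return req.vendor in trusted_vendors

def scoped_decision(policies, req, audit):
    """Per-vendor model: scope, MFA and credential age are checked and every attempt is logged."""
    policy = policies.get(req.vendor)
    if policy is None:
        reason = "unknown vendor"
    elif req.system not in policy.allowed_systems:
        reason = "system outside vendor scope"
    elif policy.require_mfa and not req.mfa_passed:
        reason = "MFA not satisfied"
    elif req.credential_age_days > policy.max_credential_age_days:
        reason = "credential overdue for rotation"
    else:
        reason = "allowed"
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "vendor": req.vendor,
                  "account": req.account, "system": req.system, "reason": reason})
    return reason == "allowed"

# Constructed sample policies and access attempts (hypothetical vendors and systems).
POLICIES = {"hvac-co": VendorPolicy("hvac-co", frozenset({"building-mgmt"})),
            "qa-lab": VendorPolicy("qa-lab", frozenset({"quality-portal"}))}
ATTEMPTS = [AccessRequest("hvac-co", "hvac-co-svc1", "building-mgmt", True, 30),
            AccessRequest("hvac-co", "hvac-co-svc1", "payment-systems", True, 30),  # out of scope
            AccessRequest("qa-lab", "qa-lab-user7", "quality-portal", False, 10),   # no MFA
            AccessRequest("qa-lab", "qa-lab-user7", "quality-portal", True, 120)]   # stale credential
def compare_models():
    """Return (on_off, scoped) decisions per attempt plus the audit trail the scoped model wrote."""
    audit = []
    decisions = [(on_off_decision({"hvac-co", "qa-lab"}, r), scoped_decision(POLICIES, r, audit)) for r in ATTEMPTS]
    return decisions, audit
```

The ON/OFF model admits all four attempts, including the HVAC account reaching the payment system; the scoped model admits only the first and records a reason for each refusal.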
Hard choices: integration or security?
On the one hand, using all the state-of-the-art tools available neutralizes the barriers of time and space by creating instant communication. On the other hand, it transforms loosely coupled links into smooth, reduced-barrier pipelines which lead straight into the heart of a company. To disrupt this flow is to reduce efficiency. To increase the flow is to become a potential target.
Closing down a potential channel for illegal access
There may not be a way of “locking down” all access from vendors, but it is possible to reduce vulnerabilities that come with quality assurance systems through which vendors send the increasing volumes of digital documentation currently required.
How can a system that is designed to connect a company to its suppliers be protected from such a breach without losing the advantages of integration and visibility?
One way to protect the company from security breaches is to make sure that the interface takes place outside the company’s firewall. For example, EMNS’s supplier quality management system GSQA® is “Software as a Service” (SaaS).
The SaaS platform exists outside the client company’s firewall.
“Interoperating” outside the company’s firewall
Suppliers and vendors “interoperate” with the SaaS platform for all initial and ongoing material or services approval processes.
The platform also handles regulatory document submittals, certifications required by the company, material quality certificates, and the interactions required to resolve non-conformances.
All GSQA® data exchanges are performed by batch transfers to an enterprise’s internal systems in specified formats that are matched to the function of the data.
Quality assurance based on this system can in no way facilitate the kinds of data breaches that Target suffered.
Suppliers never enter your system
At GSQA®, we assume that everyone is a supplier to someone in the value chain. The boundary between “inside” and “outside” the company is more porous than we may assume. GSQA® allows companies to track material quality and performance both outside as well as inside production facilities. In this concept, each phase of an extended manufacturing process is treated as a supplier to the next phase.
However, all this activity is performed in a way that sequesters your requested data, whether it is coming from outside vendors, co-manufacturers, distributors or from origins that are invisible in a multi-tier supply chain. Even your own feeder plants and in-house production facilities can interoperate via the asynchronous GSQA®-managed file transfer technology.
This means that when supply chain members (both external and internal) use GSQA®, they are integrated at the level of materials performance tracking, process and supplier comparisons, and traceability.
The integration takes place inside the GSQA® system, not within your internal systems. Suppliers never “enter” your system.
Vendors submit their information to GSQA®, where it is sequestered in a data center that meets the nuclear industry standard. You access your data in the same way, through your plant’s GSQA® browser interface. No supplier has direct access to your company’s servers.
GSQA® has no direct access to your company’s servers.
However, both you and your suppliers have access to GSQA® and its powerful capabilities in a neutral environment. With GSQA® you, in fact, acquire an “Outsourced IT Department” without exposing any of your internal systems to the multi-tier, multi-member supply chain that contributes to your products.
Companies are caught between two imperatives: maximum integration and efficiency on the one hand, and security on the other. GSQA’s Software as a Service solution to global supply quality assurance can fulfill both requirements. Using the system, the vulnerabilities described in the Vendor Vulnerability Index are greatly reduced.