Third-Party Vendor Access: The Most Overlooked Aspect of Network Security

05 Feb 2019

Retail stores are in the throes of an exciting renaissance. Thanks to a sharp uptick in IT investment in stores, shoppers can enjoy a more compelling, data-fueled experience. Associates get the satisfaction of offering real value to the customer and retailers can shift labor to sales as automation takes care of checkout and replenishment.

The only area that feels chills rather than thrills about this next-gen store is IT security. All those network-connected devices add considerable risk of data exposure, as do all the new vendors that come along with them: integrators, help desks, cloud providers, service teams, and so on.

That’s why it has never been more essential that retailers stay on top of network access protocols and thoroughly understand every party’s own approach to ensuring both physical and virtual security.

Network Access Everywhere

The range of new network-connected devices is broad: associate mobile devices, beacons and other IoT devices, kiosks, WiFi printers, AR/VR equipment, IP cameras, consumer smartphones, digital displays, and more. To do their magic in collecting and delivering data, all must access the corporate or store domain. Many retailers have wisely deployed strong processes, firewalls, unified threat management (UTM) appliances and other measures to keep outsiders from entering networks via these new devices.

However, third-party service providers are not nameless attackers. To do their work, these providers are granted credentials to access networks, beyond the reach of perimeter security. Even if data is locked down and virtually secured, many still have physical access as part of their work, and can easily slip a micro SD card into a device to load or collect data.

Imagine this scenario: A subcontractor to a major systems integrator hires Joe Nobody to help install new ordering kiosks at a major fast food chain. The integrator’s subcontractor doesn’t perform background checks on their techs, and the tech takes the opportunity to load in code to open ports or capture keystrokes. Now that tech can remotely access the network later, or record customers’ card data, leading to embarrassing and costly breaches and unwanted headlines.

Taking a Deeper Look

Retailers are wary of increased risks and the damage of breaches like this. In addition to investing in more network security, many are including detailed security questions in their RFPs and dispatching IT security professionals to check out new vendors. But too often they are inadvertently leaving gaps in their approach to vetting third-party providers.

To lower the risk posed by new providers accessing retail networks, retailers should:

1) Examine shared security policies between the retailer and vendor. Both the retailer and the provider must agree on security protocols and processes for network access. Often retailers ask potential partners to complete detailed questionnaires, then identify gaps and break those down into must-haves and punch-list items to address later.

Technology is evolving faster than many questionnaires are updated, and more and more solutions designed to bring data to the customer require access to multiple back-end and third-party systems. It’s critical to consistently revisit the questionnaire to keep up with evolving technology and threat vectors. Check out CISSP and COBIT for ideas on what robust security policies should include.

2) Share data and security audit results. Retailers must often undertake security audits to satisfy insurance and PCI requirements. However, vendors accessing the network introduce additional exposure. Retailers should ask to see the results of vendors’ own security audits, both physical and virtual. Physical security is one of the most overlooked aspects of a vendor’s IT security stance. If a vendor is performing centralized staging of a retailer’s equipment in their facility, or even storing it there for rollout, they should prove that access to those buildings is controlled.

To maintain several of our certifications, Level 10 must undergo monthly internal and external penetration testing and wireless access and physical security audits ― and we share results with customers, providing assurance that our security is current and working.

3) Perform due diligence at the outset and repeat annually. Too often the start of the relationship is the only time retailers take a deep look at their vendors’ security. But it’s a moving target, so true due diligence requires not just updating the questionnaire, but regularly re-administering it to current vendors. Be sure to go beyond just immediate partners: are your vendors’ subcontractors, and their subcontractors in turn, background checked and in compliance with security protocols?

Today’s store IT environments are on par with corporations in their complexity and the risks they pose for unwanted access to sensitive data deep within the organization. Level 10 is committed to beyond-the-standard levels of security to protect our customers and our business. We believe a thorough and careful approach to protecting your network is mission-critical for today’s powerful but vulnerable retail IT architecture.