Like many organizations, we work with third-party vendors to expand our business capabilities. However, third parties don’t necessarily maintain the same security standards and protocols as the organizations they serve. This makes them a prime target for attackers, who may view them as the easiest entryway into the core organization.
As my colleague Jen Waugh wrote in her recent blog outlining how Okta fosters a security culture, the data Okta holds — both our own and that of our customers and partners — and the importance of our products make us a target for cyberattackers.
By proximity, that means the target is also on the backs of our extended workforce: contractors, consultants, vendors, service providers, acquired companies, and partners with physical or logical access to our systems.
Threat actors may see this group (for simplicity, I’ll refer to “contractors,” “third parties,” or “extended workforce” interchangeably) as a comparative weakness in our overall attack surface. Part of my job is making sure our adversaries are mistaken in this assumption by securing our extended workforce with the same safeguards that are in place for our own employees.
In fact, that’s the TL;DR of this post: I recommend that every organization enforce the same strict controls across their entire workforce, both in-house and extended. Of course, defining that objective is just the first step, so I’ll share a few ways in which we at Okta have worked to achieve it.
Before I dive into those details, though, let me first note that every organization should also implement a third-party risk program to drive a comprehensive due diligence process when selecting and monitoring third-party service providers. This topic could be an entire post in itself, but here I’ll simply mention that such a program should include:
- Evaluation of third-party information security controls
- Contractual assurance for third-party security responsibilities, controls, and reporting
Let’s take a closer look at how Okta secures our extended workforce.