Businesses increasingly rely on third-party apps to leverage powerful communication, collaboration, and technology-driven tools. The best known is Slack, a popular instant messaging platform. Asana is another popular third-party app focused on work project management; its goal is to streamline internal workflows.
While there can be great benefits to third-party software, it also places companies at greater risk of cyberattacks. Here’s what you need to know:
What are Third-Party Apps?
Third-party work apps, or software-as-a-service (SaaS), offer a wide range of functionality for workers. Beyond Slack and Asana, there are apps for remote video conferencing, accounting and finance, HR and legal services, and more.
If you can imagine a desired functionality, there’s probably a third-party app that provides it.
With the adoption of cloud-based technology, many businesses and organizations increasingly store their data on servers owned and operated by the app companies instead of internal servers where they would have more oversight. While this greatly enhances productivity (having data accessible from multiple devices rather than tied to a specific location means better collaboration), an organization’s data is only as secure as its app providers.
The Risks of Third-Party Apps:
Every third-party app will request specific permissions when connecting to a SaaS environment. These permissions are tagged as low, medium, and high risk, based on the type of permissions the application needs to do its job.
The permissions can be extensive, and even excessive. For instance, many apps request access to mailboxes and can send emails on behalf of a user (e.g., deliver automated follow-ups to a business’s target clients). Other apps can create, delete, transfer, and store sensitive data, including corporate secrets.
While it may seem safe for a business to merge and house its data in third-party apps, risky permission capabilities may create unnoticed vulnerabilities and expand its attack surface. If an employee’s account on a third-party app is taken over by a threat actor, an enterprise’s data can be stolen, sold, encrypted, or published.
In 2013, Target suffered a successful cyber attack that helps illustrate the issue with third-party apps. Employee credentials were stolen from the retailer’s third-party software vendor, which allowed the threat actor to gain access to sensitive personal customer data, including names, phone numbers, email addresses, credit card numbers and credit card verification codes. In this case, it wasn’t Target’s security measures that were compromised directly; Target was as vulnerable as its vendor and was compromised as a result. A third-party app that suffers a compromise could mean all its users also experience a compromise, which makes these apps an attractive target for hackers and is another factor businesses might consider before adopting them in the workplace.
How Should Companies Better Protect Their Data?
Third-party apps can be a blind spot when it comes to a business’s attack surface. Many companies assume third-party apps are secure and fail to test for vulnerabilities that may exist within the software, or they simply lack adequate processes or tools to make sure best practices are in place and being followed.
To protect against cyber threats, monitoring the third-party applications linked to SaaS environments must remain at the forefront of an organization’s security measures. Creating a review and approval program for their permission capabilities and access is a start, but if you’re unsure where to begin in becoming more cyber secure, it may be time to hire a consultant.
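A review and approval program like the one described above can begin as a script run over an inventory of app grants. The following is an added example, not part of the original article: the scope names are real Microsoft Graph delegated permissions, while the low/medium/high tier given to each, the app inventory, the `Vendor.Custom` scope and the review policy are constructed assumptions.

```python
# Added example: triage third-party app grants by permission risk.
# Scope names are real Microsoft Graph delegated permissions; the tier
# assigned to each one is an assumption made for this illustration.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

SCOPE_TIERS = {
    "User.Read": "low",             # sign in and read the user's own profile
    "Calendars.Read": "medium",     # read calendar entries
    "Mail.Read": "high",            # read the user's mailbox
    "Mail.Send": "high",            # send email on behalf of the user
    "Files.ReadWrite.All": "high",  # create, change and delete reachable files
}

# Constructed inventory: app names, user counts and Vendor.Custom are made up.
GRANTS = [
    {"app": "example-notes", "scopes": ["User.Read"], "users": 212, "approved": True},
    {"app": "example-followups", "scopes": ["User.Read", "Mail.Send", "Mail.Read"],
     "users": 37, "approved": False},
    {"app": "example-scheduler", "scopes": ["Calendars.Read", "User.Read"],
     "users": 90, "approved": False},
    {"app": "example-sync", "scopes": ["Files.ReadWrite.All", "Vendor.Custom"],
     "users": 4, "approved": True},
]

def app_risk(scopes):
    """Return (tier, scopes driving that tier); unknown scopes fail closed as high."""
    tiers = {s: SCOPE_TIERS.get(s, "high") for s in scopes}
    top = max(tiers.values(), key=RISK_ORDER.__getitem__, default="low")
    return top, sorted(s for s, t in tiers.items() if t == top)

def review_queue(grants):
    """Assumed policy: review every unapproved app, and re-review approved high-risk apps."""
    queue = []
    for g in grants:
        tier, drivers = app_risk(g["scopes"])
        if not g["approved"] or tier == "high":
            queue.append({"app": g["app"], "tier": tier, "drivers": drivers,
                          "users": g["users"], "approved": g["approved"]})
    # Highest tier first, then widest user exposure.
    queue.sort(key=lambda r: (-RISK_ORDER[r["tier"]], -r["users"]))
    return queue

if __name__ == "__main__":
    for row in review_queue(GRANTS):
        print(f'{row["tier"]:6} {row["app"]:18} users={row["users"]:<4} '
              f'approved={row["approved"]} because {", ".join(row["drivers"])}')
```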