Businesses increasingly rely on third-party apps to leverage powerful communication, collaboration, and technology-driven tools. The best known is Slack, a popular instant messaging platform. Asana is another popular third-party app focused on work project management; its goal is to streamline internal workflows.
While there can be great benefits to third-party software, it also places companies at greater risk of cyberattacks. Here’s what you need to know:
What are Third-Party Apps?
Third-party work apps, or software-as-a-service (SaaS), offer a wide range of functionality for workers. Slack and Asana are well-known, but many others enjoy adoption for capabilities like remote video conference tools, accounting and finance tools, HR & legal services, and more.
If you can imagine a desired functionality, there’s probably a third-party app that provides it.
With the adoption of cloud-based technology, many businesses and organizations store much of their data on servers owned and operated by app companies, instead of internal servers where they would have more oversight. While this greatly enhances productivity (having data accessible from multiple devices rather than tied to a specific location means better collaboration), it also means that an organization’s data is only as secure as its app providers care to make it.
The Risks of Third-Party Apps:
Every third-party app will request specific permissions when connecting to a SaaS environment. These permissions are tagged as low, medium, and high risk, based on the type of permissions the application requests to do its job.
These permissions can be extensive and, in some cases, excessive. For instance, many apps are granted full access to mailboxes and can send email on behalf of a user (e.g., delivering automated follow-ups to a business’s target clients). Other apps can create, delete, transfer, and store sensitive data, including corporate secrets.
Thus, while it may feel safe for a business to consolidate its data in third-party apps, excessive permissions can create unnoticed vulnerabilities and expand the attack surface. If an employee’s account on a third-party app is taken over by a threat actor, the enterprise’s data can be stolen, sold, encrypted, or published.
For example, in 2013, Target suffered a successful cyber attack. Employee credentials were stolen from the retailer’s third-party software vendor, which allowed the threat actor to gain access to sensitive personal customer data, including names, phone numbers, email addresses, credit card numbers and credit card verification codes. In this case it wasn’t Target’s own security measures that were compromised; the retailer was only as secure as its vendor, and was compromised as a result.
How Should Companies Better Protect Their Data?
Third-party apps can be a blind spot when it comes to a business’s attackable surface. Many companies assume third-party apps are secure, failing to test for vulnerabilities that may exist within the software, or they simply lack the adequate processes or tools to make sure best practices are in place and being implemented.
To protect against cyber threats, monitoring the third-party applications linked to SaaS environments must remain at the forefront of an organization’s security measures. Creating a review and approval program for their permissions and access is a start, but if you’re unsure where to begin, it may be time to hire a consultant.
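As an added example (not code from the original article or any vendor), the script below shows how the low/medium/high permission tiers described under "The Risks of Third-Party Apps" can drive the review and approval program this section recommends. The scope names, tier assignments and app inventory are all constructed placeholders; real SaaS providers use their own scope identifiers, and a real program would export the inventory from the tenant's admin console or API.

```python
"""Tier the permissions granted to third-party apps and flag grants that need review.

Everything here is constructed for illustration: the scope names, the
scope-to-tier mapping and the app inventory are hypothetical, not taken
from any real SaaS provider or tenant.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed mapping of permission scope -> risk tier. The tiers follow the
# article's low/medium/high scheme: read-only profile data is low, write
# access to shared content is medium, and anything touching mailboxes or
# administration is high.
SCOPE_TIERS = {
    "profile.read": "low",
    "calendar.read": "low",
    "files.read": "medium",
    "chat.write": "medium",
    "mail.readwrite": "high",   # full mailbox access
    "mail.send": "high",        # can send email on behalf of the user
    "files.readwrite": "high",  # create, delete and transfer documents
    "admin.directory": "high",
}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class AppGrant:
    """One third-party app's grant in the tenant (constructed record shape)."""
    app_name: str
    scopes: list[str]
    approved: bool = False   # has a documented review/approval on file
    user_count: int = 0      # how many users actually use the grant


def scope_tier(scope: str) -> str:
    # Fail closed: a scope nobody has classified yet is treated as high
    # until the review program assigns it a tier.
    return SCOPE_TIERS.get(scope, "high")


def app_tier(grant: AppGrant) -> str:
    """An app's tier is the highest tier among the scopes it holds."""
    return max((scope_tier(s) for s in grant.scopes),
               key=TIER_RANK.__getitem__, default="low")


def review_findings(grants: list[AppGrant], approved_cap: str = "medium"):
    """Return (app_name, tier, reason) for every grant that needs attention.

    approved_cap is the highest tier an app may hold without a documented
    approval; anything above it must have approved=True.
    """
    findings = []
    cap = TIER_RANK[approved_cap]
    for g in grants:
        tier = app_tier(g)
        unknown = sorted(s for s in g.scopes if s not in SCOPE_TIERS)
        if unknown:
            findings.append((g.app_name, tier,
                             "unclassified scopes: " + ", ".join(unknown)))
        if TIER_RANK[tier] > cap and not g.approved:
            findings.append((g.app_name, tier,
                             "high-risk grant lacks documented approval"))
        if g.user_count == 0:
            findings.append((g.app_name, tier,
                             "granted but unused; candidate for revocation"))
    return findings


# Constructed inventory: four hypothetical apps connected to a tenant.
INVENTORY = [
    AppGrant("team-chat", ["profile.read", "chat.write"], approved=True, user_count=120),
    AppGrant("sales-followup", ["mail.readwrite", "mail.send"], approved=False, user_count=8),
    AppGrant("doc-sync", ["files.readwrite", "profile.read"], approved=True, user_count=0),
    AppGrant("new-widget", ["widget.everything"], approved=True, user_count=3),
]

if __name__ == "__main__":
    for app, tier, reason in review_findings(INVENTORY):
        print(f"{app:<16} {tier:<7} {reason}")
```

Running the script reports the mailbox-access app that was never approved, the document-sync app that nobody uses, and the app holding a scope the program has not yet classified. Treating unknown scopes as high risk is the deliberate design choice here: an approval process that silently defaults new permissions to "low" recreates exactly the blind spot the article warns about.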