Cyber Attack – Are you as protected as you think you are? (Part Six – Vendor Access to Your Network)

October 10th, 2023
Cyber Attack – Are you as protected as you think you are? (Part Six – Vendor Access to Your Network)

Today it seems everything is connected to the internet in some way. At home, you have doorbells, garage doors, TVs, and a myriad of other things. School networks also have a long list of vendors and vendor devices sharing their network. HVAC, transportation apps, security systems, and camera/media systems just to name a few. The question is – While allowing vendors to remotely access their devices via the internet can your vendors ALSO access your internal programs and data? If so, not only is there a risk they could access data that should be confidential, but like an ill person walking into a meeting, their devices and personnel could infect your network with malware and ransomware. You may have made sure your devices are patched and have endpoint protection, but if vendors have access to the same network, that work may be in vain.

If you haven’t specifically taken steps to isolate your vendors’ access, you could be at risk for exposure. The good news is that there are ways to protect yourself.

  • Identify all vendors accessing your network and the type of remote access they have
  • Make sure remote access tools are logged so you can see who has remotely accessed your network and when
  • Require remote access tools to utilize Multi-Factor Authentication (MFA) to authorize access
  • Require the use of VPN for remote access where possible
  • Segregate vendor systems from internal District network resources
  • Avoid authorizing the use of unmonitored remote access tools like LogMeIn or TeamViewer

This week’s suggestion:

  • Talk to your Tech Director about what vendors have access to your network and what measures are currently in place to manage access
  • Talk to your Tech Director about the remote access tools used by vendors and employees
  • Continue (or start) the process of coming into line with the NIST Cybersecurity Framework guidelines

Next week’s bulletin will discuss “Important Information from the Jan 2023 Release of CISA K-12 Cybersecurity Toolkit”

If you would like more information on help with Vendor Access or navigating the NIST CSF journey, please contact Lisa MacDougall at lmacdougall@csiny.com or call 845.897.9480.