Third-Party Risk Management at Macmillan Cancer Support

October 12, 2021

Security expert Tim O’Neill worried about the access that third parties had to Macmillan Cancer Support’s sensitive systems and data. “Third parties often come in to fix issues, so they may need access all over the network,” he recognized, “but you have to be careful because bad actors often use third-party access to mount attacks.”

Once third-party users were in the Macmillan IT environment, they had too much freedom to move around. Lack of Privileged Access Management (PAM) and multi-factor authentication (MFA) for third parties ran counter to security best practices and compliance standards such as PCI and ISO 27001. Plus, setting up and managing third-party accounts was a time-consuming process. They required VPN access, which slowed down productivity and increased costs. 

Rise of third-party cyber attacks increases risk 

Macmillan’s situation is a common one, especially as reliance on third parties working remotely has spiked during the pandemic. As third-party privileged access increases, so does risk. Over half of businesses have suffered a data breach caused by a third party, according to a report by the Ponemon Institute. Last year, three-quarters of data breaches were the result of giving too much privileged access to third parties.

Several high-profile breaches over the past year have raised awareness of third-party risk. 

  • Cyber criminals exploited vulnerabilities in Accellion’s File Transfer Appliance, exposing private data such as Social Security numbers and banking information. Victims throughout Accellion’s supply chain are piling up.
  • Enterprise password manager Passwordstate was breached when attackers exploited the app’s update mechanism to deliver malware to customers.
  • Elekta, the third-party cloud-based storage provider of Cancer Centers of Southwest Oklahoma, was breached, impacting more than 68,000 patients. A class action lawsuit claims that the breach prevented or delayed treatment for many cancer patients across the United States.

PAM strategies to reduce third-party risk 

O’Neill was charged with reducing the risk of cyber attack. He knew the situation had to change. Last year, the organization adopted ThycoticCentrify’s privileged access management solution, including vaulting, password rotation, and session management for third parties. 

Now, third parties are granted access to Macmillan’s IT systems via the PAM platform, for centralized control and oversight. Users don’t even see their access credentials, eliminating the risk of sharing or reusing passwords. Multi-factor authentication provides an additional layer of protection by confirming users are who they say they are. 

Access to Macmillan’s environment is tightly controlled. Third parties have access only to specific machines assigned to them, so they can’t move laterally within the system. To eliminate standing access, Macmillan now sets a limited amount of time for third parties to retain their privileges. Third-party activities are monitored and recorded, providing an audit trail in the case of any cyber incident. 
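As an added illustration (not Macmillan's or ThycoticCentrify's code), here is a minimal Python model of the controls described above: the vendor account is scoped to assigned machines, the grant expires, MFA is required, the vaulted credential never reaches the vendor, and every decision is written to an audit trail. The broker, vault contents, vendor and host names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Host-scoped, time-boxed access for one vendor account: no standing access."""
    vendor: str
    hosts: frozenset
    expires_at: datetime

@dataclass
class AccessBroker:
    # Hypothetical vault: target host -> credential. It never leaves the broker;
    # the vendor only receives an opaque session id.
    vault: dict
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    sessions: int = 0

    def request_session(self, vendor, host, mfa_verified, now):
        """Return (allowed, detail). Every decision, allowed or denied, is logged
        so an incident reviewer can reconstruct who reached which machine."""
        allowed, detail = self._evaluate(vendor, host, mfa_verified, now)
        self.audit.append({"at": now.isoformat(), "vendor": vendor,
                           "host": host, "allowed": allowed, "detail": detail})
        return allowed, detail

    def _evaluate(self, vendor, host, mfa_verified, now):
        if not mfa_verified:
            return False, "mfa required"
        in_scope = [g for g in self.grants if g.vendor == vendor and host in g.hosts]
        if not in_scope:
            return False, "host not assigned to vendor"  # blocks lateral movement
        if all(now >= g.expires_at for g in in_scope):
            return False, "grant expired"
        # A real broker injects self.vault[host] into the session here; we only
        # hand back an id, so the vendor cannot share or reuse the password.
        self.sessions += 1
        return True, f"session-{self.sessions}"

def demo():
    # Constructed scenario: one vendor, one assigned host, a two-hour grant.
    now = datetime(2021, 10, 12, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker(vault={"db-01": "vaulted-secret"})
    broker.grants.append(Grant("acme-support", frozenset({"db-01"}), now + timedelta(hours=2)))
    return [
        broker.request_session("acme-support", "db-01", True, now),
        broker.request_session("acme-support", "db-02", True, now),
        broker.request_session("acme-support", "db-01", False, now),
        broker.request_session("acme-support", "db-01", True, now + timedelta(hours=3)),
    ], broker
```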

The process of setting up third-party access is also more efficient. Costs are down, without the expense of VPN licenses, and third parties are up and running in minutes. 

The transition to PAM has been a significant step in the cyber security strategy for Macmillan, according to O’Neill. 

“Today, we’re far more effective at protecting the organization. We’re better protecting our patients at possibly the most difficult point in their lives. We’re protecting our employees against executing tasks that might have unintended consequences.” 


This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.