20 Sep 2022
Avoiding the Vulnerable App Trap with Third-Party Application Auditing


Apps are an integral part of our everyday lives. We use apps to check the weather forecast, order takeout or delivery from local restaurants, and follow our favorite sports teams. While many apps we use are first-party applications, others come from third parties like DocuSign, LumApps, and Mailmeteor, among others¹. They serve a variety of functions, from quick eSignature integration to sending thousands of personalized emails simultaneously¹. However, installing and using third-party apps brings its fair share of risks.

Consider General Electric’s 2020 data breach, for example. ISACA outlines that with security measures lacking for both GE and Canon Business Process Services, its third-party partner, the breach exposed 200,000 current and former employees’ personal and health benefits records². This is not a favorable outcome for any business, let alone a global powerhouse. 

Of course, the dangers of using third-party apps are not just limited to multinational corporations like GE. They can be hazardous to your business as well, particularly regarding the level of access your employees have to corporate data³. For example, suppose you work for a company with a bring-your-own-device (BYOD) policy³. You extensively use your iPhone to access your Gmail account and Google Drive documents, but then you decide to install a third-party app requesting permission to access your Google account during the installation process³. Now, place yourself in the employer’s shoes and ask, “How do I protect my business from falling into the trap of vulnerable third-party apps?” 

Enter third-party application auditing. This process allows network administrators to act on multiple third-party applications that users or other admins have installed within their domains, either by revoking or approving access⁴. In this article, we will learn more about third-party app auditing and its benefits for your business.  

A third-party apps audit allows administrators to approve or revoke access to certain apps by organizing them into three distinct categories: (1) Block List, (2) Allow List, or (3) Unresolved⁴. The Block List revokes access to applications for all users who install a particular app, even if they uninstall and subsequently reinstall it⁴. However, the Allow List serves the opposite purpose⁴. It enables users on the domain to use and install the application⁴. Meanwhile, if you list apps as Unresolved, you have not yet reviewed them for placement either on the Allow or Block list⁴. 

Remember that before auditing, there are several vital steps you must take. First, take note of any installed third-party applications on your domain, then narrow the search to the ones that have requested and/or been granted access to your Gmail or Google Drive account⁵. Those accounts store your sensitive information and important data, so it’s crucial to be sure you can trust any applications that have been granted access. One way to determine if an application has malicious intentions is to consider if the permission request is fitting for the app’s purpose; as an example, games that ask for access to Google Drive may not be trustworthy⁵. You should also evaluate new applications daily and decide whether to whitelist or blacklist each app⁵. 
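As an added illustration (not code from navitend or from any of the cited vendors), the triage described above can be sketched in Python: keep only the grants that reach Gmail or Drive, flag apps whose access does not fit their purpose, and sort each app into the Block List, Allow List, or Unresolved. The app names, record fields, and the category-to-service policy are constructed for the example.

```python
# Added example; all records are constructed sample data, field names are assumptions.
SENSITIVE_PREFIXES = {
    "https://mail.google.com/": "gmail",
    "https://www.googleapis.com/auth/gmail": "gmail",
    "https://www.googleapis.com/auth/drive": "drive",
}
# Hypothetical policy: sensitive services each app category plausibly needs.
EXPECTED = {"esignature": {"drive"}, "mail-merge": {"gmail", "drive"}, "game": set()}

GRANTS = [
    {"app": "ExampleSign", "category": "esignature", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"app": "PuzzleQuest", "category": "game", "user": "raj@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "PuzzleQuest", "category": "game", "user": "ana@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"app": "MeetNotes", "category": "calendar", "user": "li@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"app": "BulkMailer", "category": "mail-merge", "user": "raj@example.com",
     "scopes": ["https://mail.google.com/"]},
]

def sensitive_services(scopes):
    """Map granted scopes to the sensitive services (gmail/drive) they reach."""
    return {svc for s in scopes
            for prefix, svc in SENSITIVE_PREFIXES.items() if s.startswith(prefix)}

def triage(grants, allow, block):
    """Group Gmail/Drive grants per app and place each app on an audit list."""
    report = {}
    for g in grants:
        services = sensitive_services(g["scopes"])
        if not services:
            continue  # no Gmail or Drive access: outside this audit's scope
        entry = report.setdefault(g["app"], {"users": set(), "services": set(), "unexpected": set()})
        entry["users"].add(g["user"])
        entry["services"] |= services
        # Access that does not fit the app's purpose (unknown category: all of it).
        entry["unexpected"] |= services - EXPECTED.get(g["category"], set())
    for app, entry in report.items():
        # Block wins if an app was put on both lists by mistake.
        entry["list"] = ("Block List" if app in block else
                         "Allow List" if app in allow else "Unresolved")
        entry["review_first"] = entry["list"] == "Unresolved" and bool(entry["unexpected"])
    return report

if __name__ == "__main__":
    for app, e in sorted(triage(GRANTS, {"ExampleSign"}, {"BulkMailer"}).items()):
        print(app, e["list"], sorted(e["unexpected"]), "REVIEW" if e["review_first"] else "")
```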

Now that you know how third-party app auditing works, we will explain some of its advantages for your business. One benefit of third-party app auditing is that it gives you a better idea of the apps your employees install and utilize every day³. By running a daily automated scan of all apps your users install, third-party auditing produces reports you can use as a valuable tool³. Each report lists all the apps with an at-a-glance, color-coded view of their risk level: low, medium, or high³. In short, third-party auditing helps you keep track of your applications and ensure that employees are not installing potentially malicious apps on your company’s computer systems³.

While third-party app auditing helps you block risky apps quickly and easily, it also has specific benefits for Google G Suite administrators. If you are a G Suite admin, third-party app audits enable you to monitor all applications with access to your corporate data³. Thus, you can discover immediately if any of your employees have violated company policies, such as the data access policy³. For instance, you can find out whether any of your employees have downloaded sensitive data to their private accounts³. This shows that regular third-party app auditing is essential for effective application management.

Navitend can help you. Call 973.448.0070 or set up an appointment today.

Sources: 

¹Chrome Unboxed. “Google lists their recommended third-party apps for Google Workspace” by Johanna Romero. Retrieved from https://chromeunboxed.com/2022-recommended-workspace-third-party-apps.  

²ISACA. “How to Identify Vulnerable Third-Party Software” by Victor Gamra. Retrieved from https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/how-to-identify-vulnerable-third-party-software

³Spin Technology, Inc. “Third-Party Applications Audit: Complete Guide.” Retrieved from https://spinbackup.com/blog/third-party-applications-audit/

⁴BetterCloud. “Third Party Apps Audit” by Chris Fadell. Retrieved from https://support.bettercloud.com/s/article/Third-Party-Apps-Audit-bc60076.  

⁵BetterCloud. “Third-Party Apps Auditing & Compliance Out of Beta, Suggested Policies.” Retrieved from https://www.bettercloud.com/monitor/third-party-apps-auditing-compliance-beta-suggested-policies
