An interesting article in Fortune this morning covered a round table of security and technology experts who discussed the biggest threats to businesses. Stephen Gillett, Symantec’s chief operating officer, said there were three types of threats: script kiddies, organized crime and state-sponsored. In my opinion, he forgot a few, like hacktivism, which I think he includes with script kiddies, though hacktivism needs to stand on its own as one of the most serious threats to business operations.
The panel also raised what I think is a very important question: Do you know your company’s weakest security link? Yes, they talked about insider threats and how they are underestimated in relation to outsider threats:
“It’s more likely that an employee doesn’t realize the value of the data access they have, even if they’re a low-profile employee.”
Whether an innocent mistake or a purposefully malicious act, employees can cause a lot of security-related damage to a company. And insider threats have gotten more attention in the recent past, thanks in part to Edward Snowden, even if businesses still aren’t taking the threats seriously enough.
That still isn’t the weakest link in the security chain, though. The security problem we tend to either forget about or ignore is the third-party contractor. A service provider was the cause of the recent AT&T breach. An HVAC contractor is thought to be the reason behind Target’s breach. Said Norman Menz, CTO and co-founder, Prevalent, in a release:
“Third-party data breaches, threats and vulnerabilities are rising and putting tremendous pressure and responsibility on CIOs and IT professionals tasked with securing organizational information. As such, third-party risk management is a must-have technology for data-driven businesses – not only for compliance and regulatory purposes but to provide true visibility into the risk posture of an organization's partners and to create a shared understanding of gaps that should be resolved to effectively reduce risk.”
A SearchSecurity article recommends that companies create Business Associate Agreements when dealing with third-party contractors and consultants to defend against potential risks. The article adds that this may not be enough. After all, people do lie in contracts in order to get the job and may have theft in mind from the get-go. Strengthening that weak security link will require investigative work and old-fashioned recommendations from colleagues you trust. Of course, this isn’t foolproof. Mistakes happen that leave the contractor and, in turn, your company at risk. That’s where having all the legal paperwork that outlines the contractor’s responsibility in the event of a security breach becomes necessary.
I’ll end this with a challenge: How much do you know about your company’s weakest security link and what are you doing to protect your network and your data?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba