Insider threats get a lot of press, and deservedly so. Different studies have shown just how dangerous the insider threat is. Almost every organization is vulnerable to employee error or maliciousness.
However, employees aren’t your only “insider” problem. Third-party vendors can wreak havoc on any company’s security – just ask Target about that – and IT leaders are concerned about the security risks that third parties pose, according to a new Enterprise Strategy Group survey commissioned by Seclore.
In the executive summary, ESG discussed the reasons why IT departments have these concerns. Two that jumped out at me included:
External collaboration is commonplace. The need to collaborate with third parties including partners, contractors, customers, and more is making sharing files with such audiences commonplace with 34 percent of participants indicating that 26 percent to 50 percent of their employees regularly share files with individuals external to their organizations.
The loss of sensitive data is a top of mind concern, and is assumed to be happening. Not only did 98 percent of respondents cite the loss of sensitive data as a top or significant concern, but many also indicated it was very or somewhat likely that their organization has already lost data via a variety of ways in the last 12 months.
The result is that 56 percent of respondents said it’s very or somewhat likely that files had been stolen by partners, contractors or customers (with 28 percent saying it’s very likely), as well as 58 percent saying the same about files being stolen by employees and malicious software (60 percent).
It’s not surprising that third-party vendor security is so challenging. As Kacy Zurkus wrote for CSO, third parties have wide ranges of security infrastructures and policies. These infrastructures may or may not match with an organization’s security protocols:
As so many organizations rely on a variety of different providers, third parties can become the gateways to the network. In order to mitigate the risk of a breach from a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to best evaluate their contracts.
So how can organizations approach third-party security concerns? Developing a digital rights management solution is a start. The ESG survey suggested a four W approach: who, what (viewing, printing, screen shares, etc.), where (both location and devices) and when:
These research results show that requisite usage controls transcend basic policies of governing who can access which files to encompass granular controls over what actions can be taken, and from which devices. Location- and duration-based policies are also required in order to control from where and for how long (i.e., when) a recipient is authorized to view information.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba