Many reports on security breaches treat malicious insiders and third-party threats like two separate risks. Nowadays, however, it can be difficult to determine who is actually an inside member of your organization and who is an outsider. The distinction between inside and outside is disappearing under the influence of new business models and connecting technologies.

Expanding the Definition of Employees

In some cases, it helps to treat all suppliers, outsourcing partners, consultants, service staff and business partners as third-party insiders. This group may have many privileges similar to in-house employees, such as:

  • Physical access to the premises;
  • Use of your on-site and remote facilities;
  • Connection to the network;
  • Customer contact on your behalf;
  • Access to customer data.

Third-party insiders often act as fully integrated members of your business, even when working from distant locations. Some of these individuals have advanced knowledge of your internal processes and controls, making them just as knowledgeable of the security procedures as an internal employee — all without the same level of management supervision.

The best-practice recommendations for third-party security management include maintaining an overview of who the relevant parties are, performing risk assessments and monitoring the contract and operating procedures. It is important to always evaluate policies to ensure compliance with both the contract and industry standards, which can be accomplished through regular audits and reviews. But this is only the first layer of protection.

To further guard against threats coming from third-party insiders, apply controls you would use for in-house employees, such as authorization policies, separation of duties and user management solutions. Add to that specifically tailored products that monitor behavior and provide anomaly detection to manage internal threats, and you are one step closer to effectively tracking compliance by third-party insiders.

Building Trust With Third-Party Insiders

Compliance is not the same as trust. Trust requires having an interpersonal relationship with third parties just as you would have with your own staff. This includes:

  • Involving third-party insiders as a target group for your security awareness campaigns;
  • Training — and continuing to train — third parties in your security policy;
  • Performing background checks;
  • Establishing bring-your-own-device (BYOD) procedures.

This may seem too large a task to complete. However, you are probably already halfway there: your third-party suppliers face the same security questions, problems and solutions. It is therefore essential to involve them when developing and implementing a successful third-party security policy. Use what they have already applied to enhance your own policy, learn from each other, inform each other and together build a stronger relationship based on trust and security.

Finally, you may have outsourced specific services to third parties, but you cannot outsource your responsibility to manage people. Forming personal relationships and knowing your internal and third-party team members are key to the prevention of data breaches. The better insight you have into their work ethic, social skills, personal problems and social behaviors, the better chance you have to prevent a malicious act and identify threats before they are realized.

Read the X-Force research report: Battling Security Threats From Within Your Organization
