Light Dark
July 16, 2015 By Nicole van Deursen 2 min read
Fraud Protection
Risk Management

Many reports on security breaches treat malicious insiders and third-party threats like two separate risks. Nowadays, however, it can be difficult to determine who is actually an inside member of your organization and who is an outsider. The distinction between inside and outside is disappearing under the influence of new business models and connecting technologies.

Expanding the Definition of Employees

In some cases, it helps to treat all suppliers, outsourcing partners, consultants, service staff and business partners as third-party insiders. This group may have many privileges similar to in-house employees, such as:

  • Physical access to the premises;
  • Use of your on-site and remote facilities;
  • Connection to the network;
  • Customer contact on your behalf;
  • Access to customer data.

Third-party insiders often act as fully integrated members of your business, even when working from distant locations. Some of these individuals have advanced knowledge of your internal processes and controls, making them just as knowledgeable of the security procedures as an internal employee — all without the same level of management supervision.

The best-practice recommendations for third-party security management include maintaining an overview of who the relevant parties are, performing risk assessments and monitoring the contract and operating procedures. It is important to always evaluate policies to ensure compliance with both the contract and industry standards, which can be accomplished through regular audits and reviews. But this is only the first layer of protection.

To further guard against threats coming from third-party insiders, apply controls you would use for in-house employees, such as authorization policies, separation of duties and user management solutions. Add to that specifically tailored products that monitor behavior and provide anomaly detection to manage internal threats, and you are one step closer to effectively tracking compliance by third-party insiders.

Building Trust With Third-Party Insiders

Compliance is not the same as trust. Trust requires having an interpersonal relationship with third parties just as you would have with your own staff. This includes:

  • Involving third-party insiders as a target group for your security awareness campaigns;
  • Training — and continuing to train — third parties in your security policy;
  • Performing background checks;
  • Establishing bring-your-own-device (BYOD) procedures.

This may seem too large a task to complete. However, you are more likely than not halfway there when you consider that your third-party suppliers have the same security questions, problems and solutions. It is therefore essential to involve them when developing and implementing a successful third-party security policy. Use what they have already applied to enhance your own policy, learn from each other, inform each other and together build a stronger relationship based on trust and security.

Finally, you may have outsourced specific services to third parties, but you cannot outsource your responsibility to manage people. Forming personal relationships and knowing your internal and third-party team members are key to the prevention of data breaches. The better insight you have into their work ethic, social skills, personal problems and social behaviors, the better chance you have to prevent a malicious act and identify threats before they are realized.

Read the X-Force research report: Battling Security Threats From Within Your Organization

 |  |  |  |  | 
Nicole van Deursen
Information Security Researcher

More from Fraud Protection
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature