Many reports on security breaches treat malicious insiders and third-party threats as two separate risks. Nowadays, however, it can be difficult to determine who is actually an inside member of your organization and who is an outsider. The distinction between inside and outside is disappearing under the influence of new business models and connecting technologies.
Expanding the Definition of Employees
In some cases, it helps to treat all suppliers, outsourcing partners, consultants, service staff and business partners as third-party insiders. This group may have many privileges similar to in-house employees, such as:
- Physical access to the premises;
- Use of your on-site and remote facilities;
- Connection to the network;
- Customer contact on your behalf;
- Access to customer data.
Third-party insiders often act as fully integrated members of your business, even when working from distant locations. Some of these individuals have advanced knowledge of your internal processes and controls, making them just as knowledgeable of the security procedures as an internal employee — all without the same level of management supervision.
The best-practice recommendations for third-party security management include maintaining an overview of who the relevant parties are, performing risk assessments and monitoring the contract and operating procedures. It is important to always evaluate policies to ensure compliance with both the contract and industry standards, which can be accomplished through regular audits and reviews. But this is only the first layer of protection.
To further guard against threats coming from third-party insiders, apply controls you would use for in-house employees, such as authorization policies, separation of duties and user management solutions. Add to that specifically tailored products that monitor behavior and provide anomaly detection to manage internal threats, and you are one step closer to effectively tracking compliance by third-party insiders.
Building Trust With Third-Party Insiders
Compliance is not the same as trust. Trust requires having an interpersonal relationship with third parties just as you would have with your own staff. This includes:
- Involving third-party insiders as a target group for your security awareness campaigns;
- Training — and continuing to train — third parties in your security policy;
- Performing background checks;
- Establishing bring-your-own-device (BYOD) procedures.
This may seem too large a task to complete. However, you are probably already halfway there once you consider that your third-party suppliers face the same security questions, problems and solutions. It is therefore essential to involve them when developing and implementing a successful third-party security policy. Use what they have already applied to enhance your own policy, learn from each other, inform each other and together build a stronger relationship based on trust and security.
Finally, you may have outsourced specific services to third parties, but you cannot outsource your responsibility to manage people. Forming personal relationships and knowing your internal and third-party team members are key to the prevention of data breaches. The better insight you have into their work ethic, social skills, personal problems and social behaviors, the better chance you have to prevent a malicious act and identify threats before they are realized.