Many reports on security breaches treat malicious insiders and third-party threats like two separate risks. Nowadays, however, it can be difficult to determine who is actually an inside member of your organization and who is an outsider. The distinction between inside and outside is disappearing under the influence of new business models and connecting technologies.

Expanding the Definition of Employees

In some cases, it helps to treat all suppliers, outsourcing partners, consultants, service staff and business partners as third-party insiders. This group may have many privileges similar to in-house employees, such as:

  • Physical access to the premises;
  • Use of your on-site and remote facilities;
  • Connection to the network;
  • Customer contact on your behalf;
  • Access to customer data.

Third-party insiders often act as fully integrated members of your business, even when working from distant locations. Some of these individuals have advanced knowledge of your internal processes and controls, making them as familiar with your security procedures as an internal employee — all without the same level of management supervision.

The best-practice recommendations for third-party security management include maintaining an overview of who the relevant parties are, performing risk assessments and monitoring the contract and operating procedures. It is important to always evaluate policies to ensure compliance with both the contract and industry standards, which can be accomplished through regular audits and reviews. But this is only the first layer of protection.

To further guard against threats coming from third-party insiders, apply controls you would use for in-house employees, such as authorization policies, separation of duties and user management solutions. Add to that specifically tailored products that monitor behavior and provide anomaly detection to manage internal threats, and you are one step closer to effectively tracking compliance by third-party insiders.

Building Trust With Third-Party Insiders

Compliance is not the same as trust. Trust requires having an interpersonal relationship with third parties just as you would have with your own staff. This includes:

  • Involving third-party insiders as a target group for your security awareness campaigns;
  • Training — and continuing to train — third parties in your security policy;
  • Performing background checks;
  • Establishing bring-your-own-device (BYOD) procedures.

This may seem too large a task to complete. However, you are probably already halfway there once you consider that your third-party suppliers face the same security questions, problems and solutions. It is therefore essential to involve them when developing and implementing a successful third-party security policy. Use what they have already applied to enhance your own policy, learn from each other, inform each other and together build a stronger relationship based on trust and security.

Finally, you may have outsourced specific services to third parties, but you cannot outsource your responsibility to manage people. Forming personal relationships and knowing your internal and third-party team members are key to the prevention of data breaches. The better insight you have into their work ethic, social skills, personal problems and social behaviors, the better chance you have to prevent a malicious act and identify threats before they are realized.
