July 16, 2015 By Nicole van Deursen 2 min read

Many reports on security breaches treat malicious insiders and third-party threats like two separate risks. Nowadays, however, it can be difficult to determine who is actually an inside member of your organization and who is an outsider. The distinction between inside and outside is disappearing under the influence of new business models and connecting technologies.

Expanding the Definition of Employees

In some cases, it helps to treat all suppliers, outsourcing partners, consultants, service staff and business partners as third-party insiders. This group may have many privileges similar to in-house employees, such as:

  • Physical access to the premises;
  • Use of your on-site and remote facilities;
  • Connection to the network;
  • Customer contact on your behalf;
  • Access to customer data.

Third-party insiders often act as fully integrated members of your business, even when working from distant locations. Some of these individuals have advanced knowledge of your internal processes and controls, making them just as knowledgeable of the security procedures as an internal employee — all without the same level of management supervision.

The best-practice recommendations for third-party security management include maintaining an overview of who the relevant parties are, performing risk assessments and monitoring the contract and operating procedures. It is important to always evaluate policies to ensure compliance with both the contract and industry standards, which can be accomplished through regular audits and reviews. But this is only the first layer of protection.

To further guard against threats coming from third-party insiders, apply controls you would use for in-house employees, such as authorization policies, separation of duties and user management solutions. Add to that specifically tailored products that monitor behavior and provide anomaly detection to manage internal threats, and you are one step closer to effectively tracking compliance by third-party insiders.

Building Trust With Third-Party Insiders

Compliance is not the same as trust. Trust requires having an interpersonal relationship with third parties just as you would have with your own staff. This includes:

  • Involving third-party insiders as a target group for your security awareness campaigns;
  • Training — and continuing to train — third parties in your security policy;
  • Performing background checks;
  • Establishing bring-your-own-device (BYOD) procedures.

This may seem too large a task to complete. However, you are more likely than not halfway there when you consider that your third-party suppliers have the same security questions, problems and solutions. It is therefore essential to involve them when developing and implementing a successful third-party security policy. Use what they have already applied to enhance your own policy, learn from each other, inform each other and together build a stronger relationship based on trust and security.

Finally, you may have outsourced specific services to third parties, but you cannot outsource your responsibility to manage people. Forming personal relationships and knowing your internal and third-party team members are key to the prevention of data breaches. The better insight you have into their work ethic, social skills, personal problems and social behaviors, the better chance you have to prevent a malicious act and identify threats before they are realized.

Read the X-Force research report: Battling Security Threats From Within Your Organization

More from Fraud Protection

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today