In today’s business environment, it’s not uncommon for organisations to outsource some or all of their IT capabilities to third-party contractors. There are many benefits to this: outsourcing can save money that organisations would usually spend on full-time employees, so it’s no wonder this practice is so widespread.
However, contractors are often overlooked as a potential threat, despite being granted access to a large proportion of their employer’s critical systems and sensitive data. By hiring temporary employees, you are implicitly trusting an outside party with sensitive information that would be off-limits to most permanent employees.
In the wake of recent high-profile third-party data breaches, such as the Sweden Transport Agency breach and the Time Warner Cable breach, third parties are beginning to put in place user-monitoring technology in order to monitor their own activities. With the increase in third-party employees, organisations are also implementing these tools to monitor activity in their networks. These tools provide increased visibility and transparency, showing in real time who is accessing which files and giving the employer the ability to monitor exactly what is happening within their network.
Know the risks.
Organisations in every vertical are faced with the ‘insider threat’ problem. By granting access and responsibility to external IT contractors, businesses are arguably opening themselves up to greater risk, as this can compromise protection controls and increases the number of third parties with the same privileges and access rights as employees.
Shared administrative accounts and passwords can also pose great risks. It’s often the case that third-party IT employees share a generic freelancer account. This results in organisations being unable to tell who is responsible for what within their system.
Furthermore, privileged accounts used by third-party contractors can often prove to be a far more lucrative target for cybercriminals than those of full-time employees. This trend is showing no signs of slowing, as some of the most serious breaches in recent years have been through third-party vendors. In early September of this year, it emerged that hackers had compromised thousands of files containing the personal information and expertise of Americans with Classified and up to Top Secret security clearances. The records were exposed on an unsecured Amazon server, allegedly by a third-party job application processing company.
Another vulnerability is employees themselves. Whilst most employees are completely trustworthy, only one needs to decide to go rogue to compromise an entire organisation. All organisations hold data which has monetary value, be it a new product design or customer credentials, and this kind of data can bring profits on the dark web. A recent example of this is the breach at UK gaming shop, CEX, which saw hackers stealing customer data and then selling it on the dark web.
The insider threat isn’t always malicious. Sometimes, it is simply the case that staff are not well-trained enough to understand the risks that arise in their day-to-day role. An inexperienced or distracted system administrator might make a configuration mistake which can result in service outages or lost data, leading to the loss of revenue and increased costs.
Combatting security threats
With threats coming from both malicious and unintentional sources, it may seem impossible for an organisation to protect its sensitive data from compromise. In order to alleviate these risks, businesses must develop safeguards as well as integrate activity monitoring solutions in order to keep track of the activities carried out by third-party contractors. When an insider threat is already within the perimeter, it is no longer enough to have firewalls and standard applications in place when protecting an organisation.
Adopting a holistic approach to IT security can reduce the risk of data compromise. One way in which organisations are doing this is by implementing security monitoring tools which enable the examination of users’ behavioural patterns. A user’s technological footprint can be created by analysing how they interact with IT systems. So, when a user logs into their applications, carries out their daily tasks and accesses similar data, a profile can be created for them. These profiles are ‘learned’ and can then be compared against the real-time activities of a user in order to detect irregularities and anomalies. Once these have been detected, action can be taken to remediate malicious activity or to investigate a specific event in more detail.
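The profile-and-compare approach described above, sketched as an added example that is not from the original article or from any vendor product. The account names, hosts, record layout and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real logs):
# (account, hour of day, source host, target system, MB transferred)
BASELINE = [
    ("contractor_a", 9,  "vpn-gw-1", "ticketing", 4),
    ("contractor_a", 10, "vpn-gw-1", "build-srv", 12),
    ("contractor_a", 14, "vpn-gw-1", "ticketing", 6),
    ("contractor_a", 16, "vpn-gw-1", "build-srv", 9),
    ("contractor_b", 22, "vpn-gw-2", "db-backup", 300),
    ("contractor_b", 23, "vpn-gw-2", "db-backup", 340),
    ("contractor_b", 22, "vpn-gw-2", "db-backup", 310),
]

def learn_profiles(records):
    """Build a per-account profile from a period of known-normal activity."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec[0]].append(rec)
    profiles = {}
    for account, recs in grouped.items():
        volumes = [r[4] for r in recs]
        profiles[account] = {
            "hours": (min(r[1] for r in recs), max(r[1] for r in recs)),
            "sources": {r[2] for r in recs},
            "targets": {r[3] for r in recs},
            "vol_mean": mean(volumes),
            "vol_std": pstdev(volumes) or 1.0,  # avoid a zero-width band
        }
    return profiles

def score_event(profiles, event, hour_slack=1, z_limit=3.0):
    """Return the list of ways an event deviates from the account's profile."""
    account, hour, source, target, mb = event
    p = profiles.get(account)
    if p is None:
        return ["no baseline for account"]
    reasons = []
    lo, hi = p["hours"]
    if not (lo - hour_slack <= hour <= hi + hour_slack):
        reasons.append("unusual hour")
    if source not in p["sources"]:
        reasons.append("new source host")
    if target not in p["targets"]:
        reasons.append("new target system")
    if (mb - p["vol_mean"]) / p["vol_std"] > z_limit:
        reasons.append("transfer volume above baseline")
    return reasons
```

The same 320 MB transfer is normal for one account and anomalous for the other, which is the point of profiling each account separately; the hour window here is deliberately simple and does not wrap past midnight.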
Malicious insider behaviour is easy to spot when compared with normal employee behaviour. For example, if a contractor who has resigned plans to steal company data, real-time monitoring tools can help the organisation to quickly detect the abnormal activity. The technology will then automatically alert the security team so that they can begin incident investigation. This allows IT to focus their security resources and prioritise the most pressing events as well as replacing controls to facilitate business efficiency.
It doesn’t just stop at identifying malicious activity in a system; an organisation must also be prepared to react to malicious activity, in order to reduce the time that an attacker has before remediation measures are put in place. Ahead of a major attack taking place, there is normally a period of scouting out the target and the strength of its security operations. The speed of detection and response at this stage of an attack is critical in order to prevent a full-scale attack occurring.
As the use of third-party contractors is showing no signs of slowing down, the threats posed by malicious insiders will also continue to grow. With the right security software in place to effectively monitor third-party activity, it doesn’t have to be this way. With these tools, it is possible to mitigate the risks of giving outside parties access to sensitive data as well as complying with regulations which require the accurate monitoring of data access.
By Csaba Krasznay, Security Evangelist, Balabit.