When Edward Snowden leaked the details of the National Security Agency’s PRISM program to the media, it resulted in a large public outcry and a lot of unwanted attention. This doesn’t mean that system administrators should treat all of their contractors as the next Snowden, but it highlights the importance of ensuring that contractors, as well as employees, are sufficiently monitored and aware of how they are allowed to use company data.
How Big Is the Threat?
The NSA incident may be the most prominent example, but similar situations are not uncommon. The insider threat to data security has been well documented, and it is important to remember that not all risks come from malicious agents.
In fact, a data breach survey by the Ponemon Institute found that sometimes the problem stems from a lack of awareness in regard to IT security policies. For instance, 62 percent of employees believe it is acceptable to transfer organizational data outside of the protection of IT and never delete those files.
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman of the Ponemon Institute. “Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey.”
If employees lack awareness of an organization’s data security mandates, then it is likely third-party contractors have even less awareness. This was one of the lessons in the California Attorney General’s 2012 Data Breach Report, which revealed that insiders, including contractors, caused 10 percent of all reported incidents last year.
As a result of this threat, researchers advised organizations to tighten security controls and ramp up awareness training for both employees and contractors.
In addition, researchers found that many breaches were the result of stolen account credentials. This means it is important to include controls such as multi-factor authentication to ensure those with remote access are actually who they’re claiming to be.
It may also be helpful to review existing practices, such as those used in password creation. If the organization follows a fixed convention when creating contractor accounts and their passwords, anyone who learns that convention could gain access to these profiles.
Challenges to Keeping Contractors in Check
At first glance, it makes sense to govern contractors with the same IT security policies as employees, but this doesn’t often happen.
One reason contractors are overlooked is that many contracting organizations have their own security training and policies. However, it is impossible to design a generic security awareness program that fits the needs of every client organization. Such a program also does nothing to address the risk of a deliberate data leak.
The second problem is the perception that it is not an IT manager’s place to control contractor behavior. While internal teams may not be able to directly influence the outcome of a third-party entity’s employment status, they can still maintain visibility over that person’s system activity and level of access.
In addition, liability for breached data ultimately falls on the organization rather than the third-party service, making it essential to foster an understanding of how to appropriately handle critical data access.
Another core issue is the difficulty in managing a large number of users. This problem is made more complex by the nature of contract work, which means that new system profiles must often be created and removed to account for different levels of access. It may be tempting for administrators to use broad settings that give all contractors the same amount of access, but this could leave information exposed to a great deal of risk.
Strategies for Improving Contractor Security
Clearly define the roles and responsibilities of third-party contractors in IT security policies. Organizations must recognize that the actions of these workers are just as vital to protecting important assets as the activity of employees.
These policies should include provisions for how much access should be given to contractors as well as how to appropriately handle data (e.g., forbidding contractors from saving organizational information on personal devices).
From there, it’s easier to establish user profiles with the appropriate level of access. It may make sense to establish multiple group profiles for contractors with varying degrees of privilege so that workers are still able to do their jobs. However, even high degrees of access should come alongside tools for monitoring activity. In addition, it may be helpful to establish automated profile deletion to ensure that access is revoked once a contractor has finished his or her work.
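As an added example (not from the article or any product it mentions), the following Python check runs over a constructed contractor roster and flags two of the problems described above: accounts still enabled after their contract end date, which an automated deprovisioning job should disable, and accounts holding groups outside their contractor tier's profile. The roster columns, tier names and group names are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample roster (assumed columns), standing in for an IdP or HR export.
ROSTER_CSV = """username,contract_end,enabled,groups
c-alice,2024-03-31,true,contractor-readonly
c-bob,2024-12-31,true,contractor-dev;vpn-users
c-carol,2023-11-15,true,contractor-dev
c-dave,2024-06-30,false,contractor-readonly
c-erin,2024-09-01,true,contractor-readonly;domain-admins
"""

# Contractor group profiles (assumed names): each tier lists the only groups
# an account in that tier should hold.
ALLOWED_GROUPS = {
    "contractor-readonly": {"contractor-readonly"},
    "contractor-dev": {"contractor-dev", "vpn-users"},
}

def load_roster(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["contract_end"] = date.fromisoformat(row["contract_end"])
        row["enabled"] = row["enabled"].lower() == "true"
        row["groups"] = {g for g in row["groups"].split(";") if g}
        rows.append(row)
    return rows

def expired_but_enabled(roster, today_iso):
    """Still-enabled accounts whose contract end date has passed (the deprovisioning set)."""
    today = date.fromisoformat(today_iso)
    return sorted(r["username"] for r in roster
                  if r["enabled"] and r["contract_end"] < today)

def over_privileged(roster):
    """Accounts holding groups outside their tier profile (no tier: every group is reported)."""
    findings = {}
    for r in roster:
        tiers = [g for g in r["groups"] if g in ALLOWED_GROUPS]
        allowed = set().union(*(ALLOWED_GROUPS[t] for t in tiers))
        extra = r["groups"] - allowed
        if extra:
            findings[r["username"]] = sorted(extra)
    return findings

if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    print("disable:", expired_but_enabled(roster, "2024-04-15"))
    print("over-privileged:", over_privileged(roster))
```

Run on a schedule against a real directory export, the first list feeds the automated revocation the article recommends, and the second is the review queue for accounts that drifted beyond their intended profile.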
Edward Snowden’s case is a high-profile incident, but it does not take such a widely publicized breach to damage an organization. When contractors are not adequately monitored, organizations are likely giving people more access than they need and running the risk of a data breach.
By ensuring that third-party entities are covered by internal policies and requiring awareness training for both contractors and internal users, organizations can reduce the risk of an insider data breach.