No-one likes a third wheel
Building plans/schematics and security details were recently stolen from the Perth Airport computer systems by use of a third-party access point, highlighting the need to review, monitor and set up appropriate security protocols and access rights for third party staffers and vendors.
We’ve seen it all before, of course – albeit from a slightly different angle, with Massachusetts General Hospital back in 2016. Its dental institution had patient data exposed due to a flaw in its third-party system, over which it had no responsibility for updating or maintaining – and therefore no ability to protect itself because it did not control the system or its functions.
So then – external vendors present a risk, as do third-party staff members – but to be frank, the individual responsible for the attack on the Perth airport could just have easily stolen the access codes of a full-time employee and enacted the same ploy.
Of course, both of these eventualities are as plausible as one another and such incidents appear increasingly inevitable. Indeed, as long as there are those who seek ill-gotten gains and use the internet to trade in data, any method of exploitation available will be used and manipulated.
Without trying to sound like a broken record, as I’m sure you’ve heard it all before, here are some pointers individuals and companies ought to think about to lessen the risk to their organisations:
1) It’s critical to maintain periodic monitoring of the on-going actions of any third-party individual brought into the company.
Be they consultant, temp or project worker – monitor anyone with access to sensitive information. Of course, the same could be said of all employees, but for large organisations that’s simply a costly and rather overbearing precaution. We’re talking best practise here, not impractical solutions no one will ever implement.
Also, it goes without saying – ensure to remove ALL access rights as soon as the project is over and, if possible, conduct a retro-active review of their actions whilst operating inside your systems as a safety-check.
2) Data should not be made freely available to all members of an organisation.
As is common practice in the majority of large companies these days, segregate your data (especially the sensitive stuff) and only allow access to those who need it in order to carry out their function. An employee on the front desk probably doesn’t need access to sensitive HR files – and if they have them, perhaps it’s time to consider revising your data segregation policies.
3) Have codified contractual agreements with all third-party tech providers to ensure their continuing obligation to notify you of any breaches – and vice versa.
Trust is a two-way street after all, and transparency suits both parties far more than any other alternative.
4) And finally, take a moment to review the security history of your providers.
Data security is not just an in-house effort… unless you build, manage and maintain 100% of your stack. Any company you choose to do business with is a potential vulnerability and choosing partners with a solid track record and existing security procedures will only serve to lessen the odds of something bad happening. Simply put: do your due diligence before selecting a vendor, contractor or anything else for that matter.