Enterprises throughout the world are worried about their identity management and governance not only because they fear external threats, but internal ones as well. 90% of enterprises fear an insider threat, whether deliberately malicious or unintentional from ignorance, according to a recent study. And with the increase in phishing attacks and some studies indicating that malicious insider threats might outnumber accidental ones, those worries do not seem entirely unjustified.
But what if the greatest internal threat is not from your employees but from the vendors you hire to handle issues your employees can’t? We spoke to Kurt Long, CEO of FairWarning, about the oft-ignored issue of third-party bad actors and how they constitute a different kind of insider threat. The interview has been edited slightly for readability.
Solutions Review: Before the interview, you mentioned that there was an epidemic of bad actor contractors and third-party vendors capitalizing on enterprises’ weak points. What does this insider threat epidemic entail and how extensive is it?
Kurt Long: Due to the increased interconnectivity of modern business, an organization’s network spans a greater area than ever before. From cloud-based vendors and partners to third-party contractors, a business network can be viewed as a web. The role of security was once to secure data within [the corporate] infrastructure, which required a “perimeter” approach to security. Now, data must be secured from both internal and external attackers who can gain access to sensitive company data from the cloud or on mobile devices. Furthermore, the availability of “crime-as-a-service” has risen, giving bad actors the ability to, relatively easily, sell data on the dark web for monetary gain.
SR: Who are these bad actor contractors and third-party vendors? Are they similar in any way (called to do similar jobs or working in similar fields)? Why are they being hired?
KL: Third-party vendors and contractors are considered insiders in your network. 60% of attacks are caused by employees inside your organization with 44.5% being malicious and 15.5% being inadvertent actors. The third-party bad actors may or may not intentionally cause a breach, but if they have weak security measures then they are a target for cybercriminals to exploit.
SR: Can you provide major examples of bad actor contractors and third-party vendors causing a data breach?
KL: Some of the largest and most infamous breaches are caused by third parties. Target experienced a breach via a third-party vendor when cyber attackers compromised a vendor and infiltrated Target’s network, gaining access to over 40 million user accounts. [The] Yahoo! breach, where all 3 billion users were affected in 2013, was [also] caused by a third party.
SR: Are there any identifiers of bad contractors that enterprises can use during the hiring process to prevent these attacks?
KL: Mitigating risk against bad contractors before they are hired mostly involves research: ask for references, ensure that they sign a Business Associate Agreement (BAA), and ask questions to investigate how secure their processes really are.
SR: How are bad actor third-party vendors getting away with these breaches? What are the biggest security weaknesses enabling them to do so?
KL: A 2017 Ponemon Report on Data Risk in the Third-Party Ecosystem found that 56% of businesses reported experiencing a third-party data breach in the last year. Businesses who don’t have an overarching view of their data can give third-party vendors and contractors too much permissions access – allowing them to access sensitive data. Furthermore, without proper user activity monitoring, access to this data can go completely unnoticed.
SR: So how do you stop a contractor from plugging in and walking out the door with sensitive data?
KL: There are tools and processes every organization should take in dealing with third-party vendors and contractors:
- Have a proper view of where your most sensitive data is and who has access to it.
- Have all vendors sign a BAA.
- Assess the security of your vendors. Have vendors perform a technical scan to analyze their network for vulnerabilities.
- Most importantly, you should be monitoring access to your data. You should know who is accessing what data inside your network. Specifically, apply monitoring to third-party contractors and monitor at the depth necessary to identify unusual behavior.
SR: How are organizations using automated threat technologies (such as insider intelligence, employee behavior monitoring and analytics) to mitigate bad actors and insider threats?
KL: Organizations are using user activity monitoring and user behavioral analytics to monitor user behavior and provide insights into who, where, why, when, and what insiders, including third-party contractors, are doing. These technologies can monitor for unusual login activity, data exfiltration, changes in permissions, or login-as activity that may be associated with malicious behavior.
SR: What other measures are necessary to prevent and mitigate these kinds of attacks?
KL: Employees are either the greatest vulnerability to an organization or the best line of defense. Implementing a culture of security and accountability will help secure your organization. The idea is to move towards preventing security issues rather than discovering problems when the damage has already been done. Training through learning management systems (LMS) on your acceptable use policies, monitoring technology, current cyber threats, and sanctioning will aid in defining a strong culture of security.
Thanks again to Kurt Long of FairWarning for his time and expertise!