My colleagues, Ron Raether and Scot Ganow, as part of our firm's ongoing collaboration with NetDiligence and the eRisk hub, recently wrote a white paper on the basics of security in depth, entitled, "Traitors in Our Midst: The Risks of Employee, Contractors and Third Parties in the Age of the Internet of Things and Why Security in Depth Remains Critical to Risk Management."Here are some helpful excerpts from the paper.
1. People
Even the best designed and robust technological security measures can be compromised by its users. People within a company have access to data and systems that can impact security well beyond their office space or assigned job responsibility. The infamous Edward Snowden was a civilian government contractor to the NSA, one of hundreds, maybe thousands. The Target breach may very well have begun in the hands of an unknowing utility service provider having authorized access to Target's system. Indeed, a company’s greatest resource is its people and its business relationships. Conversely, they also present the company’s greatest risk.
Contractors are used extensively in meeting workforce demands. A company should have policies of varying degrees to manage the risk associated with contractors (non-employees), to include what work is reserved exclusively for employees and what can be assumed by contractors. Many of these ideas we vetted in 2008 when focusing on how to hire a firm to assess the sufficiency of technical security controls.
Whether a company directly hires independent contractors or through a contracting (staffing) company, the policies should include background checks, access permissions, policies and contractor agreements. Such agreements and policies should include clear requirements for what is acceptable and unacceptable work practice and use of information. The agreements with the contractor or staffing company should also include information security contract provisions to clearly establish the acceptable/unacceptable policies regarding information review and dissemination by the contracting employee. Furthermore, a company should demand that contractor companies and independent contractors comply with the same security framework imposed within the company. The third-party also should be obligated to assist in mitigating any harms resulting from a breach or other act by the contracting company or its personnel. Lastly, where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits.
Finally, employees can be just as much, if not more, a risk as contractors and service providers. The obvious security protocol is for companies to have clear policies and procedures for all employees. But this is not enough. A company must actually regularly train and audit compliance with those policies and procedures to make sure employees not only understand but also comply with the security measures. Companies must maintain an active employee training program with an ongoing awareness program, which includes reminders and updates on new or emerging threats to company information security. Companies must see information technology as part of their business, rather than just a resource, and information security must be fully integrated with daily employee duties to successfully address threats at all fronts.
2. Data Governance
Before employees, contractors and other third parties can help to manage a company's risk accordingly, a company must set forth its requirements in written policies. A data governance policy is a documented set of guidelines for ensuring the proper management of a company's digital information. A data governance policy is a living document, and it must be flexible to quickly adapt in response to changing needs. Without a written expression of a company's expectations, to include the manner in which it will collect, store and use personally identifiable information, a company cannot reasonably expect its employees and business partners to likewise meet those expectations. Furthermore, when a breach occurs, regulators and law enforcement will have an easier time understanding a company's efforts to properly assess and manage risks to information with written policy and supporting procedures in place. This is especially true in regulated sectors such as healthcare, financial services and with publicly-held companies. After a breach occurs and litigation ensues, a company's ability to demonstrate that is has current and substantial policies and procedures may help to mitigate, to some degree, potential liability. However, companies must grasp the idea that written policies are not an end, but only a means to information security.
3. Technology
Any layered security program must include and account for the benefits and risks associated with technology. Use of technology to safeguard company data as part of a layered information security program should likewise balance the technology with the business model and its associated risks. Mobile devices, office wireless networks, and remote access to company servers all play a key part to the ever-expanding virtual "office" space to increase efficiency and flexibility. Companies must balance the benefits of technology with appropriate enterprise risk management to isolate and minimize any security threats, as well as mitigate any resulting harm. Information technology “doors” should be locked and monitored the same way as those to any office suite. Centralized control is essential.
Perimeter defense and access controls (similar to a wall and moat around a castle) should include a barrier between the bad guys outside and the valuable data inside, but they also should provide a line of demarcation along which companies can load up resources and focus their attention. Firewalls are a first line of defense and common component of any layered security approach. Companies should also consider implementing intrusion detection systems, routing technology, and credential controls for a robust perimeter defense.
To keep abreast of corporate enterprise risk, companies should also implement oversight and surveillance technologies. Such technologies, if implemented and maintained, can not only provide intelligence to provide short-term notice of a potential risk, but they also provide long-term systemic reporting capabilities to assess ongoing performance issues and opportunities for improvement. System and information monitoring software, audits and logging of activity, and data backup all help support a full layered approach to information security.
Summary
In the end, companies need to understand how internal threats and company personnel can affect data security and information privacy. Companies should implement security through a multi-layered approach, while understanding what information can be shared across different internal business sectors. A company needs to understand and communicate its information management practices, make sure employees and contractors comply with that understanding, implement and enforce policies, and communicate openly and honestly with their business partners and customers. Companies must also account for how the evolving connectivity enabled by the "Internet of Things" changes and impacts privacy and security. Doing so puts a company in the best position possible to respond to a breach when (not if) if happens.