In today’s modern enterprise environment, many businesses are outsourcing some or all of their IT responsibilities to third party contractors. Third party workers do not carry the same price tag as a full-time employee so, for organisations looking to reduce costs, it’s proving to be a popular business decision.
Third party contractors are granted access to much of or all of their employer’s critical systems and sensitive data, which can be problematic. They are often overlooked as a potential threat to an organisation. The hiring of temporary employees involves an organisation trusting an outside party with a variety of sensitive information, be it customer or financial data.
Third parties are beginning to reap the benefits of user monitoring for their own activities within the client network, as this way they can prove what they did and did not do.
With an increase in third party employees, many organisations are turning to activity monitoring tools. These tools allow for increased visibility and transparency in order to see in real time who is accessing which files – essentially allowing the employer to monitor what is happening within their IT ecosystem.
So, what are the risks?
Almost all organisations, regardless of sector, are faced with the problem of managing security breaches caused by insider threats. Granting responsibility and access to external IT contractors can arguably be seen as a greater security risk, as it can weaken protection controls and increase the number of third parties with the same privileges and access rights as employees.
The sharing of administrative accounts and passwords can be incredibly problematic. A generic freelancer account is often used by third party IT employees, which results in organisations never knowing who was responsible for what within the IT system.
Further complicating the matter, IT personnel share access to privileged accounts and also share the passwords to those accounts – rendering the password insecure. This risk greatly increases when an administrator leaves the organisation or changes role, and the shared passwords are not regularly changed.
Additionally, the privileged accounts used by third party contractors are often a more popular target for cybercriminals than those of full-time employees. In fact, some of the most devastating data breaches in recent years have been through third party vendors. In April of this year, it emerged hackers breached the Amazon accounts of several third party vendors using stolen credentials obtained through the dark web to post fake deals for monetary gain.
Another risk involves employees’ trustworthiness. Whilst most employees are responsible, there are always employees who abuse the faith placed in them, and contracted administrators are no exception.
An organisation’s data, whether it be their customers’ or a new product design, has a very real monetary value on the dark web – for example, the hack of UK mobile provider O2 saw hackers selling customer data on the dark web after the fact.
Humans make mistakes, and places of employment can be very fast-paced, with the result that staff training sometimes isn’t as thorough as it perhaps should be.
Sometimes it’s not a malicious insider looking to cause harm, but a simple case of human error. An inexperienced or poorly trained system administrator might make a configuration mistake that can result in service outages or lost data, resulting in revenue losses and increased costs. In January of this year, a database administrator at GitLab deleted files, resulting in a service outage.
Tackling the security risks head on
So, with threats coming from all sides, both malicious and unintentional, how are organisations expected to stop their sensitive data from being compromised? In order to mitigate this risk, it is necessary to develop strict safeguards and integrate activity monitoring capabilities when organisations employ third party contractors for their IT tasks.
Firewalls and standard application protection are no longer enough when protecting an organisation against insider threats – by definition, they’re already inside the perimeter.
When trying to reduce the risk of sensitive data being compromised, adopting a holistic view to IT security can benefit the organisation. One approach which organisations are adopting to close the blind spot of traditional security monitoring tools is the examination of a user’s behavioural patterns.
This is carried out through analysing how users interact with IT systems – their technological fingerprint if you will. Users log into the same applications, do the same things while working and access similar data.
These profiles are ‘learned’ and can be compared in real-time to the actual activities of a user to detect irregularities and differences. Once the abnormalities are detected, remediation actions can be applied to stop an ongoing attack or to investigate an event in greater detail.
Malicious insiders have been proven to behave differently compared to normal employees. If a contractor who has resigned plans to steal company data, real-time user behaviour technologies allow the organisation to detect the abnormal activity. The technology will automatically alert the relevant security team for further investigation.
Through detecting deviations from normal behaviour and assigning a risk value, organisations are able to focus their security resources on the most pressing or important events.
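The learn, compare and score loop described above can be sketched in a few lines. This is an added example, not code from the author or from any vendor product; the account names, hosts, event fields, weights and the threshold of 50 are all assumptions chosen for illustration, and the history is constructed sample data.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, target_system, megabytes_transferred)
HISTORY = [
    ("contractor_a", 9, "ssh:db01", 12), ("contractor_a", 10, "ssh:db01", 15),
    ("contractor_a", 11, "ssh:db01", 10), ("contractor_a", 14, "rdp:app02", 8),
    ("contractor_a", 15, "ssh:db01", 14), ("contractor_a", 16, "rdp:app02", 11),
    ("contractor_b", 22, "ssh:backup01", 900), ("contractor_b", 23, "ssh:backup01", 950),
    ("contractor_b", 22, "ssh:backup01", 920), ("contractor_b", 23, "ssh:backup01", 880),
]

def learn_profiles(history):
    """Build a per-user baseline: usual hours, usual targets, usual volume."""
    raw = defaultdict(lambda: {"hours": Counter(), "apps": Counter(), "mb": []})
    for user, hour, app, mb in history:
        raw[user]["hours"][hour] += 1
        raw[user]["apps"][app] += 1
        raw[user]["mb"].append(mb)
    return {u: {"hours": p["hours"], "apps": p["apps"],
                "mean": mean(p["mb"]), "std": pstdev(p["mb"]) or 1.0}
            for u, p in raw.items()}

def risk_score(profiles, event):
    """Return (score 0-100, reasons) for one event compared with the user's profile."""
    user, hour, app, mb = event
    p = profiles.get(user)
    if p is None:  # no baseline at all: treat as maximum risk
        return 100, ["no learned profile for this account"]
    score, reasons = 0, []
    # Hours within +/-1 of any previously seen hour count as usual.
    if not any(p["hours"][h % 24] for h in (hour - 1, hour, hour + 1)):
        score += 30
        reasons.append(f"unusual hour {hour:02d}:00")
    if app not in p["apps"]:
        score += 30
        reasons.append(f"new target {app}")
    z = (mb - p["mean"]) / p["std"]
    if z > 3:  # far more data moved than this user normally moves
        score += min(40, int(z * 5))
        reasons.append(f"volume z-score {z:.1f}")
    return score, reasons

def triage(profiles, events, threshold=50):
    """Score events and return those at or above threshold, highest risk first."""
    scored = [(risk_score(profiles, e)[0], e) for e in events]
    return sorted([s for s in scored if s[0] >= threshold], reverse=True)
```

Note that a 900 MB transfer at 23:00 is routine for contractor_b but scores highly for contractor_a, which is why the baseline is kept per user rather than as a global rule.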
It also allows them to replace some controls, which in turn yields greater business efficiency. Many organisations may think the solution is to throw more and more security tools at their network to make their ecosystem more secure, but in reality, this only serves to restrict your hard-working employees.
Having more authentication requirements, more gates and more rules to adhere to when completing their work will only ever result in a less productive, more frustrated workforce.
Remember, the more technology or tools on your system, the greater the operational complexity for those using them or performing tasks on the network. Monitoring technology should be your safety net.
As well as identifying the unusual activities within a system, an organisation’s reaction to unusual activity is also important when trying to significantly reduce the time a malicious attacker has before any remediation measures are implemented.
By utilising different machine learning algorithms which work autonomously, organisations are able to learn about user behaviour quickly and efficiently before too much damage can be inflicted.
Before a major attack takes place, there is often a period of scouting out the target and the strength of its security operations. The swiftness of detection and response to this phase is critical to preventing any further high-impact activity from occurring.
As third party outsourcing continues to gain in popularity, the threat of malicious insiders will only continue to grow.
However, with the right security software in place to monitor the activity of these third parties, it is possible to mitigate the risks of allowing access to sensitive data to outside parties, as well as ensure compliance with regulations requiring the careful monitoring of data access.
Sourced by Csaba Krasznay, security evangelist at Balabit