Americans were taken aback recently when it was announced that the National Security Agency had obtained years of electronic data from calls made by cell phone customers. The person allegedly behind the leak has been identified as 29-year-old Edward Snowden—an employee of defense contractor Booz Allen Hamilton.
Snowden, called "one of America's most consequential whistle-blowers" by The Guardian, is allegedly responsible for handing over material from the NSA to show what personal information the U.S. government has been obtaining.
Booz Allen said it was "shocked" by its employee's data breach, The Wall Street Journal reported. The breach could have serious implications for the company, which earns nearly all its revenue from government work.
While the news of the breach shocked the nation, it also highlighted the importance of data privacy and security. This is an issue that is becoming increasingly important for businesses across America, especially those that employ the help of third-party vendors.
Third-Party Security Risks and How to Avoid Them
The NSA case illustrates the risk and danger of insider threats when one individual who has been given the mantle of trust goes "off the wire." This is very similar to the case of Bradley Manning, a young military intelligence private who leaked sensitive and confidential data to WikiLeaks. Both Snowden and Manning claim altruistic motives for violating trust and endangering national security. Breaches of this nature, committed by vetted and trusted individuals, are among the most difficult to control. In the Snowden case, much is being made of him as a civilian contractor or third-party vendor. But the larger issue with both Snowden and Manning is that they were both insiders. Insider access to data is a threat scenario that needs to be carefully considered and controlled.
Beyond deliberate acts, there is another insidious threat to the security of sensitive data: unintentional compromise or disclosure through simple errors, mistakes and/or negligence. Our experience demonstrates that a number of companies go to great lengths to protect their data within the confines of their organization but fail to adequately vet, manage and continuously audit the outside companies to whom they entrust and extend sensitive data. A high number of data breaches are due to mistakes by third-party vendors, which is why it is important for companies to take action to prevent such an event from damaging their reputation.
A Ponemon Institute study released last year showed that third-party vendors account for about 19 percent of data breaches a year, more than cyberattacks (7 percent) and failure to shred confidential documents (6 percent).
Third-party data breaches can be costly (nearly $1.05 million per breach), according to the study. To avoid bearing these costs and the responsibility for the event, companies that employ third-party vendors must create clear security policies assigning liability for data breaches to the third-party vendor in such an event.
Other Smart Steps to Lower Data Breach Risk
A business that entrusts data to an outside company still retains responsibility for the protection of that data if it is lost, stolen or compromised. While protecting yourself contractually when conducting business with a third-party vendor is a good idea, there are also some internal steps a company can take to protect itself from a data breach.
Strategically, there are three fundamental risk mitigation areas that must be addressed when engaging third-party contractors:
- Contract requirements
- Insurance coverage
- Initial due diligence, audit and governance
First, it is critical to put in place appropriate contract language that clearly:
- Provides protection and control requirements for entrusted data.
- Requires immediate notification and investigative access in the event of a known or suspected compromise.
- Assigns liability for expenses attendant to the breach.
- Requires adequate insurance to be put in place by the vendor that covers the various threats to the entrusted data.
Second, beyond the vendor's insurance coverage, the business that owns the data needs appropriate insurance coverage for its internal needs, as well as an understanding of what coverage, if any, applies should a contractor or third party lose the entrusted data.
Third, the company needs to do appropriate initial and ongoing due diligence to ensure that the vendor being entrusted with the data has appropriate mechanisms in place to protect the data; can respond to a security event if necessary; and has the financial and operational wherewithal to withstand the consequences of an event.
Tactically, there are a number of things that the company and the third-party vendor can do to mitigate risk. Some of the lower-hanging fruit addresses major pain points and is relatively easy to implement.
For instance, limiting the number of mobile devices at the firm and enacting a centralized mobile device management program that includes the enforcement of strong password protection, content encryption and remote disablement/content wiping will decrease the chances that sensitive company information is lost. Mobile devices are smaller than company laptops or computers but can contain just as much data. Smartphones are also easier to lose, meaning that data could end up in the wrong hands.
Encrypting sensitive data is recognized as a smart way to protect mobile phones, laptops and other portable storage devices like flash drives. In fact, encrypting all company information, not just that on smartphones, is a wise choice. If the information is encrypted, it will be difficult, if not impossible, for hackers who access a company's system to make sense of it. In most cases and state jurisdictions, encryption is the difference between a major breach, requiring regulatory reporting, notification of the impacted population and significant attendant expense, and simply the loss of a physical device with no informational value.
Brian McGinley is chief executive officer of IDT911 Consulting.