When it comes to protecting sensitive data, companies often overlook the risks stemming from business partnerships. But the risk is real and growing. Last year, about 39 percent of external breaches were business-partner-related, according to the recent Verizon Data Breach Investigations Supplemental Report. That’s up from “almost none” just a few years ago, says Bryan Sartin, Verizon’s director of investigative response.
Partnership risks are the “fastest growing” data breach trend, he says. Sartin, who conducts computer forensic investigations, says the growth stems mainly from business-support partnerships, as opposed to more formal, business-to-business outsourcing relationships. Such supportive partnerships can include groups of consultants, companies that pick up and store data tapes, and firms that help with IT maintenance and repair.
A growing number of hackers are approaching support-company staff in efforts to buy data such as user names and passwords, Sartin says. “[Hackers] might say to those they approach, ‘If you don’t like your company or are having financial difficulties, we can help.’”
Sartin says he has seen a significant increase in the availability of such data in online criminal marketplaces. User names and passwords can allow criminals to access data with little technical sophistication, he says. And the use of legitimate login credentials can often avoid raising suspicion.
To minimize the risk, companies should take a holistic approach to partnership security and take some immediate steps to strengthen access control policies, say analysts.
Companies should boost accountability surrounding partners’ access, Sartin says. He says that when he speaks with companies that have suffered data breaches via partners, they will often tell him that there are rules about what those partners’ staffs have to do to gain access, such as filling out trouble tickets or other forms. But a little investigation reveals that access is frequently possible “at any time.” Companies should only grant access to data when strictly necessary, he says.
Another good practice is to ensure that partners are given one-time passwords with clear accountability, says Sartin. But it’s also important to follow through and be sure to deactivate those passwords after the authorized use, he notes.
Before beginning any partnership, companies should take a few critical administrative and policy-oriented steps, according to a recent Gartner report. For example, the contract should address breach-related liability.
Companies should also conduct a risk assessment, according to Gartner. One approach could include ranking partners by risk, taking into consideration factors such as the criticality of data and business volume. Different risk levels could create different requirements. At lower levels, partners might only need to produce proof that they are in compliance with major regulations. Higher levels could necessitate an on-site inspection or a third-party security assessment, the Gartner report recommends.
Based on risk, companies might also stipulate requirements for partner employees. Some jobs could require that employees have specified credentials or pass background checks.
Partners’ risk status should be regularly monitored, Gartner advises. Appropriate parties, such as business unit managers, should receive ongoing updates.
Companies should also periodically audit data logs for signs of inappropriate activity that might indicate attempts at data theft. Many companies avoid looking at the logs, says Sartin, because the information can sometimes appear overwhelming or hard to read. But newer tools make the job more manageable, he says.
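To show how the ticket-gated access, single-use partner credentials and periodic log review described above fit together, here is an added audit script (written for this article, not code from Verizon, Gartner or any company quoted). It assumes a constructed table of approved access tickets and constructed access-log lines, and flags partner logins outside any approved window or reuse of a one-time credential that should have been deactivated.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data: approved access tickets, each giving one partner
# account a bounded window (the "fill out a trouble ticket first" rule).
TICKETS = [
    {"ticket": "T-1001", "partner": "tapevendor", "start": "2009-03-02 09:00", "end": "2009-03-02 11:00"},
    {"ticket": "T-1002", "partner": "itrepair",   "start": "2009-03-03 14:00", "end": "2009-03-03 16:00"},
]

# Constructed access-log lines: timestamp, partner account, one-time credential id, action.
LOG = """\
2009-03-02 09:15 tapevendor otp-7781 login
2009-03-02 22:40 tapevendor otp-7781 login
2009-03-03 14:30 itrepair otp-9932 login
2009-03-04 02:05 itrepair otp-9932 login
2009-03-03 15:10 consultant otp-5510 login
"""

def parse_line(line):
    date, time, partner, otp, action = line.split()
    return datetime.strptime(f"{date} {time}", FMT), partner, otp, action

def approving_ticket(ts, partner):
    """Return the ticket id that authorizes this partner at time ts, or None."""
    for t in TICKETS:
        start, end = datetime.strptime(t["start"], FMT), datetime.strptime(t["end"], FMT)
        if t["partner"] == partner and start <= ts <= end:
            return t["ticket"]
    return None

def audit(log_text):
    """Return (timestamp, partner, reason) findings for logins that lack an
    approved ticket window or that reuse a one-time credential."""
    entries = sorted((parse_line(l) for l in log_text.strip().splitlines()), key=lambda e: e[0])
    findings, used_otps = [], set()
    for ts, partner, otp, action in entries:
        if action != "login":
            continue
        if approving_ticket(ts, partner) is None:
            findings.append((ts.strftime(FMT), partner, "no approved ticket window"))
        if otp in used_otps:  # credential was not deactivated after its authorized use
            findings.append((ts.strftime(FMT), partner, f"one-time credential {otp} reused"))
        used_otps.add(otp)
    return findings

if __name__ == "__main__":
    for finding in audit(LOG):
        print(*finding, sep="  ")
```

Running it reports the two after-hours logins, the consultant account with no ticket at all, and the two reused one-time credentials.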