Watch Your Business Partners

By John Wagley

When it comes to protecting sensitive data, companies often overlook the risks stemming from business partnerships. But the risk is real and growing. Last year, about 39 percent of external breaches were business-partner-related, according to the recent Verizon Data Breach Investigations Supplemental Report. That’s up from “almost none” just a few years ago, says Bryan Sartin, Verizon’s director of investigative response.
Partnership risks are the “fastest growing” data breach trend, he says. Sartin, who conducts computer forensic investigations, says the growth stems mainly from business-support partnerships, as opposed to more formal, business-to-business outsourcing relationships. Such supportive partnerships can include groups of consultants, companies that pick up and store data tapes, and firms that help with IT maintenance and repair.
A growing number of hackers are approaching support-company staff in efforts to buy data such as user names and passwords, Sartin says. “[Hackers] might say to those they approach, ‘If you don’t like your company or are having financial difficulties, we can help.’”
Sartin says he has seen a significant increase in the availability of such data in online criminal marketplaces. User names and passwords can allow criminals to access data with little technical sophistication, he says. And the use of legitimate login credentials can often avoid raising suspicion.
To minimize the risk, companies should take a holistic approach to partnership security and take some immediate steps to strengthen access control policies, say analysts.
Companies should boost accountability surrounding partners’ access, Sartin says. He says that when he speaks with companies that have suffered data breaches via partners, they will often tell him that there are rules about what those partners’ staffs have to do to gain access, such as filling out trouble tickets or other forms. But a little investigation reveals that access is frequently possible “at any time.” Companies should only grant access to data when strictly necessary, he says.
Another good practice is to ensure that partners are given one-time passwords with clear accountability, says Sartin. But it’s also important to follow through and be sure to deactivate those passwords after the authorized use, he notes.
Before beginning any partnership, companies should take a few critical administrative and policy-oriented steps, according to a recent Gartner report. For example, the contract should address breach-related liability.
Companies should also conduct a risk assessment, according to Gartner. One approach could include ranking partners by risk, taking into consideration factors such as the criticality of data and business volume. Different risk levels could create different requirements. At lower levels, partners might only need to produce proof that they are in compliance with major regulations. Higher levels could necessitate an on-site inspection or a third-party security assessment, the Gartner report recommends.
Based on risk, companies might also stipulate requirements for partner employees. Some jobs could require that employees have specified credentials or pass background checks.
Partners’ risk status should be regularly monitored, Gartner advises. Appropriate parties, such as business unit managers, should receive ongoing updates.

Companies should also periodically audit data logs for signs of inappropriate activity that might indicate attempts at data theft. Many companies avoid looking at the logs, says Sartin, because the information can sometimes appear overwhelming or hard to read. But newer tools make the job more manageable, he says.
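One way to make that log audit concrete, shown as an added example that is not from the article, Verizon, or Gartner: compare partner logins against approved ticket windows and flag any login with no covering ticket, or a second login under the same ticket (a sign a one-time password was never deactivated). The log format, ticket records, and `vendor_` account prefix are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: approved access windows from a hypothetical ticket system.
TICKETS = [
    {"id": "T-101", "account": "vendor_hvac", "start": "2024-03-04T09:00", "end": "2024-03-04T11:00"},
    {"id": "T-102", "account": "vendor_backup", "start": "2024-03-05T20:00", "end": "2024-03-05T22:00"},
]

# Constructed auth log lines: "<timestamp> LOGIN_OK <account> <source>"
LOG = """\
2024-03-04T09:12 LOGIN_OK vendor_hvac 198.51.100.7
2024-03-04T10:40 LOGIN_OK vendor_hvac 198.51.100.7
2024-03-05T02:31 LOGIN_OK vendor_backup 203.0.113.50
2024-03-05T20:15 LOGIN_OK vendor_backup 203.0.113.9
2024-03-05T20:20 LOGIN_OK jsmith 10.0.0.4
""".splitlines()

PARTNER_PREFIX = "vendor_"  # assumption: partner accounts share a naming prefix


def audit_partner_logins(log_lines, tickets):
    """Return (timestamp, account, reason) for partner logins that break policy."""
    windows = [
        (t["id"], t["account"], datetime.fromisoformat(t["start"]), datetime.fromisoformat(t["end"]))
        for t in tickets
    ]
    used = set()      # tickets whose single authorized login has been seen
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOGIN_OK":
            continue  # skip malformed lines and other event types
        stamp, _, account, _source = parts
        if not account.startswith(PARTNER_PREFIX):
            continue  # only partner accounts are in scope for this audit
        when = datetime.fromisoformat(stamp)
        match = [tid for tid, acct, start, end in windows if acct == account and start <= when <= end]
        if not match:
            findings.append((stamp, account, "no approved ticket covers this login"))
        elif match[0] in used:
            findings.append((stamp, account, f"credential reused under {match[0]}"))
        else:
            used.add(match[0])
    return findings


if __name__ == "__main__":
    for finding in audit_partner_logins(LOG, TICKETS):
        print(*finding, sep=" | ")
```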


Partner Security

I have to say that this is absolutely vital to securing your information. It doesn't matter how much you keep under lock and key--if you do not check and vet your partners thoroughly then people you don't directly control will have access to their information--and they don't care about your business. Always, always, limit your partners' access to that which is immediately necessary and make certain all access expires within a day.

There are possibilities that our business partners may steal sensitive data from our company & provide them to another company...

There have been many cases until now where the partner has backstabbed another partner and the company or the firm has become bankrupt. There are many risks in starting a new partnership firm, and the first one is trust in the partner; it is seen many times that a partner sometimes shares the secrets of his firm with another firm in order to gain some load of cash.

Great tips, I think it is very important to give attention to this, otherwise it could become a serious problem.
Nick from Franking Machine

Hello,

I just started working at a university for my BA and safety management. The thing is I have no idea what I can do with this degree after graduation. If anyone can help me by suggesting some good races I can do now would be great.



Steven B Dodge

 The approach shared by Uganda Telecom and other regional players looking to achieve first mover advantage in their respective markets. The capacity purchase by Uganda Telecom on the SEACOM network will dramatically modify the local Internet market and we look forward to a new era of true broadband across the region. Thank you.

High speed internet could be a cornerstone of rapid social development in Africa. It would be interesting to create an NGO specifically for hosting sites in these areas, along with overseas insurance to allow volunteers to travel and bring inexpensive laptops.

IT Security

I work for an outsourcing IT Support company which implements security measures which back up points made in this article. Security is very important to prevent your system being vulnerable to data misuse, for one!



IT Security

IT security is a hot topic in this day and age with the ever-increasing amount of computerised data. As an IT Support company ourselves we have procedures in place to ensure security is applied to any network structure, to rest assured that our clients' data is kept safe. Prevention is the best cure and some of the points made in this article are very strong to allow this.




it support security

I work for an IT Support business and we too have security procedures in place which support what has been said in this article. We have had troubles in the past with our business partners and we have prevented any further problems with future partners by following these steps.

