Defending the Perimeter Against Insider Threats

You are responsible for your partners' data breaches

Organizations today are fluid and mobile.  Statistics show that the average worker stays in a job just under five years.  Advances in mobile technology have changed how and where we work.  A smartphone, a tablet and a laptop let people work anywhere, at any time.

The mobility of devices and people makes it hard for an organization to identify its perimeter.  Defining and securing the perimeter of a physical building is straightforward.  Doing the same for your network and your data is something else.

When most of us worked inside a building and used computing devices provided by the company, it was easier to control access to information.  You defined your network by a firewall and allowed VPN access for employees outside the building.  As long as people were on your network you could control access to data and documents.  Today people use mobile devices, and companies have BYOD policies that extend the organization's perimeter to anywhere, at any time.  We also have greater turnover in the workforce, which makes it harder to control the dissemination of information.

Since business is built on relationships, sharing data and documents with business partners is a daily activity.  Whether it's a design company sharing a drawing with a manufacturer or a financial services company sharing merger and acquisition documents, all of us share information both inside and outside our companies.  Does this mean your data security perimeter encompasses your partners?  Yes, it does, and in fact you can be liable for mistakes made by your business partners.

Changes in the HIPAA regulations hold a covered entity responsible for breaches at its business associates: the organization that owns the data still has to notify the affected individuals when a partner loses it.  This means you need to worry about the security practices of every company in your supply chain that handles your data.

Here is a recent example from Los Angeles.  Someone broke into the offices of Sutherland Healthcare Solutions and stole some computers.  This company provides billing and collection services for Los Angeles County medical facilities.  The computers contained the names, Social Security numbers, medical and billing information, birthdates, addresses and diagnoses of about 170,000 patients.  Sutherland also handles billing and collections for the county’s Department of Public Health.

Another incident, involving personally identifiable information (PII) lost by a partner, occurred in New Hampshire.  A company that manages retirement plans for EMC inadvertently emailed a spreadsheet to the wrong recipients.  It contained hidden columns with names, Social Security numbers and addresses.  The sender didn't realize it held sensitive information until it was too late.  Hiding a column changes how a spreadsheet is displayed, not what the file contains; anyone who receives the file can unhide it.

In both cases, the owner of the PII is responsible and liable.  EMC had to notify the New Hampshire attorney general, send letters to the affected people and pay for credit monitoring services.  The company may also have to deal with a tarnished brand, loss of trust and even lawsuits.  The Los Angeles breach is still new, so its consequences remain to be seen.

So who is an insider and where is the perimeter?

The definition of an insider extends to the contractors and consultants you engage for specific projects.  It also includes business partners with access to your sensitive information.  And don't forget your own employees, who could leave tomorrow and take important information with them.  The perimeter is now anywhere, on any device, many of which you don't control.  Once you share information, the recipient can store it anywhere and share it with anyone, and you cannot control that by conventional means.  You need something that lets you control access to that information regardless of where it is.

A data-centric security approach, where the protection travels with the document rather than with the network, addresses this directly.  You control who can open the information and for how long, regardless of location or device.  Since relationships don't last forever, you can revoke access to your documents with the click of a mouse once the relationship ends.  One caveat: revocation only holds while the content stays encrypted and the viewer enforces the policy; a copy that has been exported to plain text, printed or photographed is outside your control.
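The following is an added example, not code from the original post or from any product it alludes to, showing the mechanism a data-centric scheme relies on: the document is encrypted once and may be copied anywhere, while a policy service holds the key and releases it only to a principal with an unexpired grant. The service name, document id and principals are made up for the example, the cipher is an HMAC-SHA256 stream cipher with encrypt-then-MAC so the block runs on the standard library alone (use AES-GCM from a vetted library in production), and the sample document is constructed.

```python
"""Data-centric access control: ciphertext travels freely, the key does not."""
import hashlib
import hmac
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; rejects tampering or a wrong key."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("document tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class PolicyService:
    """Hypothetical key-release service: holds per-document keys and time-limited grants."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry is testable
        self._keys = {}        # doc_id -> key
        self._grants = {}      # doc_id -> {principal: expiry as unix time}

    def protect(self, doc_id: str, plaintext: bytes) -> bytes:
        """Encrypt under a fresh per-document key; the returned blob can go anywhere."""
        key = os.urandom(32)
        self._keys[doc_id] = key
        self._grants[doc_id] = {}
        return encrypt(key, plaintext)

    def grant(self, doc_id: str, principal: str, ttl_seconds: int) -> None:
        """Allow principal to open doc_id for ttl_seconds from now."""
        self._grants[doc_id][principal] = self._now() + ttl_seconds

    def revoke(self, doc_id: str, principal=None) -> None:
        """Kill access for one principal, or for everyone when the relationship ends."""
        if principal is None:
            self._grants[doc_id].clear()
        else:
            self._grants[doc_id].pop(principal, None)

    def release_key(self, doc_id: str, principal: str) -> bytes:
        """Release the key only against an unexpired grant."""
        expiry = self._grants.get(doc_id, {}).get(principal)
        if expiry is None or self._now() > expiry:
            raise PermissionError(f"{principal} may not open {doc_id}")
        return self._keys[doc_id]


def open_document(service: PolicyService, doc_id: str, principal: str, blob: bytes) -> bytes:
    """What a viewer does: obtain the key from the service, then decrypt locally."""
    return decrypt(service.release_key(doc_id, principal), blob)


def can_open(service: PolicyService, doc_id: str, principal: str, blob: bytes) -> bool:
    try:
        open_document(service, doc_id, principal, blob)
        return True
    except (PermissionError, ValueError):
        return False


def demo() -> dict:
    """Share, expire, revoke and tamper, driven by a fake clock; returns the outcomes."""
    clock = [1_700_000_000.0]
    svc = PolicyService(now=lambda: clock[0])
    blob = svc.protect("ma-deal-memo", b"Proposed purchase price: confidential")  # constructed sample
    svc.grant("ma-deal-memo", "analyst@partner.example", ttl_seconds=3600)
    svc.grant("ma-deal-memo", "engineer@corp.example", ttl_seconds=30 * 24 * 3600)
    results = {"partner_opens": open_document(svc, "ma-deal-memo", "analyst@partner.example", blob)}
    results["stranger_blocked"] = not can_open(svc, "ma-deal-memo", "nobody@elsewhere.example", blob)
    clock[0] += 2 * 3600  # two hours later the partner's grant has lapsed
    results["partner_expired"] = not can_open(svc, "ma-deal-memo", "analyst@partner.example", blob)
    svc.revoke("ma-deal-memo", "engineer@corp.example")  # the employee leaves: one call, every copy dead
    results["leaver_blocked"] = not can_open(svc, "ma-deal-memo", "engineer@corp.example", blob)
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    svc.grant("ma-deal-memo", "engineer@corp.example", ttl_seconds=60)
    results["tamper_detected"] = not can_open(svc, "ma-deal-memo", "engineer@corp.example", tampered)
    return results
```

The point of the design is that nothing about the ciphertext changes when a grant expires or is revoked; only the service's answer does, so it does not matter how many copies of the blob exist or on which devices. The limit is equally visible: once `open_document` has returned plaintext to a viewer, the service has no further say over what that viewer does with it.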

People are now the perimeter.  Control their access at the data level and you have addressed the root of insider threats and partner data breaches, rather than the network they happen to pass through.


Photo credit Eric Fischer
