Security Experts:

Are You Securing Your Contract Workforce?

Companies Should Adopt Compliance Standards for Their Partners and Vendors

Every business depends on partners. Contractors, agencies, suppliers, law firms, accountants, freelancers and more are all part of day to day life. The business transaction is routine, but the information that’s exchanged has the potential to cause irreparable damage. It’s easy to shake hands and part ways after a job well done, but sensitive information doesn’t secure itself, and it’s critical for every organization to understand where their data is and how it is protected at all times.

In addition to affecting major change on IT infrastructures, mobile, cloud and virtual work environments, a globally distributed workforce has reshaped business and changed the very nature of employment, with an increasingly contracted, connected workforce and partner ecosystem becoming the norm. While the new reality of virtual workers and a global supply chain satisfy business needs, they create major headaches for IT, security and data risk managers primarily because these new groups often exist outside the corporate security perimeter. 

These external bodies generally do not receive internal security training, and at an individual level may not even understand corporate security policies or best practices. Worse, third-party vendors can encourage internal employees to embrace shadow IT (e.g. consumer collaboration applications) over IT-approved solutions that meet security requirements. In many ways, these outsiders represent shadow IT personified – instead of just filesharing tools being outside of IT’s purview, now there are entire cloud workloads accessed through non-managed devices without oversight.

Vendor and Partner Risks

If there’s a silver lining for IT managers, it’s that securing the new workforce can be achieved by following many of the same practical steps that have been used to combat shadow IT. Here are several examples of steps IT departments can take:

Focus on the data

Securing unmanaged devices and information outside the corporate perimeter is a massive and potentially impossible challenge; one that forces IT managers to look at other methods to maintain control. Given the lack of control IT has over outside physical devices, the logical solution is to focus security around the data and applications which are accessed by mobile or external users.

While IT has no control over what third-parties or employees do on their own devices, they can control how they access data on approved applications; put data access or protection controls in place so sensitive data can’t be accessed by third party vendors/contractors from their devices; and monitor access to shared data and applications so suspicious activity can result in access being revoked at any time.

Security training is not enough to stop careless employees

Not all data is created equal, and in a well-designed information protection strategy, not all data is treated equal. 

Internal employees have a key role to play in ensuring data is appropriately used externally, and education programs can equip staff to understand the risks when data leaves the security perimeter.  Employees generally receive this type of training, but the stakes are higher when it comes to vendors and contractors. However, even with great training, people make mistakes so deploying technology controls to restrict access and sharing, or to apply strong protection leads to a consistent, low risk workflow.When properly governed, the use of applications in data to supply strong protective controls. 

Oftentimes sensitive information, such as financials, intellectual property or other customer data, needs to be shared with trusted third parties. In these cases, using an IT-approved fileshare or applying  data protection controls provides the ability to revoke access and remotely delete files when necessary. 

Keep in mind, third-party vendors or consultants may not adhere to organizational policy, and someone who works for one company today can move on to a competitor tomorrow. Risk management along with data security controls that allow for user access to be set, monitored and even revoked are a must when engaging outside third-parties, consultants and contractors. 

Extend compliance and security controls beyond employees

PCI, HIPAA, SOX – there are enough compliance laws and acronyms out there to make even the most well-schooled employee’s head spin. Add GDPR into the mix for multinational firms, and the compliance picture becomes even more difficult. And, while internal employees go through training and certification to ensure they understand these rules, there are no guarantees that others understand the rules, or even know they are required to follow them.

Employees need to understand if data shared with outside partners is subject to specific regulatory requirements while being compliant, and if so, how to securely share that information with low risk. Additionally, companies should adopt compliance standards for their partners and vendors, and ensure that basic education is done before allowing access to any regulated information.  

To help staff and third party partners understand whether data is sensitive, technology such as data loss prevention or data classification can provide an automatic and visual prompt to users (e.g. warning a user before an email is sent that sensitive data is attached, or applying a watermark to documents to remind the user it contains private data). Adopting such an approach will allow organizations to ensure that data protection standards and policies are understood and can be acted on effectively.

Action planning

These issues are complex, but can be dealt with if approached strategically. Organizations hoping to address these issues can take these five steps:

Data discovery: Do you know where your data lives?

1. For data in your managed environment, taking advantage of technologies that can identify sensitive data at rest, in motion and in use across a variety of channels is critical. These data loss prevention technologies help organizations monitor the location and flows of sensitive data, before deciding on the appropriate data management policies, staff education and protection strategy.

2. Get a handle on shadow IT and shadow data at the cloud application level, identifying and managing the use of those applications as employees engage with them. Gaining visibility and control into what employees are using outside of IT’s purview is the first basic step toward preventing sensitive data from leaking into those channels.

Data Protection: Do you have visibility and control over your data when it’s shared with remote employees, contractors, partners, or vendors?

3. To ensure that only the intended user has access to sensitive data, combining encryption, digital rights management and user authentication has powerful benefits. Such an approach is truly ‘information-centric’ in that the protection follows the data, with the sending organization retaining control over who has access and even to what extent. Using identity to decrypt files provides visibility to access, as well as controls that allow access to be revoked at any time in the future, irrespective of where the file resides. Use cases such as this were outside the reach of technical organizations in years past, however they are a must in today’s cyber security landscape. 

4. Multi-factor authentication provides a very effective defense against account takeover.  This technology greatly strengthens security around data access, without the difficulties of complex and rotating password policies. Combining this with single sign-on delivers users a simple and secure access experience.

Regulatory compliance: Do your users understand the variety of requirements that need to be satisfied to meet your compliance obligations?  

5. Using automated data discovery and protection allows organizations to deploy a well-considered and consistent approach, without requiring each employee to become an expert. It also eliminates the risk of human error that is higher when dealing with complex policies.  The same technologies used to track sensitive data can be used to discover, monitor and protect compliance-related data.  The inclusion of default policy and report templates make it simple for data administrators to confidently find regulated data, and to then develop data handling policies to ensure that data remains protected and compliant. 

So, while a contract, distributed, partner-oriented workforce and supply chain can create serious risks to your organization, careful implementation of visibility and data protection strategies can help you mitigate many of the risks.

view counter
Bradon Rogers is SVP of worldwide sales engineering and product strategy for Symantec’s Enterprise business. Rogers leads the pre-sales teams including Symantec’s worldwide sales engineering, product marketing, and sales enablement functions. From 2015 to 2016, he served as Blue Coat’s senior vice president of product strategy and operations. Prior to Blue Coat, Rogers was senior vice president of product and technical marketing at Intel Security. Prior to Intel Security, Rogers was vice president of worldwide sales engineering at McAfee. Rogers holds a B.S. from Auburn University.
Previous Columns by Bradon Rogers: