Posted June 3, 2011
When it comes to socially engineered network attacks, it’s often said that your organization’s weakest link is its most uninformed employee.
But that isn’t really true. Your weakest link can often be your most uninformed business associate.
In other words, it’s not simply about what internal employees do online. The behaviors of vendors, suppliers and other partners matter too. Their activity contributes to your company’s “Internet footprint,” a footprint that phishers can exploit to create an intrusion plan to compromise your network. Your organization could be doing everything right. But if there’s a flaw, say, with a law firm it has on retainer, then your otherwise protected data remains vulnerable.
Let’s say, for example, that your company is defending itself against litigation and has hired that law firm for representation. As part of your legal defense, your C-suite execs email the firm documents relating to product development, regulatory compliance and other sensitive information. Then the law firm allows interns to review the documents, and after hours those interns go looking for music videos on peer-to-peer networks and end up clicking on malware.
That’s all it takes for your company’s entire case and all of that confidential corporate information to get exposed to the entire world.
This means your critical data supply chain must be as tight as it can be. Obviously, you can’t pursue 24/7 monitoring of your associates’ networks. But you can enter these partnerships with as much information as possible, to determine whether their security policies are aligned with your security interests.
Ask potential partners these questions: How much ongoing training do your employees receive with respect to recognizing and avoiding socially engineered attacks? What kind of proactive monitoring do you do? Do you deploy any automated tools that can detect questionable online behavior on the network and stop it before it’s too late?
Then you probably want to review their data-transmission methodology. How strongly is data encrypted as it’s exchanged? If I send the payroll records and Social Security numbers of our employees to an outsourced HR firm, for example, can I be assured that the receiving hard drives have encryption capabilities that meet our standards?
These questions are critical in the evaluation process. The information that you’re essentially “trusting” here, after all, amounts to valuable corporate assets. Consider this analogy: If you turned over a treasured family heirloom jewel to a bank, you’d want to make sure that it was placed in a safety-deposit box that could not be compromised. So you should aspire to the same level of vigilance for the information “jewels” that you send outside your organization’s brick walls.
Vice President / Solutions Assurance, Cyveillance
Question of the week: Have you evaluated the security vigilance of your associated business partners?