Your Third-Party Relationships Are Insider Threats

By Antonia Dumas, Associate at XPAN Law Group LLC

Last week, I had the pleasure of attending the inaugural Cyber Security Summit held in Philadelphia. One hot topic that came up during several presentations and panel discussions was the issue of insider threats. As I sat there listening to discussions of more obvious insider threats such as disgruntled or unaware employees, I could not help but think of the various types of third-party relationships that are just as much of a risk to the company as an actual employee. My gut feeling was confirmed when experts discussed the issue of third-party relationships and recommendations that companies should treat and manage their third-party vendors/suppliers just as strictly as they would an employee. Agreed!

What Are Insider Threats?

Definitions of an insider (or internal) threat can vary. Generally, a key factor of an insider threat is that the “insider” knows the network and has (or has obtained) credentials to access the network. Somehow activity originates from within the network (i.e. technical, physical or personal) and moves through the system to locate and affect critical assets and/or data.

Insider threats to the security of your systems and privacy of your data can be malicious (intentional) actors or simply unintentional/accidental actors. Malicious (intentional) actors are those that act based on some type of “bad” motive and usually have the goal of extracting or destroying company data (i.e. sensitive, IP, trade secrets, etc.). Unintentional/accidental actors pose the highest risk as they are not aware of the extent of potential damage that can stem from their actions, whether they: (i) chose to ignore security practices (re-use of passwords, unsecured/public WiFi access); or (ii) were unaware of appropriate security measures (due to lack of training/awareness). Various parties can become insider threats, including your (i) employees (i.e. prospective employees, new hires and existing employees, management/administration, and C-suite/board of directors); (ii) independent contractors; (iii) visitors, on premises and online (via website or social media); and (iv) third-party vendors/suppliers.

Treating Your Third-Party Relationships As Insider Threats  

The infamous Target case is still the quintessential example of third-party vendor risk and it seems to always come up in cybersecurity-related discussions and conferences, including at this Cyber Security Summit. As many are aware, the 2013 data breach came from a “simple” HVAC vendor that was breached via a phishing email and allowed attackers to back their way into Target’s point of sale system. A number of issues have been highlighted regarding this third-party relationship: (i) the vendor was given substantially more access to the system than needed to provide the service; (ii) credentials to access the system were obtained (they were possibly publicly displayed via a handy post-it note at the workstation); and (iii) although suspicious activity triggered an alert, it sat for approximately 9 months without being thoroughly reviewed or any action being taken. The Target breach was unprecedented at that time and originally reported to affect over 40 million people; however, just about a month later it was reported that it could have affected between 70 million and 110 million people. Further, the breach not only affected millions of consumers but also Target’s business partners.

However, Target is not the only case where the data of a business was affected via a third-party relationship. For example, when a third-party vendor was breached in 2017, it triggered a chain reaction that affected companies across the US, including Best Buy, Sears, Kmart, Delta, etc. The third-party vendor (data firm [24]7.ai) became aware of the breach but was reluctant to disclose it to its customers through proper and timely notifications. The third party had suffered a malware attack around September/October of 2017 which resulted in the disclosure of personal and financial data of millions of consumers, but failed to notify its customers until May of 2018. Now that almost all 50 states have breach notification laws and new data privacy laws (e.g., New Jersey) that are imposing strict timeframes and requirements regarding notifications, this failure by a third-party vendor to notify the principal could result in the principal bearing the burden of liability.

In general, because third-party vendors/suppliers pose a high risk for any business, third-party vendors should be treated and vetted just as strictly as an insider threat (e.g., your employees). The same types of security and privacy requirements you require of your employees should be required of your third parties, or, at a minimum, you should be aware of the differences and attempt to address risks and liabilities in your contractual relationships. Further, businesses can no longer be complacent, especially when some states are beginning to require proactive action and to require that businesses mandate reasonable safeguards for their third-party vendors. (For example, the NY DFS cybersecurity regulations explicitly require third-party due diligence in order for an entity to confirm its own compliance. Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, 23 NYCRR 500 (March 1, 2017)).

Remember, Data is Currency! So Protect It!

Your data is the value of your company and your brand, and therefore, its currency. Preventing risks to IT assets (i.e. databases, file servers, cloud applications/infrastructure, endpoints, networks, business applications, mobile devices, etc.) that give access to, process or store your valuable data should be a priority. When dealing with insider threats (including third parties), there is no silver bullet. However, businesses can conduct risk analysis, establish security and data privacy management plans, and use a variety of tools to mitigate risk.

On the one hand, businesses should be aware of the extent of and limits to the access given to third-party vendors/suppliers. Generally, some key steps that can be taken are: (i) locate your sensitive/personal data and critical assets; (ii) identify access to those assets (i.e. who, level and restrictions); (iii) manage and log access to those assets; and (iv) review logs and incorporate findings into controls management. For strong security and privacy management programs, businesses should establish policies and procedures around these steps and include continuous employee training programs.

On the other hand, businesses should ensure that their contracts accurately reflect the third-party relationships, access granted to business networks and systems, and notification requirements. Privacy notices should be transparent about what data is shared with third-parties to avoid situations like Facebook and others.

Remember, when you think about third-party vendor/supplier risk, do not forget to consider the chain of connectivity that goes beyond the relationship between your business and the third-party service/provider, as it will include a series of relationships and parties that connect to that third party’s network systems and applications. Similar to the idea of six degrees of separation for social connections, businesses are connected to each other in a variety of ways and therefore so are their systems. For more information about managing third-party relationships (i.e. vendor management programs), check out XPAN’s recent fireside chat video here.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.