The breach at US retail giant Target is an example of what can happen when third-party access goes wrong. Around 70 million customers had credit card data stolen after cybercriminals installed malware in the firm's payment systems. According to research by analyst firm Ovum, some 88% of companies have at least one third party with access to their IT networks.
"The breach at US retailer Target in late 2013 was revealed to have occurred via one of its contractors that had access to its billing system," says François Amigorena, CEO of IS Decisions. "When we talk about insider threats and internal security, we don't just mean the immediate set of current employees, but anyone that might have some kind of legitimate access to systems and data."
He notes, though, that there are ways to mitigate these risks. Amigorena adds that user training is an excellent place to start, as educating your employees on what constitutes good and bad security behaviour decreases the chances of an accidental breach. "Technology can help too, with a sophisticated toolset that strengthens all employees' login security to prevent unauthorised access to enterprise networks. It can also underpin training and security policy to further disseminate good behaviour," he says.
Stuart Facey, International Vice President at Bomgar, says that when implemented and managed properly, remote access is secure. "The recent changes in PCI DSS 3.0 compliance reinforce some key guidelines to ensure that third-party access is as secure as internal network security. This change also makes it clear that responsibility for security remains with the retailer, rather than only being on the outsourcer," he says.
As Amigorena noted earlier, training staff on the risks to infrastructure is important, and that applies especially to new employees, according to Oscar Arean, Technical Operations Manager at Databarracks.
"Existing employees should also get yearly 'refreshers' to ensure their knowledge is up to date. We need to work to create a cyber-security culture within our organisations where education is encouraged," he says.
"In the same way that we have processes in place to protect our physical assets, like conditioning our employees to follow the correct lock-up procedure in the office each night, we need to extend it digitally, too."
Know your limitations
It is not only about training but also about knowing what your limits are. According to Eddie Schwartz, Chairman of ISACA's Cybersecurity Task Force, organisations must develop a stark sense of reality about what they can and can't do well in terms of cybersecurity.
"Security leaders must revisit the organisational structure and the skillsets of their security and IT teams that have any responsibility for securing information assets. They must evaluate their core competencies and where they may need to outsource skills," he says.
He adds that it's common knowledge that the bad guys share information freely and across borders, so it's critical for the good guys to have more opportunities to share information and intelligence about current attack techniques and emerging threats.
"Creating effective collaboration forums can help alert companies to the latest threats and help them identify the right solutions and service providers."
He adds that it is critical that security practitioners understand the relationship between their organisation, its people, its IT assets and the kinds of adversaries and threat actors they are facing. "It's no secret that organisations of every size are at risk of malicious attacks like the one Sony recently fell victim to, but by taking action now, businesses can greatly reduce the risk of becoming the next victim," Schwartz observes.