Employees and Third Parties and the Risks They Pose
For any number of reasons, be it active intent or, less maliciously, ignorant blunder, employees continue to be one of the weakest links in the data security chain. When that person works for a third party business associate, the risk is compounded, since an organization has even less control and awareness of their actions. I’ve said this before, and now incidents centered on the mistakes of third party contractors are appearing more frequently in the news.
They are responsible, most recently, for both breaches at certain hospitals and, of all things, the U.S. Navy. For the former, a number of hospitals reported information breaches after such an employee, working for a business associate, downloaded a host of patient data to a flash drive without authorization. The compromised information included patient names, birth dates, addresses, phone numbers, diagnoses, medications, patient identification numbers and physician names. Affected entities, naturally, had to notify those put at risk.
Likewise for the Navy breach. An employee of Hewlett Packard Enterprise Services, working under contract with the Navy, possessed a compromised laptop that served as the access point for the attacker. Whoever the culprit, they accessed the data of 130,000 sailors recently, including Social Security numbers. The Navy has since begun insisting that Hewlett Packard pay for credit monitoring services for the affected servicemen.
Both incidents highlight the risks brought to an organization by third parties and their devices: devices that are also used in a number of other environments, and may not possess sufficient security against all the threats this entails. A compromised device thus becomes an infected vector when introduced into an infrastructure like the Navy’s.
Insider errors continue to be a major cause of breaches. A recent report from the Identity Theft Resource Center told that this year had already seen 901 incidents, compared to 781 in 2015. Black Friday and Cyber Monday recently only increase the vulnerability of people’s data, as sales records continue to be made. As the National Association of Federal Credit Unions President and CEO Dan Berger said in a statement: “millions of consumers have already had their information compromised, yet retailers continue to resist critically needed national data security standards…With this void in protection, every retailer’s sale sign is a welcome sign for cybercriminals and a hazard for consumers who may unwittingly fall victim to a retail data breach.”
Amid such a landscape, there is no room to take a lackadaisical approach to maintaining solid staff training, as well as ensuring their associates’ security practices are up to snuff. It is crucial to mitigate the risks as much as possible.