BreachExchange mailing list archives

Do You Know Your Company’s Weakest Security Link?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Jul 2014 13:22:58 -0600

http://www.itbusinessedge.com/blogs/data-security/do-you-know-your-companys-weakest-security-link.html

An interesting article in Fortune this morning covered a round table of
security and technology experts who discussed the biggest threats to
businesses. Stephen Gillett, Symantec’s chief operating officer, said there
were three types of threats: script kiddies, organized crime and
state-sponsored. In my opinion, he forgot a few, like hacktivism, which I
think he includes with script kiddies, though hacktivism needs to stand on
its own as one of the most serious threats to business operations.

The panel also raised what I think is a very important question: Do you
know your company’s weakest security link? Yes, they talked about insider
threats and how they are underestimated in relation to outsider threats:

"It’s more likely that an employee doesn’t realize the value of the data
access they have, even if they’re a low-profile employee."

Whether an innocent mistake or a purposefully malicious act, employees can
cause a lot of security-related damage to a company. And insider threats
have gotten more attention in the recent past, thanks in part to Edward
Snowden, even if businesses still aren’t taking the threats seriously
enough.

That still isn’t the weakest link in the security chain, though. The
security problem we tend to either forget about or ignore is the
third-party contractor. A service provider was the cause of the recent AT&T
breach. An HVAC contractor is thought to be the reason behind Target’s
breach. Said Norman Menz, CTO and co-founder, Prevalent, in a release:

"Third-party data breaches, threats and vulnerabilities are rising and
putting tremendous pressure and responsibility on CIOs and IT professionals
tasked with securing organizational information. As such, third-party risk
management is a must-have technology for data-driven businesses – not only
for compliance and regulatory purposes but to provide true visibility into
the risk posture of an organization's partners and to create a shared
understanding of gaps that should be resolved to effectively reduce risk."

A SearchSecurity article recommends companies create Business Associate
Agreements when dealing with third-party contractors and consultants to
defend against potential risks. The article adds that that may not be
enough. After all, people do lie in contracts in order to get the job and
may have theft in mind from the get-go. Strengthening that weak security
link will require investigative work and old-fashioned recommendations from
colleagues you trust. Of course, this isn’t foolproof. Mistakes happen that
leave the contractor and, in turn, your company at risk. That’s where
having all the legal paperwork that outlines the contractor’s
responsibility in the event of a security breach becomes necessary.

I’ll end this with a challenge: How much do you know about your company’s
weakest security link and what are you doing to protect your network and
your data?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 