Ever since Hackopcalypse 2014, which included data breaches on the likes of Sony and Ebay, corporate security teams have had to spend each day proving to colleagues, customers, and shareholders that internal data will remain private and secured. But even though "Super Duper Enterprise A" may have the best firewall hardware in the market and the best intrusion detection software available at a premium, two critical vulnerabilities are waiting to pounce: corporate vendors and internal colleagues.
Corporate vendor security
Just because you're Super Duper Enterprise A, that doesn't mean you don't do business with the local SMBs. Besides boosting community morale and economy, it's convenient to have some services available to your company locally. The weekly doughnut and bagel day, the spring and summer barbecue lunch, and the annual holiday party are all events sponsored by corporate dollars and contracted through the local vendors. The data your SMB partners have in hand may seem minimal, but it's still critical corporate data. Contact information and services rendered may be valuable to an individual who hacks the SMB's network. As an InfoSec professional, you know what measures you have in place—but what about the SMB? The extent of its security depends upon available resources and what's affordable for it to implement.
For example, having a lunch meeting with your department heads exposes corporate data for colleagues paying with the company credit card. As the card is given to the wait staff for handling payment, the server walks away with the bill leaving everyone to assume the card won't be run through a credit card skimmer. Or maybe the invoiced data the vendor owns is stored on an old, patchless Windows XP computer. These risks are quite possible.
Internal colleagues and staff
I've mentioned previously that internal IT department members are the worst users on the corporate network. But that doesn't mean that all other departments in the enterprise are immune to security threats. Think of some of the more stressful times in your organization: the dreaded quarter-close, year-end, and year-start. Each of these calendar events is stressful and rich in data. When it comes to the technology black market, data is a valuable commodity.
An overworked staff accountant may be in the weeds trying to get the books closed. An urgent email hits his inbox. "The CFO is demanding the latest payroll journal to determine the executive bonuses." Being an obedient staff accountant, he sends the spreadsheet to the "CFO." Sadly, the email requesting this data was spoofed. This means some nefarious individual now has private payroll data of all the executives in the company.
When it comes to internal colleagues exposing sensitive corporate data, it's all about timing and pulling the emotional strings. Along with having the technical skill set to spoof a business's email address, the attacker executed the data breach beautifully by understanding the time of year and knowing who to target at a busy time. The accountant's inbox was potentially flooded with deadline notifications and requests, which created a stressful environment. This makes for an easy target.
The same principles can be used outside email. Hang out in the hallways and lobbies of an enterprise. Colleagues discuss the woes of the day quite regularly, regardless of who might be walking by. Someone may even pose as a facilities service technician and listen in on complaints about systems or software being used by the company.
"Our SuperFab CRM software is horrendous," one colleague says. "We're still running an older version and haven't been able to upgrade."
To an average bystander, those sentences might mean nothing. But to a person keen on network intrusion and data theft, this is critical information. Knowing what software is place for a company is a tiny window that can get opened. That tiny window can lead to other breadcrumbs of clues. This corporate environmental data can prove to be valuable in the right hands—all because employees decided to rant about their day at work in public.
SEE: Mobile device computing policy (Tech Pro Research)
What can you do to manage these risks?
Unfortunately, there's not much you can do about how your vendors handle data. If you have concerns about a vendor's best practices with your data, you can diplomatically suggest more effective procedures and explain the risks. Or you can sever all ties with said vendor in your company's best interest.
Managing the risks with internal colleagues can be addressed through internal communication and training. You can send company-wide emails—but understand that emails coming from the IT department are ignored even more than emails from a Nigerian Prince. I suggest taking the measures to upper management. Advocate the use of mandatory online training or a few Webinars that require the internal colleagues to sign up and confirm completion electronically. Doing something like this two to four times per year could plant a seed in the minds of the internal staff showing just how serious the company is about private data.
Securing your corporate data with hardware and software is a must, but understanding the risk associated with environmental data is just as critical. What advice do you have on managing the corporate data shared with vendors and among internal staff?
Ant Pruitt is an IT Support Professional with a passion for showing the non-geek how great technology can be. He writes for a variety of tech publications and hosts his own podcast. Ant is also an avid photographer and weight lifter.