Well, a positive that can be taken from the Facebook data leak is that it highlights the need for stricter external vendor controls and ongoing monitoring/maintenance.
As RGL have been working in the cyber market for the past five years and the digital forensics space for the last 15, we have had countless conversations, educational workshops, fraud investigations and insurance claims that stem from vendor management.
In today’s digital world, it is very easy to obtain external resources to fulfil the need you have for your business. Whether it is an external first line IT support requirement, a dedicated Security Managed Service or a Penetration Test, the engaged vendors will have access to your infrastructure.
User Access Control is often misconfigured, leaving the instructing business exposed and the vendor with too much control. Managing it is an ongoing process because the requirements change over time. A common trend we see is that, because the internal IT department is small, it grants Domain Admin access to vendors for ease of use.
Another point to add: if a vendor has external access to a business network, what credentials are they handing out, and to whom, within their own company? Is it right that every vendor employee has the ability to access the entire client network? Does the vendor have access controls in place internally to address this risk? Is there a security clearance process employees must pass? What happens if the external vendor is compromised and the attacker finds the credentials to your business? All of these questions should be asked during the exploratory stage of the engagement, to make sure you are satisfied with the responses.
As with any third party engagement, the need for a Scope of Work and contract is key to document the requirements. There must be an agreed level of access to your network and an internal change management policy to reflect any amendments.
Given that GDPR is coming into force on 25th May 2018, companies will need to ensure that they have already implemented the appropriate policies and procedures regarding access to personal data. These will need to be documented and adhered to in order for the business to demonstrate the internal organisational controls in response to an investigation.
So what can be done?
Most forward-thinking companies today have introduced Security Information and Event Management (“SIEM”) solutions that monitor users’ activity on a network. This allows the external vendor’s credentials to be watched closely to make sure that they are not being used for anything they shouldn’t be.
There are a number of software solutions on the market that can monitor the traffic on your network, allowing data loss to be prevented by applying a set of rules. Some will even record the activity in a visual form that can be replayed and used during an investigation or insurance claim.
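As an added illustration (not RGL’s tooling or any product’s own rule set), the following Python sketch shows the kind of check a SIEM rule would run over vendor-account events: each event is compared against the hosts, hours and change-ticket requirement agreed in the Scope of Work, and anything outside that scope is raised as a finding. The account names, hosts, ticket format and log format are constructed for the example.

```python
from datetime import datetime, time

# Hypothetical vendor accounts with the hosts and hours agreed in the Scope of Work.
VENDOR_SCOPE = {
    "vend-helpdesk": {"hosts": {"HD-SRV01", "HD-SRV02"}, "window": (time(8, 0), time(18, 0))},
    "vend-pentest": {"hosts": {"PT-JUMP01"}, "window": (time(9, 0), time(17, 0))},
}
# Privileged actions a vendor may only perform under an approved change ticket.
PRIVILEGED_ACTIONS = {"group_add_domain_admins", "gpo_modify", "schtask_create"}

# Constructed sample events in a simplified "timestamp key=value ..." format.
SAMPLE_LOG = """\
2018-05-01T10:15:00 user=vend-helpdesk host=HD-SRV01 action=logon
2018-05-01T23:40:00 user=vend-helpdesk host=HD-SRV01 action=logon
2018-05-02T11:05:00 user=vend-helpdesk host=DC01 action=group_add_domain_admins ticket=none
2018-05-02T14:30:00 user=vend-pentest host=PT-JUMP01 action=gpo_modify ticket=CHG-0042
2018-05-02T09:00:00 user=jsmith host=DC01 action=logon
"""

def parse_event(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def check_event(event):
    """Return the scope violations for an event (empty if none, or if not a vendor account)."""
    scope = VENDOR_SCOPE.get(event["user"])
    if scope is None:  # internal staff are covered by other rules
        return []
    findings = []
    if event["host"] not in scope["hosts"]:
        findings.append("host outside agreed scope")
    start, end = scope["window"]
    if not start <= event["ts"].time() <= end:
        findings.append("activity outside agreed hours")
    if event["action"] in PRIVILEGED_ACTIONS and event.get("ticket", "none") == "none":
        findings.append("privileged action without change ticket")
    return findings

def review(log_text):
    """Return (user, action, findings) for every event that raised at least one finding."""
    alerts = []
    for event in map(parse_event, log_text.splitlines()):
        findings = check_event(event)
        if findings:
            alerts.append((event["user"], event["action"], findings))
    return alerts

if __name__ == "__main__":
    for user, action, findings in review(SAMPLE_LOG):
        print(f"{user:14} {action:26} {', '.join(findings)}")
```

In a real deployment the scope table would be fed from the signed Scope of Work and change-management records, so a change in agreed access is reflected in the monitoring rule rather than silently widening what the vendor can do.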
Personally, I think that businesses are right to use external vendors, as these often represent the most cost-efficient solution, but there must be a rigid process in place that vets vendors on all aspects of their business and the engagement. It has been too easy for vendors to access information that they have no right to, and given the large fines that GDPR can levy and the change in the way people view their privacy, change is needed NOW.