Many companies hire contractors when they consider a job to be of secondary importance to their business and need short-term labor or high-quality professionals for a specific job. A contractor, for the purposes of this blog, can be a freelancer, consultant, third party, or business partner who is hired from outside of a company. Hiring a contractor is a big deal in terms of information security, even though it is common knowledge that it is a good way for companies to maximize organizational flexibility and cut costs.
In recent news, Target agreed to pay USD 18.5M to settle claims by 47 states and the District of Columbia and to resolve a multistate investigation into a massive data breach in late 2013. Target said the total cost of the data breach was USD 202M as of May 2017, and it had not yet been finalized. The breach began at the PC of an employee of a third party who was responsible for maintenance of Target’s HVAC. A hacker accessed the PC and installed malware—the PC did not have anti-malware software. The hacker spied on the connection between the PC and Target’s system, finally gaining access to Target. The hacker stole the credit and debit card information of as many as 40M shoppers.
In another breach, episodes of “Orange is the New Black,” a popular television show on Netflix, were released to the public by a hacker before Netflix’s official release this spring. Larson Studios, a third party for Netflix, had the files to conduct audio postproduction. A hacker attacked the third party, which was not fully equipped with a security system, to gain access to the files. The hacker then asked Netflix and Larson Studios to pay a certain amount of money within a certain timeframe or else the hacker would release the files to the public. Netflix and Larson Studios rejected the proposal, so the hacker released the files. As a result, many episodes of the new season, in which hundreds of millions of dollars had been invested, were released before commercialization, resulting in tremendous consequences for Netflix. Many security professionals have pointed out that third parties in Hollywood have very vulnerable information security systems and that this kind of data breach will continue in the future.
Finally, Edward Snowden’s case should not be overlooked in examining this issue. Snowden, an employee of a third-party contractor with the National Security Agency (NSA), gained access rights to servers during his job. He put about 1.7M top secret documents onto an unauthorized USB flash drive, carried it out of his workplace, and released the sensitive files to the public. Even though Snowden was deemed a whistle-blower for the public interest, it was a damaging data breach by an NSA contractor.
The reasons for the above three data breaches are different, so the countermeasures against them should be different as well. However, it is apparently more difficult for an organization to prevent a data breach involving a contractor than one involving a regular employee, for the following basic reasons: 1) contractors might have less loyalty to the organization than employees do; 2) contractors cannot obtain regular information security education as easily as employees can; 3) contractors’ information systems cannot easily be treated as part of the organization’s information security systems and cannot be managed and monitored as strictly as an in-house system; 4) contractors are sometimes temporarily allowed to gain access to the in-house system, and they often keep their access even when the work is completed.
Nonetheless, it is important to note that unstructured data, such as business files and drawing files that are used by contractors, has not been managed securely enough, whereas organizations usually manage access rights very strictly when a contractor is granted access to structured data, such as a database storing millions of customers’ information. The sensitive files of the organization can be sent or copied to contractors’ laptops and servers without any restriction, and the organization often has no idea how securely files are managed by contractors. Thus, there are huge blind spots in information security that can cause great disaster.
Our next blog will demonstrate how to prevent a data breach by utilizing Secudrive solutions, especially when an organization cooperates with contractors. Secudrive solutions can allow workplaces to cooperate by making it possible to safely store, deliver, and manage sensitive unstructured files on devices separate from the in-house system.