Companies are rightfully concerned about whether they will be the next target, or victim, of a Wikileaks-type data breach.
Recent examples of data leaks have brought to the forefront the ease with which malicious insiders with authorised access to internal systems and information can copy big volumes of sensitive data and transmit it to third parties.
These events have prompted senior executives and their boards to ask management whether they would know if an insider had engaged in similar activity within their own organisation.
Companies concerned about this risk may (and should) ask three questions: What is my critical data? Where is it located? Who has access to it?
Answering these questions lets an organisation determine which insiders could pose a threat of leaking critical data, and only then develop a strategy to protect or monitor access to that information. Once these individuals are identified, companies should consider, among other measures, enhanced due diligence for indicators of corrupt behaviour and increased logging and monitoring of physical and virtual access, and related activity, within the environment.
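As an added illustration of what that monitoring step looks like in practice (this is example code written for this article, not something the author or any named organisation uses): the three questions map directly onto a small access-monitoring routine. The inventory of critical paths answers "what is my critical data" and "where is it", the set of authorised users per path answers "who has access", and hourly volume thresholds catch the bulk-copying pattern described above. The log line format, user names, paths, classification labels and thresholds are all constructed assumptions; a real deployment would feed it file-server, DLP or document-management audit logs.

```python
"""Flag unauthorised and bulk access to critical data in audit log lines.

Added example for this article, not part of the original text. The log
format, users, paths, classification labels and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+"
    r"path=(?P<path>\S+)\s+bytes=(?P<bytes>\d+)\s+class=(?P<cls>\S+)$"
)

# "What is my critical data / where is it / who has access to it":
# path prefixes holding critical data and the principals allowed to read them
# (hypothetical inventory).
CRITICAL_PREFIXES = {
    "/legal/litigation/": {"counsel1", "counsel2", "paralegal1"},
    "/rd/designs/": {"eng1", "eng2"},
}

# Assumed per-user, per-hour baselines for non-public data; tune from history.
MAX_FILES_PER_HOUR = 20
MAX_BYTES_PER_HOUR = 200 * 1024 * 1024
COPY_ACTIONS = {"read", "copy", "download"}


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def critical_prefix(path):
    """Longest-match lookup of a path against the critical-data inventory."""
    for prefix in sorted(CRITICAL_PREFIXES, key=len, reverse=True):
        if path.startswith(prefix):
            return prefix
    return None


def detect(lines):
    """Two checks: access outside the authorised set, and hourly volume."""
    alerts = []
    buckets = defaultdict(lambda: [0, 0])  # (user, hour) -> [files, bytes]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        prefix = critical_prefix(ev["path"])
        if prefix is not None and ev["user"] not in CRITICAL_PREFIXES[prefix]:
            alerts.append({"type": "unauthorised_access", "user": ev["user"],
                           "path": ev["path"], "time": ev["ts"].isoformat()})
        # Volume monitoring covers everything not labelled public.
        if ev["cls"] == "public" or ev["action"] not in COPY_ACTIONS:
            continue
        hour = ev["ts"].replace(minute=0, second=0)
        bucket = buckets[(ev["user"], hour)]
        bucket[0] += 1
        bucket[1] += ev["bytes"]
    for (user, hour), (files, total) in sorted(buckets.items()):
        if files > MAX_FILES_PER_HOUR or total > MAX_BYTES_PER_HOUR:
            alerts.append({"type": "bulk_access", "user": user,
                           "hour": hour.isoformat(), "files": files, "bytes": total})
    return alerts


# Constructed sample log: routine activity, one contractor reading design files
# they are not authorised for, and one paralegal copying 30 case files in an hour.
SAMPLE_LOG = [
    "2011-01-05T09:12:03Z user=counsel1 action=read path=/legal/litigation/case42/brief.docx bytes=120000 class=confidential",
    "2011-01-05T09:15:40Z user=counsel1 action=read path=/legal/litigation/case42/exhibit-a.pdf bytes=540000 class=confidential",
    "2011-01-05T09:20:11Z user=eng1 action=read path=/rd/designs/widget-v3.step bytes=2400000 class=restricted",
    "2011-01-05T10:02:00Z user=vendor1 action=read path=/rd/designs/widget-v3.step bytes=2400000 class=restricted",
    "2011-01-05T11:00:00Z user=anyone action=read path=/public/newsletter.pdf bytes=90000 class=public",
] + [
    f"2011-01-05T13:{i:02d}:00Z user=paralegal1 action=copy "
    f"path=/legal/litigation/case42/doc{i:03d}.pdf bytes=3000000 class=confidential"
    for i in range(30)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points are worth noting. The authorisation check fires on a single event, because a contractor touching a restricted design file needs no baseline to be suspicious; the volume check deliberately tolerates the authorised paralegal's ordinary workload and fires only when the hourly count or byte total exceeds a baseline, which is the pattern a malicious insider with legitimate access produces. Thresholds set from a few weeks of real history, rather than guessed as here, keep the second check from drowning analysts in noise.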
Even companies that are ahead of the game in assessing the risk of data leaks within their environment often fail to consider the risks of sensitive data exposure from third parties.
Individuals who can be the source of data leaks – or "insiders" – include not only employees but also any number of third parties with authenticated access to an organisation's systems, networks, and data, such as business partners, contractors, and even government entities.
Cloud providers are an emerging area of third-party business partner risk. Other, less commonly considered third parties with access to sensitive data include law firms and outsourced or offshore service providers.
The law firm is a good example of a trusted third party with access to highly sensitive information that is not typically considered a possible source of data leaks.
Whether a plaintiff or defendant in a civil action, a victim or defendant in a criminal action, or a party to a commercial transaction, companies turn over vast amounts of confidential information to outside advisers. Once in the outside adviser's custody and control, the client company's data is at risk of exposure from either the law firm itself or any number of third parties the law firm contracts to assist in litigation discovery, trial preparation or commercial dealmaking.
As to exposure from the law firm itself: for several years, cyber forensic responders have reported that certain state-sponsored groups conducting industrial espionage against targeted organisations also target those organisations' outside advisers.
Such groups are well aware of the treasure trove of critical data sitting within counsel's environment. Targeting that environment also avoids a time-consuming search for critical data within the company's own systems, as law firms are more likely to have the key documents in hand and are, from the attacker's point of view, conveniently well organised.
As a result, the data is easy to locate and exploit. Security in law firms is also not likely to be state of the art.
A recent American Bar Association journal article highlighted that while law firms may have basic security measures in place, spending money on IT security is often a hard sell because it produces no visible return on investment.
Like other entities that only implement baseline security measures, law firms may be a welcome target for cybercriminals, and the increasing international operations of many leading firms only increase the risk associated with sensitive data protection.
Companies may also not be aware of the risk posed by the third parties with which the law firm engages.
A 2009 report from the CERT Insider Threat Center at Carnegie Mellon University in Pittsburgh highlighted a case study in which a company's trade secrets were publicly disclosed by an individual working on a copying project for a document-imaging company. The company's outside adviser had hired the document-imaging company to copy documents in preparation for litigation. The individual's motive for disclosing the trade secrets to which he had access was to "help the hacker community crack the high tech company's premier product," according to the report.
Clearly, both individuals within and outside of a company can have malicious motives to leak sensitive company data.
Companies should include third-party service providers in their security risk equation and assess the ability of these parties to adequately protect the confidentiality, integrity and availability of the sensitive data transferred to their custody and control.
Certification or third-party audits can be required to ensure that providers fulfill their information protection obligations. An overall security assessment of the provider's environment is also a recommended step.
With cloud providers as an example, companies should perform a "secure the cloud" analysis that begins with an information security assessment in the areas of data encryption, data storage location, segregation, risk management, user access, systems management and incident response.
What the appropriate levels of security are for your data will depend on what types of data you decide to put in the cloud.
In addition, contracts need to spell out the requirements, including how the provider will mitigate the risks and how it will handle the data when the contract ends. While many companies today do include security provisions in their contracts with third-party providers, they need to confirm that those provisions adequately cover the risks associated with the newly emerging WikiLeaks-type data breaches as well as more conventional security compromises.
These third-party audits, security assessments, and contractual provisions are a good start to ensuring that the sensitive data you turn over to a third party receives the level of protection that you expect.
Peretti is former senior counsel with the US Department of Justice.