For defense and civilian agencies alike, federal contractors are a mainstay in the public sector—and with good reason. Federal agencies have long relied on contractors to fill gaps and provide much-needed expertise, particularly in areas where internal skills and resources fall short. Still, even as third-party contractors fill a crucial need, they also require the same level of scrutiny and risk management as any internal employee—if not more so.
To fully benefit the agency they support, third-party contractors need access to networks, systems, applications and relevant data. The risks of this are obvious, but they don’t have to be inevitable.
The balance between too much security and too little is delicate. Overzealous access policies can bring efficiency and productivity to a screeching halt. But an overly lax approach can expose sensitive data to people who don’t need it and shouldn’t have it. The consequences can be brutal.
In the worst cases, insiders can pilfer and publicly expose highly confidential information. Such breaches present significant threats to national security and risks to important government programs.
But there are steps any organization can take to strike the right balance between security and productivity. Here are three tactics that promote both progress and safety.
Tactic 1: Identity and Access Management (IAM)
Too often, organizations onboard contractors and give them network access, then forget to revoke that access once the project is finished. Other times, organizations grant too much access, giving contractors an open door to parts of the network they don’t actually need to do their jobs.
To solve this, organizations can implement an IAM system that not only allows IT security to create different role-based access controls, but also lets them quickly and easily revoke access once a contractor finishes the project.
Tactic 2: Data Loss Prevention (DLP)
Organizations need network-wide visibility to spot unusual behavior, threats and vulnerabilities. And the insider threat is perhaps the most vexing to detect and prevent.
Broad visibility into user behavior is possible with a solid DLP system, which should then be integrated with other security solutions. DLP solutions are used to detect when sensitive data (for example, Social Security numbers, intellectual property or classified data) is being transferred either across the network or (in the worst case) outside of it. Without this, security teams face a much tougher challenge when it comes to threat prevention, identification and response.
A DLP system allows your security team to see who’s accessing what on the network – including third-party contractors – and to respond to anything unusual. Are individuals hoarding data? Accessing networks, systems, and applications they shouldn’t? Is data leaving the network that shouldn’t? Any of these activities could signal an insider threat. DLP systems can detect and prevent this.
Tactic 3: Internal Policies and Enforcement Guidelines
Even with the best solutions in place, organizations will fail at insider threat mitigation and risk prevention if they lack established internal policies. These policies ensure that security solutions are used to full advantage.
These policies, however, can present a security paradox of sorts. For instance, respondents in the 2017 SANS Institute Data Protection Survey reported that “enforcing policy across the lifespan of sensitive data” is both their organizations’ most effective control and their biggest challenge.
Developing effective policies and guidelines is both an art and a science. One method for improving effectiveness could include mandated, consistent, manual checks. Better still, these checks could be automated and coordinated with human resources (e.g., when a contractor is being off-boarded). But, ultimately, they need to be designed and followed so that your security teams are constantly monitoring who has network access and what they’re accessing.
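The automated, HR-coordinated check described above can be sketched as a reconciliation between an HR contractor roster and an IAM account export. This is an added example, not code from the original article; the CSV column names, account names and role names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: HR contractor roster and IAM account export.
HR_ROSTER = """contractor_id,contract_end,approved_roles
c1001,2024-06-30,helpdesk-read
c1002,2024-12-31,db-read;report-view
c1003,2024-03-15,net-admin
"""
IAM_EXPORT = """account,contractor_id,enabled,roles
jdoe.ctr,c1001,true,helpdesk-read
asmith.ctr,c1002,true,db-read;db-admin
bwong.ctr,c1003,false,net-admin
tlee.ctr,c1004,true,report-view
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _roles(field):
    return {r for r in field.split(";") if r}

def audit_contractor_access(hr_csv, iam_csv, today):
    """Return sorted (account, finding) tuples for enabled accounts."""
    roster = {r["contractor_id"]: r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(iam_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to revoke
        hr = roster.get(acct["contractor_id"])
        if hr is None:
            # Enabled account that HR has no contract for (orphaned).
            findings.append((acct["account"], "no HR record"))
            continue
        if date.fromisoformat(hr["contract_end"]) < today:
            findings.append((acct["account"], "contract ended " + hr["contract_end"]))
        # Roles held in IAM beyond what HR approved for the contract.
        extra = _roles(acct["roles"]) - _roles(hr["approved_roles"])
        if extra:
            findings.append((acct["account"], "unapproved roles: " + ",".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_contractor_access(HR_ROSTER, IAM_EXPORT, date(2024, 7, 15)):
        print(f"{account}: {finding}")
```

Run on a schedule, a report like this surfaces both problems named under Tactic 1: access left enabled after a project ends, and access broader than the contractor's job requires.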
Putting It All Together
Deploying these three tactics will give federal agencies insight into:
1. Who has network access and what activities are permitted for each user.
2. What users are doing on networks, in systems and with data.
3. Which types of behavior are allowed or prohibited.
Third-party contractors will continue to serve vital roles for federal agencies. Common-sense restrictions on user access, visibility across the IT environment, and policies to guide security decision-making are the best means of ensuring these partnerships remain productive, safe and secure.