Contractor and Partner Collaboration versus Network Security

Posted by Geraldine Hunt on Thu, Jan 30th, 2014

It is important that there be collaboration between employees, suppliers, and partners, but one must weigh the risk of giving people who are not employees access to your systems, as data can easily be lost through theft, carelessness, or malware.  How could you measure such risk and apply due diligence when making the decision to do so?

Access versus Security - do you have to choose?

When the American banking giant Wachovia failed in the Great Recession, the bank was taken over by Wells Fargo.  The two bank’s employees could not send encrypted email between each other, because Wachovia used Lotus Notes and Wells Fargo used Microsoft Outlook (Exchange).  It is possible to send encrypted mail between these two email systems, but not easy for the end user to do so.  Rather than address this problem, the bank chose to ignore it for several years, deeming it not worth the effort, since all the employees would eventually more to the domain WellsFargo.com.

Here is an instance of a company choosing productivity over security.  It would have been more secure for the bank—a business that deals in highly-private financial matters—to send emails encrypted.  But it would have been less productive to do so, given the definition of productivity we give below.

How could Wells Fargo have approached this issue?  Like any other business decision, that should be considered on risk-versus-reward (cost-versus-benefit) basis.

If you want a mechanical approach for determining this, you could grant access only when reward > risk.  That is what the auditors would say.  To do this, you would need to translate risk and reward into numbers.

The reward of granting access is increased productivity.  Productivity is:

productivity= (output per employee) / number of employees

The definition of “output” varies.  It could be the number of support calls handled, sales dollar amount, widgets built, shorter time-to-market, and so forth.

What about risk?  If you follow the COBIT 5 framework for governance, you know that the company is supposed to keep a risk profile.  That means each type of data is assigned a score based on how it would impact the business, if this data were lost. So you can quantify risk.

If you don’t want to resort to mathematics, just keep this thinking in mind, as you make these decisions.  Here are some inputs to that model.

Possible Risks including Network Security

The benefits of using collaboration are fairly obvious.  People working on the same project should have access to the same data and be able to communicate easily.  But what are some of the risks? 

• Theft—contractors and partners could cause you to lose company data, not by outright theft, but by introducing malware into your systems, which could then siphon off data.  If this includes private customer data, then such loss will damage your brand significantly. 
• Proxy for crime—one should assume that their computer has been hacked, because hacking is so prevalent and systems to prevent that do not work 100%.  A hacked computer can be a proxy for crime.  Criminal hacker groups rent networks of hacked computers so they can be used for illicit purposes.   The user would never know this, unless he or she knew how to look for that.  Your company’s computers could be robbing another company and no one know it.
• Camera—malware can turn on your camera and microphone and record what your board of directors are saying.
• Network—the network you attach too reveals much about your business.  PC software and mobile phone apps know you ip address, your physical address, and the address of your router.  Draw information from enough computers and you can map out your entire topology.  Network security is critical and this data is supposed to be a closely-guarded secret.
• GPS—this reveals your location, although it is less accurate that using Wi-Fi access points, whose location Google has vacuumed up and documented in detail thanks to its Street View mapping. 
• Interconnected systems—supplier-to-customer transactions view Internet web services and private network EDI are for the most part secure.  Some businesses have carried this further by using federation to allow employees of one company to log into the other company’s applications.  Here too the emphasis is on security, so there is not much risk.

 How to Mitigate the Risk of Collaboration

Some software is built with collaboration in mind. An example of that is Oracle Primavera, which is project management software designed to manage large construction projects.  Such projects have many subcontractors.  Each of these subcontractors is assigned tasks and must report on their status.  If they are engineers, then they have to submit engineering changes to the prime contractor for approval.  It is more efficient to give contractors access to the system, so they can enter this data themselves.  (Plus it is more accurate, since someone does not have to keypunch this into a computer, making the mistakes that come from such double entry.) But granting access entails higher risks for reasons cited above.

There are ways to mitigate the risk associated with collaboration.  These include:

• Training—send everyone who is working on the project to training and verify that they have taken it.  Teach them the hazards of social hacking (people phoning up and asking for details), phishing, and fake SSL certificates.  Ask them to lock up their desk at night, keep a clean desk, and do not attach cameras, cell phones, or USB drives to their computers while attached to your network.
• Block social media—there is no reason why individuals should be using Facebook or Twitter on the corporate LAN.  They have their smartphones for that.  These sights are fraught with danger, because people post links to sites that contain, for example, drive by downloads (meaning downloading a file without your permission).
• Scan their Devices—it used to be the case that you needed to give contractor’s access to your LAN and Active Directory or LDAP, to access shared drives.  That is not true anymore, as people can access applications and documents in the cloud.  All they need is an IP address, VPN, or access to the public Internet either through your network, their cellular service provider, or by connecting your network to theirs.  To mitigate the risk involved, if the contractor plugs into the LAN, they could be required to install whatever software you are using to scan devices for malware.   You can police mobile devices as well using MDM (mobile device management) software, but that is highly intrusive to the individual’s privacy.
• Other due diligence—your are already auditing your contractors quality and billing; audit their risk exposure and compliance to security as well.

This is a basic outline of the risk-versus-reward decision you face when determining whether to give contractors access to corporate systems to boost collaboration.  You could adopt a mechanical approach to this or, without having to pull out pencil and paper, just move forward, in a risk-averse manner, cognizant of what data could be lost and take measures to reduce the risk of that.

To help you get started here is a practical checklist including recommendations on securely deploying servers which is critical to network security as servers are where most of your company’s valuable data reside.