At some time in a business's life there is a need for some level of external involvement. Most small and medium businesses and not-for-profit organisations have access to accountants, solicitors and engineers when they need them. Sometimes you have only low-level interaction with these types of business, but what I am talking about today is when you have a requirement for your critical information to leave your security envelope and your control. This information may involve how you do business, your clients' information or your intellectual property.
Any business may need to employ external contractors to do a job, to get a job done, or as part of a conglomerate where information has to pass backwards and forwards between all parties. Sometimes you will have to justify how you will protect the other party's information, but as a business I would be more concerned about how they are going to protect yours. If your information has to move from a highly secure environment to one where you have no control over it, then this is what you need to know.
Here are 10 questions to ask before employing someone outside your organisation who needs access to your critical business information.
- Do the management, owner and/or executive committee enforce an internal culture of security?
- Do they use secure email, remote access and servers with two-factor security tokens or another form of two-factor authentication to protect critical information?
- Do they restrict access to critical information using complex passwords on workstations and servers, and do they restrict access for IT personnel with highly privileged credentials?
- Do they log access to their critical business files, so that all access to information is monitored?
- Do they conduct regular security training?
- Are they associated with countries with state-sponsored espionage?
- Do they grant users broad access to data on the network, or is access granted on a need-to-know basis?
- Do they have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?
- Do they employ highly trained security personnel who are skilled in sophisticated incident response?
- Do they have a security incident response plan and external incident response providers?
Before you think about employing an external company for your business, make sure that they are going to manage your intellectual property, client list and critical business information with the same level of security that you do.
The bad guys and your enemies are not stupid. External access to your information can be a threat to the security of your critical business information. Asking these questions before you sign that contract can go a long way towards protecting your business assets. Just remember: a little social engineering can get a large amount of information on where you do business and who you do business with. Combine that with lax external data security and you could lose your business edge. It is important to protect your business information even when you do not have control over those who are using it.