Comment: Trusting contractors with your data

Poyiadgi argues that trusting contractors means implementing robust policies to ensure data stays safe when it’s out of your hands

Losses of confidential personal data can be devastating for government and business alike. After hearing so many data loss horror stories, one would hope that most organisations now have appropriate technology and trained security staff to keep their data safe. But there is one area that, even for the most security-conscious organisation, represents great uncertainty – that of dealing with third parties.

For most businesses, working with third parties is a fact of life. From accountancy to marketing, or even outsourcing IT and security, it is necessary to provide suppliers with access to key data about your company and customers so they can do their job. Once they have the data, what’s to stop them from leaving a memory stick on the train or accidentally installing malware that sends the data to criminals?

Out of your control

When dealing with contractors, organisations need to know their data is safe. This means ensuring the contractor has adequate security technology and staff who understand how to manage security policies. This is not just about having technical solutions, but understanding the risks and acting accordingly. One of the biggest scandals of recent years involved discs full of highly confidential data disappearing after being sent unrecorded through the post.

The first step is risk analysis: How valuable is the data, and what is a reasonable level of security to impose? Once this is established, organisations need to ask if the supplier can demonstrate that level of security. Postmen cannot reasonably be expected to deal with each letter as if it contained sensitive data, so don’t send unencrypted data through the ordinary post. Technology companies, on the other hand, should understand this but need to demonstrate their commitment before being engaged for business.

What to expect of contractors

Once an organisation decides to use a contractor, it needs to be certain that the contractor has the capability to treat its data with the appropriate level of care. This starts with obvious technical checks, such as whether the contractor has adequate virus protection and firewalls.

But data breaches largely occur because the people handling the data are not properly trained to understand its value, the risks in handling it, and the consequences of its loss. CompTIA’s 8th Annual Global Information Security Trends research, released at the end of 2010, showed IT professionals attribute more of the blame for security breaches to human shortcomings than technology shortcomings (59% vs. 41%). Additionally, the data suggests human error is on the rise.

It is therefore doubly important that the company handling your data has trained security professionals who can demonstrate a working knowledge of security in areas such as communications, infrastructure, operational domains and cryptography.

Critically, organisations need to know that their contractors’ employees are trained to understand the value of data and the potentially devastating consequences of data loss. You need to know they understand and implement procedures for data handling to ensure it doesn’t fall into the wrong hands.

Towards a solution

The problem with working with people is that, unlike technology, it’s hard to know with any certainty whether their level of expertise measures up. To be confident your data is in the right hands, there is a need for independent validation of skills.

This is exactly what a lot of organisations do, particularly those that handle extremely valuable data. Many businesses expect staff – their own and their contractors – to have an independently accredited level of security skills. CompTIA, the global IT Trade Association, works closely with the IT industry, and this concern has been raised regularly over the years. This is why we developed our industry-led Security+ certification to validate baseline skills in security.

The US Department of Defense (DoD) is one such organisation that recognises the importance of data security when working with contractors. It is a prime target for anyone trying to attack or harm the country, and so the DoD must do everything it can to protect its data from attack. To ensure staff meet this high expectation, in 2004 the DoD established the 8570 Work Force Improvement Program. This requires all information assurance managers, privileged access users, technicians and contractors to be fully qualified, trained and certified to effectively defend DoD information, information systems and infrastructures.

To guarantee privileged users and information assurance managers have the knowledge and skills suitable for work that is critical to national security, the DoD mandates a range of certifications for its staff and contractors, and these include CompTIA’s A+, Security+ and Network+. Obviously, you can never completely cover yourself against determined malicious attacks on contractors, or even employees, but by having an independent validation of expertise and understanding, you can vastly improve your security.

What happens if you get it wrong?

The Security Policy Framework (SPF) lays down mandatory security policies for much of the UK public sector, and offers a very good guide for the private sector. It mandates accountability at senior levels, collective responsibility of all staff and contractors, and the need to employ trustworthy people. It specifically says that “government departments and agencies must employ staff and contractors in whom they can have confidence and whose identities are assured”. Failure to comply can result in disciplinary or even criminal proceedings.

Organisations are increasingly aware of the importance of security, but there are still a worrying number of organisations that expect third parties to apply the same standards they do, without demanding any real checks. Loss of data by a third party may mean they are fined, rather than your organisation, but it can still be very damaging to reputations. If you have not followed reasonable procedures to safeguard the data, then your organisation may still face sanctions, or lose customers. It is vital that we start taking this seriously now and make rigorous, provable demands of those we entrust with our data.

Matthew Poyiadgi is European vice president at global not-for-profit trade association CompTIA. CompTIA works to advance the international interests of information technology professionals and organisations, including manufacturers, distributors, resellers and educational institutions.