Trusted Outsiders Can Be Big Security Risks

Ever have a trusted salesperson, contractor or customer bring by a flash drive with a file by for you to view on one of your company's machines? Ever regret letting the outsider's drive inside your perimeter?You may allow your most trusted employees certain leeways and latitudes when it comes to their use of your business's technology -- but what abut your most trusted vendors, contractors, customers and partners?

I was talking recently with a friend who's an industrial products salesman, and among the matters we discussed was how easy technology had made it for him to show customers and vendors photos, schematics, other materials.

"Just pop a thumb drive in one of their machines, and there you go," he said.

No USB-drive monitoring? No security alarms going off?

He may still be laughing.

"Are you kidding?" he said, admitting that one company preferred that he connect a camera or phone to their system rather than a thumb drive because, according to his customer, "Cameras and phones are safer."

Now, odds are that the leeway they grant to my friend extends to people not as tech-savvy as he is, and probably extends to everybody. (Odds are, actually, that their systems are leaking information like sieves.)

But we all know of security-conscious and careful companies that do extend similar access to trusted outsiders, and do so for reasons of convenience, expediency or constancy of the vendor's presence in their business.

You know your vendors, you know your systems, you know your security procedures and tools, you know your comfort-levels with granting access.

Problem is, you may not know the levels of understanding your trusted outsider possesses on these very same matters.

The spread of USB-borne attacks isn't likely to abate; A quarter of malware now arrives via USB, and we're still in, alas, the fairly early days of device-borne attacks.

At the very least, it's a good idea to insist that your trusted outsiders adhere to the same policies, monitoring and scans that your employees must meet.

Insist that any device brought into your workplace be equipped with up-to-date security software.

Deploy tools that monitor all devices and drives on your network.

Too much trouble?

Considering doing what my salesman friend and I have discussed:

Set up a dedicated, non-networked computer for viewing materials brought in by vendors or customers. Equip the machine with security software, and use the machine only for outsider presentations and other materials. Scan it in depth after every such presentation.

Suspenders and belt? Sure -- but these sorts of safeguards can help keep your business from getting caught with its security pants down as a result of a sloppy or unaware outsider who has something you "just have to see."

While you're at it, you might want to review those internal leeways and latitudes you grant, as well.