
How to Prevent A Data Breach Risk by Contractors

Many security managers are worried about the possibility of a data breach by contractors when sensitive information is shared. As discussed in the previous blog, it is not easy to prevent data breaches by contractors, even though the breaches can cause serious damage to a business. This blog describes a couple of typical examples where contractors could cause a data breach and suggests ways to prevent a data breach by using Secudrive solutions.

First, let’s imagine this situation: a company extracts customer information from their database and hands it over to contractors as a Microsoft Excel file. The contractors conduct a cold-call marketing campaign with the information, fill out the result of the calls in the files, and return the files to the company. Thousands of customers’ information is stored on every contractor’s PC, but the contractors’ PCs are separated from the company, so the company cannot control and monitor them. A contractor could accidentally send the Excel file as an attachment in an e-mail to the wrong person or deliver it into the wrong hands with malicious intent. In addition, if the company gave the contractors its marketing plan for the campaign, which the company has spent considerable money and time to create, the plan might be copied and delivered to a competitor too.

Second, imagine an industrial machinery company that hires hundreds or thousands of technicians as contractors to conduct a maintenance service for their customers, who are scattered all over the United States. The company should provide manuals related to all their products as well as a price list for all of the parts. The information might contain very important intellectual property and be competitively sensitive, so it should not be handed over to the public or a competitor. Therefore, the company cannot help but worry about how the technicians handle the sensitive information in diverse environments. What if a technician loses his or her unencrypted laptop storing the sensitive data? What if the technician copies the files and places them into the wrong hands? What if the technician keeps files even after leaving this job, and hands them over to a competitor? The possibilities are endless.

Secudrive USB solutions could ensure data security in the above two cases.

First, Secudrive USB Office+ is suitable for use in telemarketing. Excel files can be placed onto a Secudrive USB Office+, a copy-protected USB flash drive that enables an administrator to restrict users’ rights for copy, print, screen capture, and network transfer. If all the users’ rights are restricted, users can only open and edit the files on the USB flash drives. After the telemarketing campaign, contractors fill out the results and return the files to the administrator. If Secudrive USB Management Server is used together with Secudrive USB Office+, you can monitor all users’ activities with the USB flash drives. Even if a user loses a USB flash drive, the data would be secure because it is encrypted by an encryption chip. You can also destroy the data or lock the USB flash drive remotely when necessary for information security.

If you want to check the results of a campaign in real time, you can use Secudrive File Server instead. The customers’ information is stored in a file server that is separate from the company’s database, and Secudrive File Server is installed on the file server. Secudrive File Server makes it possible for an administrator to restrict users’ rights for copy, print, screen capture, and network transfer when users use files in a shared folder. Users only open the Excel files and fill out the results of the calls in the shared folder, and the administrator can check on this process in real time.

If users do not need to edit files after distribution, as in the second case, Secudrive USB Copy Protection is an excellent choice. You can restrict users’ rights for copy, print, screen capture, and network transfer when you distribute files with USB flash drives. If you need to update product information or a price list, you can upload the update files onto an update server, and then these files can be automatically updated when the distributed USB flash drives are connected to the Internet. Secudrive USB Copy Protection can utilize general USB flash drives that have serial numbers, making it more cost-effective, but this option is less secure because it is encrypted only by a software algorithm instead of an encryption chip. However, you can also destroy the data or lock the USB flash drives remotely.

In both cases, you can update files on the USB flash drives remotely through the Internet after distribution, without the need to deliver a physical CD/DVD every time you update files. Therefore, distributing the USB flash drives using Secudrive solutions is much more efficient and cost-effective than distributing CD/DVDs using existing solutions.

Secudrive solutions are also very effective in preventing data breaches by contractors who work with sensitive corporate information but cannot be easily controlled under a regular corporate security regulation and system. With Secudrive, you do not need to open a corporate server system that is full of sensitive information. If you select the information that you have to open and deliver it to contractors using Secudrive, you do not need to worry about data breaches caused by contractor mistakes or malicious actions.


Data Breach Risk Caused by Contractors

Many companies hire contractors when they consider a job to be of secondary importance to their business and need short-term labor or high-quality professionals for a specific job. A contractor, for the purposes of this blog, can be a freelancer, consultant, third party, or business partner who is hired from outside of a company. Hiring a contractor is a big deal in terms of information security, even though it is common knowledge that it is a good way for companies to maximize organizational flexibility and cut costs.

In recent news, Target agreed to pay USD 18.5M to settle claims by 47 states and the District of Columbia and to resolve a multistate investigation into a massive data breach in late 2013. Target said the total cost of the data breach was USD 202M as of May 2017, and it had not yet been finalized. The breach began at the PC of an employee of a third party who was responsible for maintenance of Target’s HVAC. A hacker accessed the PC and installed malware—the PC did not have anti-malware software. The hacker spied on the connection between the PC and Target’s system, finally gaining access to Target. The hacker stole the credit and debit card information of as many as 40M shoppers.

In another breach, the episodes of “Orange is the New Black,” a popular television show on Netflix, were released to the public by a hacker before Netflix’s official release this spring. Larson Studios, a third party for Netflix, had the files to conduct audio postproduction. A hacker attacked the third party, which was not fully equipped with a security system, to gain access to the files. The hacker then asked Netflix and Larson Studios to pay a certain amount of money within a certain timeframe or else the hacker would release the files to the public. Netflix and Larson Studios rejected the proposal, so the hacker released the files. As a result, many episodes of the new season, in which hundreds of millions of dollars had been invested, were released before commercialization, resulting in tremendous consequences for Netflix. Many security professionals have pointed out that third parties in Hollywood have very vulnerable information security systems and that this kind of data breach will continue in the future.

Finally, Edward Snowden’s case should not be overlooked in examining this issue. Snowden, an employee of a third-party contractor with the National Security Agency (NSA), gained access rights to servers during his job. He put about 1.7M top secret documents onto an unauthorized USB flash drive, carried it out of his workplace, and released the sensitive files to the public. Even though Snowden was deemed a whistle-blower for the public interest, it was a damaging data breach by an NSA contractor.

The reasons for the above three data breaches are different, so the countermeasures against them should be different as well. However, it is apparently more difficult for an organization to prevent a data breach involving a contractor than a regular employee for the following basic reasons: 1) contractors might have less loyalty to the organization than employees do; 2) contractors cannot obtain regular information security education as easily as employees can; 3) contractors’ information systems cannot be easily treated as parts under organizational information security systems and cannot be managed and monitored as strictly as an in-house system; 4) contractors are sometimes temporarily allowed to gain access to the in-house system, and they often keep their access even when the work is completed.

Nonetheless, it is important to note that unstructured data, such as business files and drawing files that are used by contractors, have not been managed securely enough, whereas organizations usually manage access rights very strictly when a contractor is granted access to structured data, such as a database storing millions of customers’ information. The sensitive files of the organization can be sent or copied to contractors’ laptops and servers without any restriction, and the organization often has no idea how securely the files are managed by contractors. Thus, there are huge blind spots in information security that can cause a great disaster.

Our next blog will demonstrate how to prevent a data breach by utilizing Secudrive solutions, especially when an organization cooperates with contractors. Secudrive solutions can allow workplaces to cooperate by making it possible to safely store, deliver, and manage sensitive unstructured files in separate devices from the in-house system.