
Reacting to a business partner's insider threat

In this SearchSecurity.com Q&A, security management pro Mike Rothman explains how to address a business partner's weak data security policies.

A recent background check on an employee of a business partner showed he was a convicted identity thief and had a long history of other crimes. He had access to our protected health information (PHI) for about three days. He had a list of patients and SSNs in his possession and was terminated immediately. His wife, another employee of our business partner, didn't receive a background check prior to her employment. How should we react, and what are the best ways to make sure another issue like this doesn't occur?

I would cease doing any business with the business partner immediately. Your organization must act quickly and decisively to demonstrate what practices it considers unacceptable, for the sake of your other business partners. Also, be sure to check with your legal counsel to make sure you are not in a situation where you need to disclose the privacy breach to your customers.

You should revisit your agreements with the business partner and ensure that the legal documents reflect the acceptable practices of how you work with trading partners. But to be clear, you need to make an example of this business partner; not doing a simple background check is unacceptable.

As an information security professional, you know that many business deals create significant risk to your own organization. You connect systems to partners that have insufficient controls and protections. But, ultimately, business will win out, and if you make too much noise, you run the risk of being perceived as Chicken Little and endangering your credibility.

As part of your overarching security program, I recommend communicating with the legal team and discussing the things you think are important to look at when doing diligence on an acquisition or other business deal. It's critical to do this before the deal is underway. If you do this early, then you are proactive. If you do this later, then you are in the way of a deal getting done. Which do you think will be better perceived in the executive suite?

Ultimately, the role of the security staff is to present the risks. Business people need to make the decisions as to whether the risks are justified when weighed against the reward of doing the deal.

This was last published in June 2007.
