During a recent risk review we identified a widespread risk: the 3rd party leaver.
If you share files with any external parties, you need to think about this. It’s a big risk common to all services that let you share files with external people.
Sharing sensitive files for M&A
Acme Ltd are selling their firm. They’re using a virtual data room run by their advisors. One of the people on the ‘other side’ is Bad Bob. Mid-transaction, he leaves his firm, and nobody tells Acme. Bob continues to access the data room, even though he now works for a competitor.
The client extranet
Dubious Dana is a freelancer working for an agency doing work for blue-chip client Nestles. She has access to the Nestles extranet, which has the next 12 months’ ad plans online. When she leaves to work for a competing agency, nobody tells Nestles – she’s free to steal and share plans until someone notices her account should have been closed.
What does this mean for me?
If you are sharing files with other firms through extranets or data rooms that you control, then your data is at risk when people change jobs.
Options that don’t work
– Contractual
This is a hard one, as it relies on people you are sharing data with having a leavers policy that will tell you, a 3rd party, when someone leaves. You can specify in your terms that they must tell you, but experience tells me you’ll be told late, if at all.
– Periodic review
Once a month, review all access rights and revoke as needed. But will you know Bad Bob has left?
– Token based access
You could issue RSA-type key fobs – however, would you know when to ask for them back?
– 2-step authentication – with a phone call or text
A lot of people will take their mobile number with them to the next job, so whilst this is a good security option, it’s not great against leavers.
4 things that work
– Terms of use agreement ✔ (quite helpful)
By using a click-wrap agreement or acceptable use policy before letting people access files, you can get some legal protection against misuse.
– Don’t use personal email addresses ✔ (quite helpful)
Just use business email. At least that way you’ll be warned with a bounce if an email account stops working.
– IP restrict ✔ (good)
Only allow access from specified IP ranges, so that, for example, the folk at Acme can only log in from the Acme office.
– 2-step authentication – company email address ✔ (our favourite)
By adding 2-step authentication that relies on something owned by the company (not the individual), you get good protection. At Projectfusion we make our 2-step authentication use a corporate email address – so when someone loses their corporate email, they lose access to your data. We have a policy of not sharing with personal email accounts.
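As an added example (not Projectfusion’s code), here is a small Python model of the three technical checks above combined: refusing personal email domains, restricting logins to the partner’s IP ranges, and sending the second-factor code only to the corporate mailbox, with a mail bounce revoking the account. The Partner and ExternalUser classes, the webmail domain list and the IP ranges are constructed assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed list of webmail domains that must never hold an extranet account.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

@dataclass
class Partner:
    domain: str             # the external firm's corporate email domain
    allowed_ips: List[str]  # CIDR ranges its office traffic comes from

@dataclass
class ExternalUser:
    email: str
    partner: Partner
    active: bool = True
    pending_code: Optional[str] = None  # second-factor code awaiting entry

def is_corporate_address(email: str, partner: Partner) -> bool:
    """Only the partner's own domain is accepted; webmail is refused outright."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain == partner.domain and domain not in PERSONAL_DOMAINS

def ip_allowed(ip: str, partner: Partner) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in partner.allowed_ips)

def start_login(user: ExternalUser, source_ip: str, outbox: List[Tuple[str, str]]) -> bool:
    """Step 1 (after the password check): gate on account, address and IP, then
    email a one-time code to the corporate mailbox. `outbox` stands in for the
    mail transport so the flow can run offline."""
    if not user.active or not is_corporate_address(user.email, user.partner):
        return False
    if not ip_allowed(source_ip, user.partner):
        return False
    user.pending_code = f"{secrets.randbelow(10**6):06d}"
    outbox.append((user.email, user.pending_code))
    return True

def finish_login(user: ExternalUser, code: str) -> bool:
    """Step 2: the code only went to the corporate mailbox, so a leaver whose
    mailbox has been closed cannot complete this step."""
    ok = user.pending_code is not None and secrets.compare_digest(user.pending_code, code)
    user.pending_code = None  # single use, whether or not it matched
    return ok

def handle_bounce(user: ExternalUser) -> None:
    """A hard bounce from the corporate address is the leaver signal: revoke."""
    user.active = False
```

The bounce handler is the piece that closes the loop: a mailbox the partner firm has shut down stops delivering codes, and the first bounce disables the account rather than waiting for a monthly review.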
Can you think of another way to protect from bad leavers? Are we overstating the risk? We’d love to hear from you.