If you’re a parent, then you know how important choosing a babysitter is. Even when we just ask a neighbor or relative, we are handing the safety of our children over to another person, and what’s more important than that? Money certainly isn’t, but protecting the company that employs you and provides the money that feeds your children has to be near the top of the list. That’s why it’s hard to believe how often people let contractors work on their company’s systems without properly vetting them. If you know how easy it is to be breached, you might not expect it to happen often, but organizations big and small make this exact mistake.
You’ve probably heard of the CIA WikiLeaks dump by now, but you may not have heard who is thought to be responsible for the leaked documents. For now, the source of the leak is assumed to be a contractor who had access to the CIA’s network and handed the documents to WikiLeaks, and the CIA is paying dearly for that mistake. The world is finding out that the CIA and several foreign governments have designed tools that do everything from stealing files off devices without ever being noticed to turning smart TVs into listening posts. On top of that, one of the most powerful organizations in the world just had its secrets spilt, which will hurt its reputation for years to come. For the CIA that means its agents and representatives will lose respect, and foreign governments may hesitate to share information with it in the future. Those consequences are hard to measure, but for a company the same mistake means losing very real money, and in some cases a company doesn’t even have to be breached to pay the price.
Take Raleigh Orthopedics for example. Until last year they were just another healthcare provider, like thousands of others across the country, but then they made one mistake. Another company approached them with a proposition: it would take their x-rays, scan them, and turn them into digital files in return for the silver in the x-ray film. There is nothing wrong with that deal in itself. The mistake Raleigh Orthopedics made was failing to enter into a business associate agreement first. HIPAA requires every healthcare provider to have a business associate agreement with any contractor that handles its patients’ medical records, so that the contractor is bound to safeguard that information. Raleigh Orthopedics skipped that step, and even though there was no breach, once the mistake was discovered they got hit by a HIPAA storm.
First, they were required to review their policies and systems and designate an individual responsible for making sure the same thing never happened again, and then the fines came. We aren’t talking about a slap on the wrist and a warning; we’re talking about $750,000.
Could your company survive that kind of hit? If the answer is no, then now is the time to get serious about how you give contractors access to your company’s systems. Healthcare providers have no choice, since HIPAA strictly requires them to enter into business associate agreements, but not every industry has the same regulations. If yours doesn’t, do yourself a favor and get ahead of your competition by reviewing how you vet contractors and what access you actually grant them. Everyone from the CIA to local companies is at risk of being breached through a contractor, so do you really think you can get by on luck much longer? After all, giving someone access to your company’s systems is like letting them babysit your child. Would you trust someone with your child’s safety without properly vetting them?