Covert Access Team

Who Holds The Keys To Your Kingdom

Brian Harris
Jul 24, 2024

When considering who holds the keys to your organization's kingdom, you might think of the CEO, the board of directors, or key employees. They have access to critical information and systems, right? But what if the real gatekeepers are the people you see less often, those who work behind the scenes?

Cleaners, janitors, cooks, and other third-party service providers often have unfettered access to your building and, by extension, to sensitive areas and information.

These individuals typically work outside regular business hours, when security measures are less stringent, and employee vigilance is lower. Could they be the true holders of your organization's keys?

The Hidden Risks of Third-Party Access

Third-party workers, such as cleaners and janitors, play a vital role in maintaining the day-to-day operations of any organization. However, their roles often come with extensive access to the entire building, including secure and sensitive areas.

They can roam freely with minimal oversight, especially after hours when the building is mostly empty. This level of access poses significant security risks, particularly because these workers usually undergo minimal vetting.

In private corporate settings, the hiring company might not directly vet these third-party workers. Instead, they rely on the contracting company to handle the hiring process. This indirect relationship can create gaps in security protocols and leave the organization vulnerable to potential threats.

The Ease of Infiltration

Consider this scenario: a criminal wants to gain access to sensitive information within a company. Rather than attempting a complex cyber-attack or bribing an employee, they could take a simpler route. By getting one of their members hired by the cleaning company contracted to the target organization, they can gain legitimate access to the building. Once inside, they can move freely, potentially bypassing security systems and accessing restricted areas without raising suspicion.

This threat is not hypothetical. There have been numerous instances where third-party workers have exploited their access for malicious purposes. The ease with which someone can infiltrate an organization through these means underscores the need for robust vetting processes and stringent security measures.

As I mentioned in this post, insider threats can come in many forms, including current and former employees as well as third parties. The danger with third parties is that they are usually minimally vetted and are often unknown to the organization.

The Limitations of Security Cameras in Preventing Insider Threats

Security cameras are often considered a critical component of a comprehensive security strategy. However, their effectiveness is significantly limited when it comes to preventing insider threats, particularly when it involves the planting of devices or theft of intellectual property. Here’s why:

1. Limited Retention Period of Footage: Security camera footage is primarily used to review incidents after they occur, helping to identify who set off an alarm or committed a theft. However, because video footage requires a large amount of storage, most organizations only retain it for a short period, typically ranging from 2 to 14 days. If the insider's crime is not discovered within this timeframe, there will be no video evidence available to determine who was responsible.

2. Detection Delays: Insider threats, such as planting listening devices or stealing/copying sensitive documents, might not be immediately apparent. It can take weeks or even months before such breaches are detected. By the time the crime is discovered, the security camera footage that could have identified the perpetrator is likely already deleted, leaving the organization with no visual evidence to aid in their investigation.

3. GDPR Restrictions in Europe: In Europe, the General Data Protection Regulation (GDPR) imposes strict rules on surveillance, particularly within office environments. To protect employee privacy, many businesses are not permitted to use security cameras inside office buildings or individual offices. This regulation makes it even more challenging to monitor insider activities and gather evidence of malicious actions within the workplace.
