On May 15, crypto giant Coinbase announced that malicious actors had gotten away with the personal information of tens of thousands of customers—an incident set to cost the company nearly $400 million.
But the scale of this breach isn’t the major story. It’s how the cybercriminals did it—bribing outsourced customer service agents to steal sensitive data on their behalf.
What’s stopping the same thing from happening at your company? With 83% of organizations experiencing insider threats in 2024, one of the biggest risks to your data security could come from inside: from employees and third parties that have legitimate access to your sensitive data.
Here’s how to make sure it doesn’t.
Outsourced support teams: The silent insider threat
Outsourced customer support has become a de facto standard in modern business. From fintech to healthcare to ecommerce, over 55% of companies worldwide rely on third-party teams to handle customer queries.
But this convenience comes with a hidden cost: these third-party agents often have extensive access to sensitive data. The result is two troubling types of insider threat: malicious insiders (as in the Coinbase breach) and accidental insiders.
Let’s take a look.
Malicious insiders
In cloud-first, SaaS-heavy environments, support agents can log in from anywhere in the world, with nothing more than a browser and a password between them and customer data.
In many cases, support staff aren’t just reading names and email addresses—they’re accessing financial details, health records, internal tickets, and full account histories.
That level of access, combined with minimal oversight, is precisely what made the Coinbase breach possible. Attackers didn’t breach a firewall or exploit zero-day vulnerabilities. They found a simpler path: paying off overseas customer support agents who already had full access to customer data.
Accidental insiders
Bribery and bad actors are a serious concern. But many insider threats come from well-meaning employees under pressure to work fast.
Support agents, racing to meet SLAs and handle high ticket volumes, often use AI tools like ChatGPT or Bard to draft replies. In doing so, they may copy-paste sensitive data into tools that are not enterprise-governed—or even secure.
For example, say a support rep pastes a customer’s full billing info into ChatGPT for help writing a professional response. Two months later, a completely different user receives an AI-generated message—containing details from that same billing record.
Because large language models can retain and unintentionally surface user inputs, a simple copy-paste can create a slow-burning breach that causes a blaze far down the line.
Third-party risk management: 9 steps to close the gap
As support operations swell across time zones, platforms, and third parties, the old model of vendor risk management is no longer enough.
It’s time for a dynamic, data-first approach—starting with these nine steps.
1. Inventory all vendors
Document every third party with access to your systems or data—SaaS tools, contractors, consultants, MSPs, and one-off integrations. No access should go untracked.
2. Assign internal ownership
Designate a clear internal owner (IT, security, procurement, or legal) for each vendor. They’re responsible for ongoing risk reviews, access decisions, and lifecycle management.
3. Tier vendors by risk level
Group vendors into risk tiers based on:
- Level of data/system access
- Sensitivity of data handled
- Criticality to business operations
Focus resources on high-risk vendors first.
4. Standardize onboarding
No vendor should be onboarded without a formal risk check. Require:
- Completed security questionnaires
- Review of SOC 2, ISO 27001, or similar certs
- Privacy policy and DPA review
- Internal sign-off in the procurement process
5. Embed security into contracts
Include security obligations in contracts and DPAs:
- Required response times for incidents
- Clear breach notification requirements
- Audit rights and compliance expectations
Written into the contract, these obligations make accountability enforceable.
6. Monitor vendor activity continuously
Static reviews aren’t enough. Implement tools for real-time visibility, including:
- Alerts for vendor security incidents or data access anomalies
- Human risk management technology in generative AI and collaboration tools
- Runtime security protection in collaboration platforms to flag oversharing and unauthorized access
7. Manage the full vendor lifecycle
- Quarterly: review access and adjust as needed
- Annually: reassess risk, update contracts
- End of engagement: revoke access, retain records, document offboarding
Ensure workflows and responsibilities are clearly defined.
8. Integrate vendors into your incident response plan
Your IR plan should detail:
- Vendor communication protocols
- Escalation paths and timelines
- Breach disclosure responsibilities
Review and test the plan regularly.
9. Enable auditability and reporting
Track and document:
- Current vendor list with access levels
- Risk tier and review dates
- Onboarding and offboarding actions
This supports compliance and keeps leadership informed.
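One way to implement the "data access anomalies" alerts from step 6 over a support-console audit trail, as an added example that is not Polymer's product or code from the original post. The log format, field names, ticket-to-customer mapping and the per-agent threshold are assumptions, and the log lines are constructed; the checks flag records opened without a ticket, tickets that belong to a different customer, and bulk exports.

```python
"""Flag anomalous customer-record access by support agents.
Added example, not Polymer's code. Log format, field names, ticket
mapping and threshold are assumptions; the log lines are constructed."""
from collections import defaultdict

# Constructed support-console audit log: time, agent, action, customer, ticket
AUDIT_LOG = """\
2025-05-10T09:01:00 agent-17 view cust-1001 tkt-501
2025-05-10T09:04:00 agent-17 view cust-1002 tkt-502
2025-05-10T09:05:00 agent-42 view cust-2001 tkt-601
2025-05-10T09:06:00 agent-42 view cust-2002 -
2025-05-10T09:06:30 agent-42 view cust-2003 -
2025-05-10T09:07:00 agent-42 view cust-2004 -
2025-05-10T09:07:30 agent-42 view cust-2005 -
2025-05-10T09:08:00 agent-42 export cust-2006 -
2025-05-10T09:10:00 agent-17 view cust-1003 tkt-503
"""

# Which customer each open ticket belongs to (assumed export from the ticketing system)
TICKET_OWNER = {"tkt-501": "cust-1001", "tkt-502": "cust-1002",
                "tkt-503": "cust-1003", "tkt-601": "cust-2001"}

MAX_UNTICKETED_PER_AGENT = 2  # assumed baseline; tune per team and shift


def parse(log):
    """Yield one dict per audit line; '-' means no ticket was referenced."""
    for line in log.splitlines():
        ts, agent, action, cust, ticket = line.split()
        yield {"ts": ts, "agent": agent, "action": action,
               "customer": cust, "ticket": None if ticket == "-" else ticket}


def detect(log, ticket_owner=TICKET_OWNER, limit=MAX_UNTICKETED_PER_AGENT):
    """Return (agent, reason) alerts in the order they are triggered."""
    alerts, unticketed = [], defaultdict(int)
    for ev in parse(log):
        if ev["action"] == "export":  # bulk export is always worth a look
            alerts.append((ev["agent"], f"export of {ev['customer']}"))
        if ev["ticket"] is None:
            unticketed[ev["agent"]] += 1
            if unticketed[ev["agent"]] == limit + 1:  # alert once per agent
                alerts.append((ev["agent"], f"more than {limit} records opened without a ticket"))
        elif ticket_owner.get(ev["ticket"]) != ev["customer"]:
            alerts.append((ev["agent"], f"{ev['ticket']} does not belong to {ev['customer']}"))
    return alerts


if __name__ == "__main__":
    for agent, reason in detect(AUDIT_LOG):
        print(agent, reason)
```

In a real deployment the ticket mapping and baseline would come from the ticketing system and the team's historical access rates rather than constants.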
Real-time defense against insider threats
Visibility is the foundation of effective third-party risk management. It’s how you verify vendors are meeting security commitments and catch insider threats before they escalate.
That’s where Polymer comes in. Our runtime security solution gives you real-time visibility into what support agents are doing across platforms like Zendesk, Microsoft Teams, and ChatGPT. It offers:
- In-the-moment nudges to prevent oversharing
- Adaptive access controls
- Human risk management across AI and collaboration tools
- 24/7 monitoring and automated remediation
Don’t wait until it’s too late. Discover how Polymer can give you the visibility and control you need to protect your business from insider threats. Request a demo today.