The Scariest Breach – Your ‘Trusted’ Partners – Part Two
This is Part Two of a two-part blog, with suggestions from cybersecurity experts on how you can proactively manage the growing problem of third-party data breaches. Read about the risks in Part One of the blog.
I was rather verbose in Part One of this blog, hence the need for a Part Two, but I am somewhat passionate about the problem of third-party data breaches. Assuming you read Part One, you should be worried about your security plan for partners, contractors, suppliers, vendors, internal staff, and who knows who else.
Data security risk through third parties is a pervasive problem that few organizations are managing well. According to consultancy firm Booz Allen Hamilton, the majority of third-party risk incidents at organizations are likely to occur in existing relationships. These existing relationships are often under-managed, due to poorly understood key risk indicators, difficulty in obtaining relevant and timely information, and limited relationship manager dedication or training. A data breach caused by a third party seems rather unfair, as you still get the blame for compromising data. But it’s important to understand that you do have to take the blame and are responsible for any required remediation steps, including financial and legal ones.
Rather jolting numbers from Ponemon Institute show, “The average number of third parties with access to sensitive information at each organization has increased from 378 to 471. That number might be a little low. Only 35 percent of companies had a list of all the third parties they were sharing sensitive information with.” So, what do the experts say?
According to cybersecurity consultant Brandon Dobrec, an appropriate internal plan should include cross-functional vendor management teams drawn from areas such as sales, development, and marketing. These overseers can interface with both the chief information security officer’s organization and other stakeholders, such as the chief financial officer. The plan should maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied. In his article, Dobrec commented, “The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. It’s better for companies to configure alerts that fire on the names of IP and business partners whose names turn up on the dark web, paste sites, or the wider cybercrime underground. Often, the first occurrence of breached data offers telltale indicators of whether the material was targeted directly or spilled out of a larger third-party breach. Early warning measures like these help minimize needless exposure by helping find and remedy vulnerable systems.”
Risks in the Value Chain
Almost all companies use software and hardware sourced externally. A supply chain attack, also called a value-chain or third-party attack, occurs when a partner or provider infiltrates your systems and data. This represents a considerable risk to your organization. Every device and application needs to be vetted and monitored, and all patches need to be kept up to date. To assist in the vetting process, we recommend cleaning up your content stores to find all unknown vulnerabilities, and applying the appropriate protection. Read how one of our clients addressed its content optimization, to reduce risk and ensure compliance.
If you have quite a few vendors and partners, you need to have a formal security program. It’s not a good use of time to develop a specialized program for each partner, as this could lead to gaps in protection. It is highly recommended that your organization involves key people in the development of each plan, to create a coordinated security effort across all your environments. Don’t take an ad hoc approach. In addition, the security program should be the same across all vendors, unless there is a rare exception. You also need to address the suppliers your partners do business with, as they are part of the supply chain. Include contractual information because if you terminate a relationship with a supplier, it may still have your confidential data.
Include in the contract detailed information on the security safeguards and measures that must be adhered to. You can provide a service level agreement (SLA), require security assessments of third-party systems, and use an audit clause allowing independent security audits. And your organization must be certain that your vendors have access only to data they are authorized to use.
According to an article by Nick Lewis in TechTarget, “When vetting a service provider, the elements of its business to be reviewed should include: its employees, the physical security of its facilities, the transport of the equipment to and from the service provider, its disposal process, and its overall process for monitoring its environment to detect unauthorized access, as well as human resources standards, such as requiring a background check of employees. If a third-party organization has performed a SAS 70 or SSAE 16 attestation for the service provider, the report should be reviewed to understand if the service provider’s security practices meet an enterprise’s security requirements.”
- Secure systems from the start. Assets, such as heating, ventilation, and air conditioning (HVAC) or point of sale (POS) systems can be liabilities, if they are housed on your network without proper security. From the moment they’re installed, they should be secured.
- Install network monitoring and antivirus software. Ensure that your network is being continuously assessed for potential threats. Before implementing, evaluate your options, such as intrusion detection systems, with your IT department and security provider.
- Utilize a secondary network. It’s best to house sensitive data, such as customer information or intellectual property, on a second, secured network. You can also back up that information in the cloud to avoid information loss in the event of a data breach. Remember, security must also include your cloud and application provider.
- Conduct privacy and data protection risk assessments that cover third parties.
- Opt for single sign-on solutions, and implement strong password security.
- Use document management software.
- Evaluate ISO 27001 certification.
Internal Security Risks
Unfortunately, your end users can pose considerable risk and are becoming more frequent culprits of data breaches, either intentionally or unintentionally. Of course, training is imperative, but most organizations don’t do training. In a hurry, end users unintentionally send confidential information to a third party, they borrow a user ID and a password from someone with greater security access, and simply make mistakes – hey, we are all human. The two key lapses are deprovisioning and shadow IT.
I think we all know that a salesperson could abscond with the client list. Typically, a clause about this is in their contract, but it doesn’t seem to matter. I have known only one company that used legal procedures to go after an employee for breaking their contract. The deprovisioning of soon-to-be ex-employees is often very lax. The problem is magnified when dealing with staff who are embezzling data.
How lax are organizations? According to OneLogin survey respondents:
- 20% say failure to deprovision has led to a data breach.
- 48% are aware of former employees who still have access to corporate applications.
- 50% say ex-employees’ accounts remain active once they have left the company.
- 25% take more than a week to deprovision a former employee.
- 25% say they don’t know how long accounts remain active once an employee has left the company.
- 44% are not confident that former employees have been removed from corporate networks at all.
This source of risk can be mitigated. Organizations need to address the dismissal of employees immediately, meticulously, and comprehensively. This means terminating access to systems, applications, and ownership of content. They need to document the process so that it is easily repeatable. This can reduce, if not eliminate, any risk from former employees. Read how one of our clients solved its data ownership issue and addressed data breaches.
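The survey figures above measure how often accounts outlive the people who held them. The repeatable check that catches this is a reconciliation between the HR roster (who has left, and when) and an export from the identity provider (which accounts and application grants are still live). The following is an added example, not code from this blog or from OneLogin: the HR roster, the identity-provider export and the one-day deprovisioning SLA are all constructed sample data, and the field names are assumptions about what such an export would carry.

```python
"""Deprovisioning audit: reconcile an HR roster against an identity-provider
export and flag accounts or application grants that remain after termination.
Added example with constructed sample data; field names are assumptions."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2024, 3, 1),
    "cwong": date(2024, 3, 12),
    "dlee": date(2024, 2, 1),
}

# Constructed identity-provider export: (user id, account enabled?, apps still assigned).
IDP_EXPORT = [
    ("asmith", True, ["email", "crm"]),
    ("bjones", True, ["email", "crm", "vpn"]),   # left March 1, account still enabled
    ("cwong", False, ["crm"]),                   # disabled, but a CRM grant lingers
    ("dlee", True, ["email"]),                   # left February 1, still enabled
    ("contractor7", True, ["vpn"]),              # no HR record at all
]


@dataclass
class Finding:
    user: str
    issue: str
    days_overdue: int  # days beyond the deprovisioning SLA (0 = not yet overdue)


def audit(roster, idp_export, today, sla_days=1):
    """Return findings sorted worst-first.

    Three conditions are reported: a terminated user whose account is still
    enabled, a terminated user who still holds application grants (even if the
    account itself is disabled), and an account with no HR record at all, which
    cannot be reconciled and therefore cannot be deprovisioned by this process.
    """
    findings = []
    for user, enabled, apps in idp_export:
        if user not in roster:
            findings.append(Finding(user, "no HR record (orphan account)", 0))
            continue
        term = roster[user]
        if term is None:
            continue  # current employee; nothing to deprovision
        overdue = max((today - term).days - sla_days, 0)
        if enabled:
            findings.append(Finding(user, "account still enabled", overdue))
        if apps:
            findings.append(Finding(user, "app grants remain: " + ", ".join(apps), overdue))
    # Longest-overdue first, then stable ordering by user and issue for a readable report.
    findings.sort(key=lambda f: (-f.days_overdue, f.user, f.issue))
    return findings


def summarize(findings):
    """Count findings per issue class, the same shape as the survey statistics above."""
    counts = {"enabled": 0, "grants": 0, "orphan": 0}
    for f in findings:
        if f.issue.startswith("account still enabled"):
            counts["enabled"] += 1
        elif f.issue.startswith("app grants remain"):
            counts["grants"] += 1
        else:
            counts["orphan"] += 1
    return counts


if __name__ == "__main__":
    for f in audit(HR_ROSTER, IDP_EXPORT, date(2024, 3, 15)):
        print(f"{f.user:12} {f.days_overdue:3d} days overdue  {f.issue}")
    print(summarize(audit(HR_ROSTER, IDP_EXPORT, date(2024, 3, 15))))
```

Running this on a schedule, with the real roster and export substituted in, turns the "we don't know how long accounts stay active" answer in the survey into a number, and the orphan-account case is the one most worth watching: an account that no HR record owns is exactly the contractor or partner account that a deprovisioning process keyed on employee departures will never touch.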
I think by now all organizations are aware of shadow IT. For those who have had their heads in the sand, it occurs when end users download applications they need to get their jobs done, without any authorization. The problem is twofold. The first part of the equation is to identify what end users are downloading, or uploading, and undo whatever damage has been done. The IT team must have control. The second part is to take a good, hard look at the tools they are using and why. In some instances, the organization needs to determine whether specific software and tools need to be purchased and made available to the organization as a whole. Some may be well suited and appropriate to adopt as standard. It goes without saying that end users need training, and must gain an understanding of how their use of unsanctioned tools can cause irreparable harm to the organization. You can use our content optimization and file analytics solution to create an inventory of assets and applications, and their ownership.
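The first half of that equation, finding out what end users are uploading and where, is usually answered from the web proxy or secure web gateway logs you already have: any destination that is not on the sanctioned application list is shadow IT by definition, and the volume of uploaded data tells you how much confidential content may already have left. The following is an added example, not code from this blog or from the author's product: the log format, the sanctioned list and the hostnames are all constructed for illustration, and a real gateway's field layout would need its own regular expression.

```python
"""Shadow-IT discovery from web-proxy logs: surface destinations that are not
on the sanctioned list, who is using them, and how much data is uploaded.
Added example; the log lines, hostnames and sanctioned list are constructed."""
import re
from collections import defaultdict

# Constructed list of approved SaaS and internal hosts.
SANCTIONED = {
    "mail.example-corp.com",
    "crm.example-corp.com",
    "docs.sanctioned-saas.example",
}

# Constructed proxy log: timestamp, user, method, destination host, bytes sent.
PROXY_LOG = """\
2024-03-14T09:01:12Z asmith POST docs.sanctioned-saas.example 20480
2024-03-14T09:03:40Z bjones POST files.unsanctioned-share.example 5242880
2024-03-14T09:05:02Z bjones GET files.unsanctioned-share.example 1200
2024-03-14T10:11:51Z cwong POST notes.freeapp.example 40960
2024-03-14T10:12:07Z asmith PUT files.unsanctioned-share.example 1048576
2024-03-14T11:45:00Z dlee GET mail.example-corp.com 800
this line is malformed and must be skipped
"""

# Assumed layout for the constructed log; adapt to the real gateway's format.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse(log_text):
    """Yield one record per well-formed line; malformed lines are dropped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, host, nbytes = m.groups()
        yield {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(nbytes)}


def unsanctioned_usage(records, sanctioned, upload_methods=("POST", "PUT")):
    """Aggregate traffic to hosts outside the sanctioned list.

    For each unsanctioned host: the distinct users (how widely the tool has been
    adopted), the request count, and bytes sent by upload methods (how much
    content may have left the organization).
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for r in records:
        if r["host"] in sanctioned:
            continue
        entry = usage[r["host"]]
        entry["users"].add(r["user"])
        entry["requests"] += 1
        if r["method"] in upload_methods:
            entry["bytes_uploaded"] += r["bytes"]
    return dict(usage)


def rank(usage):
    """Order hosts by adoption first, then by upload volume.

    Widely adopted tools are candidates to evaluate and sanction (the second
    half of the problem described above); a host with few users but heavy
    uploads is the one to investigate first for data that has already left.
    """
    return sorted(
        usage.items(),
        key=lambda kv: (-len(kv[1]["users"]), -kv[1]["bytes_uploaded"], kv[0]),
    )


if __name__ == "__main__":
    for host, info in rank(unsanctioned_usage(parse(PROXY_LOG), SANCTIONED)):
        users = ", ".join(sorted(info["users"]))
        print(f"{host}: {len(info['users'])} user(s) [{users}], "
              f"{info['requests']} requests, {info['bytes_uploaded']} bytes uploaded")
```

The output is the inventory the paragraph asks for, built from evidence rather than from a survey of what users admit to: each unsanctioned destination with its user population and its outbound volume, ready for the decision between blocking it and buying it.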
In summary, organizations need to switch their focus from process compliance to risk management as increasing risk bombards organizations from all directions. Admittedly, most organizations have limited resources to identify and manage risk, but the success or failure of risk management depends on the ability of organizations to execute it.
So, there you have it. If you managed to read the whole blog, I applaud you. There is a plethora of information available now on the Internet, and I couldn’t squeeze it into just a few pages. I hope this, at least, gets you thinking and leads to positive outcomes.