From major attacks on payment data to identity theft and breaches of usernames and passwords, data-security failures are often caused not by the business or its users but by a third party. Today's businesses must understand the risk this presents and identify experienced vendors that can be trusted with access to their networks and data.
External Vendors
Businesses face two different types of third-party security exposure: contracted services and programmatic services. Contracted services are external vendors that, by the nature of what they do, require access to corporate data: accounting services, data storage, email, payment systems, or any of the cloud offerings that replace or supplement services that used to run in-house. Programmatic services are partners that work with your selected vendors to assess and remediate potential code problems, and that can work with your business to develop and deploy an ongoing process for assuring security and compliance.
In both cases you need a risk assessment of the third party's data-security plan. The goal is to confirm that the vendor actively complies with industry standards for information security and applies patches and fixes to its infrastructure promptly as they become available. Ask for evidence rather than assurances: documented patch cadence, time to remediate critical vulnerabilities, and the results of recent independent assessments. An undiscovered zero-day exploit is hard to defend against; failing to respond to a known, patchable issue is unconscionable.
Contractual security obligations should be defined as clearly as the traditional service-level agreements familiar to IT. Assigning blame matters less than repairing the damage after a breach, but third parties should still be held responsible, with clearly defined penalties for failing to maintain their own security infrastructure and with a defined breach-notification timeline, so that you learn of an incident from the vendor and not from the press.
A Threat from Within
None of these measures guarantees that a third party will not be breached, but they should at least mean that your internal IT is on top of the issues and can quickly contain any damage. That brings us to the second problem: end users who adopt third-party services as part of their workflow. Here you run risks on both the front end and the back end.
Back-end failures at app vendors such as Slack, Dropbox, Uber and many others have exposed, at a minimum, usernames and passwords, and potentially credit card details along with the personal and business data stored in those applications. Limiting exposure in such incidents requires business rules that govern how users may use these apps with business data and company payment cards, and it requires technical controls to match: if employees reuse their corporate password at a vendor that is later breached, that vendor's breach becomes credential stuffing against your own accounts, so single sign-on, multi-factor authentication and the ability to revoke a vendor's access belong in the plan. The underlying problem is the same as in any situation where end users can take business information outside your protected environment: they need to be constantly reminded of their responsibility for that information.
And it can get worse. The well-publicized breaches above involve only the official, tested versions of vendor apps, the ones released to the public. But according to a November report by The Register, nearly every one of the top 100 apps for iOS and Android has a hacked version circulating in the wild. Such a version has been modified and, on Android, necessarily re-signed with a key that is not the vendor's, so it opens the potential for a security breach the moment it is installed.
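One concrete check a practitioner can put in front of installs: pin the vendor's signing-certificate fingerprint. Android refuses to install a package whose contents do not match its signature, so a tampered build must be re-signed by the attacker and therefore carries a different signer certificate; what the OS cannot know is which signer is the legitimate one, which is exactly what the pin supplies. The script below is an added example written for this page; it is not code from the article, from The Register's report, or from any vendor. It walks the PKCS#7 blob in `META-INF/*.RSA` (the v1 "JAR signing" scheme) with a minimal DER parser, hashes the first certificate, and compares it against a hypothetical allowlist. The package name `com.example.chat`, both "certificates" (structural stand-ins, not real X.509 certificates), and the sample APK are all constructed here so the code runs offline. Packages signed only with the v2/v3 APK Signing Block carry no `META-INF/*.RSA` entry; they yield no fingerprint and are rejected (fail closed), which is the safe default for a check that does not parse that block.

```python
import hashlib
import io
import zipfile


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample data)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Stand-ins for X.509 certificates (constructed; a real one is a much larger
# SEQUENCE, but the fingerprint logic only needs the outer TLV bytes).
VENDOR_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x0C, b"CN=Example Vendor (constructed)"))
ATTACKER_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x0C, b"CN=Repackager (constructed)"))

# Pinned fingerprint for the hypothetical package. In practice this is a literal
# copied from the vendor or from a known-good install
# (e.g. `keytool -printcert -jarfile app.apk`), not computed at runtime.
VENDOR_FINGERPRINT = hashlib.sha256(VENDOR_CERT).hexdigest().upper()
TRUSTED_FINGERPRINTS = {"com.example.chat": {VENDOR_FINGERPRINT}}


def _read_tlv(buf, pos):
    """Parse the DER tag and length at buf[pos]; return (tag, body_start, body_len)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, length


def _children(buf, start, end):
    """Yield (tag, whole_tlv_bytes, body_start, body_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, body, length = _read_tlv(buf, pos)
        yield tag, buf[pos:body + length], body, body + length
        pos = body + length


def signer_cert_from_pkcs7(der):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, contentInfo,
                               certificates [0] IMPLICIT SET OF Certificate, ... }
    """
    tag, body, length = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(der, body, body + length))
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    sd_tag, sd_body, sd_len = _read_tlv(der, kids[1][2])
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    for tag, _, cstart, cend in _children(der, sd_body, sd_body + sd_len):
        if tag == 0xA0:                     # certificates [0] IMPLICIT
            for ctag, cert_tlv, _, _ in _children(der, cstart, cend):
                if ctag == 0x30:            # Certificate ::= SEQUENCE
                    return cert_tlv
    raise ValueError("no certificate in SignedData")


def apk_signing_fingerprints(apk_bytes):
    """SHA-256 fingerprints (upper-case hex) of every v1 signer certificate in an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.add(hashlib.sha256(signer_cert_from_pkcs7(z.read(name))).hexdigest().upper())
    return fps


def is_trusted_build(package, apk_bytes, trusted=None):
    """True only if the APK carries at least one signer and every signer is pinned for `package`."""
    trusted = TRUSTED_FINGERPRINTS if trusted is None else trusted
    found = apk_signing_fingerprints(apk_bytes)
    return bool(found) and found <= trusted.get(package, set())


OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1


def build_sample_pkcs7(cert):
    """Minimal constructed PKCS#7 SignedData carrying `cert` (signerInfos left empty)."""
    signed_data = _der(0x30, _der(0x02, b"\x01")                 # version
                       + _der(0x31, b"")                          # digestAlgorithms
                       + _der(0x30, _der(0x06, OID_DATA))         # contentInfo
                       + _der(0xA0, cert)                         # certificates [0] IMPLICIT
                       + _der(0x31, b""))                         # signerInfos
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


def build_sample_apk(cert=None):
    """Tiny constructed APK-shaped zip; `cert=None` produces an unsigned package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"(constructed placeholder)")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if cert is not None:
            z.writestr("META-INF/CERT.RSA", build_sample_pkcs7(cert))
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in [("official", build_sample_apk(VENDOR_CERT)),
                       ("repackaged", build_sample_apk(ATTACKER_CERT)),
                       ("unsigned", build_sample_apk())]:
        print(label, "->", "allow" if is_trusted_build("com.example.chat", apk) else "block")
```

The check pins identity, not integrity: it does not verify the signature over the package contents, because the platform already does that at install time. Its job is the part the platform leaves to you, deciding whose key is allowed to sign a given package. Keep the pinned set per package, update it only through the same change process you use for other trust decisions, and treat an empty or unexpected fingerprint set as a block, not a warning.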
Like any security issue, this one needs a top-down approach to provide the most secure infrastructure possible, with technical, contractual and educational controls addressed at every level of the business. So, is your IT infrastructure ready?