Here we go again. When news broke Feb. 27 that a Dow Jones database of 2.4 million businesses and individuals was left on a public server without encryption or password protection, it exposed one of cybersecurity’s most chronic and pernicious problems: risk from third-party vendors and contractors.
A Dow Jones spokesperson blamed an unnamed “authorized third party” for leaving the records unsecured on the Amazon Web Services-hosted Elasticsearch database. The data is part of Dow Jones’ Watchlist, which the company says is used by eight of the world’s largest financial institutions to identify high-risk clients and politicians. The exposure spotlights an all-too-common issue — organizations focus on strengthening their own cybersecurity posture but maintain inadequate controls for third parties that have access to the client company’s network or sensitive data.
The Dow Jones incident is a particular head-scratcher because third-party risk isn’t exactly new news. Some of the most infamous breaches of recent years occurred after hackers gained access via an unsuspecting third party, including the “big bang” that first drew international attention to the problem: the 2013 attack on Target that affected more than 41 million of the retailer’s customer payment card accounts. The attackers gained access through credentials stolen from a heating and air conditioning contractor.
In 2015, a massive server breach at the U.S. Office of Personnel Management (OPM) compromised sensitive personal information of about 21.5 million people. It occurred after attackers posed as an employee of an OPM subcontractor. It’s now four years later, and these kinds of incidents keep happening.
The trend towards outsourcing and digitization means that a typical company can rely on dozens of vendors and contractors to perform important business functions. Understanding and managing the cybersecurity posture of what has become a shared ecosystem is crucial. A McKinsey report has said third parties “might be the weakest link of a company’s value chain.” There’s even an industry term for this development, vendor risk management.
The most recent Ponemon Institute “Data Risk in the Third-Party Ecosystem” survey of more than 1,000 security and risk professionals found that 59 percent of companies have experienced a data breach caused by a third-party partner – a 5 percent increase since 2017 and up 12 percent since 2016. “What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months,” the report said.
While the Dow Jones episode is yet another reminder of the business disruption and reputational damage that third-party breaches can cause, a new wrinkle is the possibility of incurring the wrath of regulators. The European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, includes a strict requirement that gives organizations 72 hours to report details about any type of breach or face fines. (The status of Dow Jones’ reporting to authorities wasn’t clear as of this writing.) The regulatory environment is toughening in the United States as well, where the California Consumer Privacy Act (CCPA), passed in 2018 and taking effect in January 2020, includes similar rules. For example, consumers can learn what data an organization has collected about them, refuse the sale of that data or have it deleted, and sue companies that don’t take reasonable steps to protect it.
These regulations force organizations around the globe to accept new responsibilities in how they handle data. The use of third-party services such as SaaS applications like G Suite, Microsoft Office 365 and Salesforce, makes data privacy regulations even more complicated for technology, compliance, and management teams.
Of course, the issue of data protection is much larger than mandates such as GDPR or CCPA – it should be a core part of doing business. A good rule of thumb is to only store as much personal information as is absolutely required for the business or applicable laws. You do not need to worry about someone stealing data that you do not have stored.
Here are four key steps organizations should take to mitigate the risk of what happened to Dow Jones happening to them:
- Map data workflows by charting what data is incoming and outgoing. This allows a company to account for specific data types at a granular level. Mapping provides a holistic view of an organization’s data and the ability to monitor sensitive information across the entire supply chain (and to see where any regulations might apply).
- Work closely with vendors to ensure cybersecurity strength. There is simply no choice but to ensure that strict, specific safeguards are in place. This should be a top priority for every organization that works with third parties, which is pretty much all of them.
- Understand the extent of your data protection responsibilities. Compartmentalize data based on whether you are processing it, transferring it, or acting as its controller. From there, you can segregate the security requirements for each category.
- Fine-tune internal policies and processes. Develop an internal process and solution to ensure the strongest possible vendor risk management.
As the Dow Jones incident has proven yet again, third-party risk is something that should keep company leaders up at night.
About the Author:
Mike Puglia brings over 20 years of technology, strategy, sales and marketing experience to his role as Kaseya’s chief strategy officer. He is responsible for overall customer marketing, management and development across Kaseya’s portfolio of solutions. Previously Mr. Puglia has been at TimeTrade Systems and Salesforce.com.