There's a very large push within the last few years for many organizations to spend their data protection efforts mainly on the "Insider Threat" – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.
The question to consider is: "What about the critical data assets businesses willingly send out to external organizations?"
Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm's reputation, when not properly controlled.
Here’s what you need to consider when you share data outside your company:
- Threats
- What or who is placing the data at risk?
- The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.
- Risks
- The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn't have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.
- Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.
- Security Controls
- The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.
- Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.
The bottom line is that once your firm's information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party's infrastructure, and is now dependent on their data security controls and processes. This isn't just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:
- Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
- Who and how many people will have access to your data while sitting out at a third party?
- Do you know the third party's process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
- How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
- Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?
These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.
As an example, a bank business manager decides one day to send the firm's tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.
Per the Open Security Foundation's DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:
“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”
In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.
Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.
