Written by Steph Charbonneau, Senior Director of Product Strategy at Vera, by HelpSystems
The majority of data loss incidents have one thing in common: they revolve around third-party data breaches. SecureLink and Ponemon Institute recently released a new report titled “A Crisis in Third-party Remote Access Security”, which revealed the alarming disconnect between an organization’s perceived third-party access threat and the security measures it employs. The report revealed that 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties. This is compounded by the State of Third-Party Risk Management 2020 report from RiskRecon, a Mastercard Company, which found that 31% of respondents have vendors they consider to be a material risk in the event of a data breach.
Third-party risk is certainly not a new risk vector. But in our hyper-collaborative economy, it’s rapidly rising in significance. Whether you’re in financial services, telecommunications or manufacturing, your greatest risk of data loss occurs when content moves outside of your direct control. Yet we can’t afford to stop collaborating. What’s needed is data-centric security, a way to keep control over this valuable information without paralyzing the ability to do business.
In other words, it’s time to rethink the way companies address vendor security. As more stringent data protection regulations go into effect (e.g., California’s CCPA and CPRA, New York’s SHIELD Act), every organization will need to keep pace. Companies need strong preventative controls that protect their data as it leaves their hands, especially when it’s stored with third parties. The bigger, stronger walls we’ve built are excellent at keeping attackers out, but they can’t protect data we’ve entrusted to others.
By applying security and identity-based access controls directly to the data, companies can mitigate the risk of human errors stemming from many common occurrences. Employees accidentally autocomplete an external email address, forward a file they shouldn’t, or move sensitive data off controlled systems. People will always be a weak link in the information security process. But by applying default data encryption and setting automated policies and controls, IT can take human decision-making out of the security equation.
To accomplish this task, we’ve compiled five recommended practices that can help organizations move to a more proactive security model for avoiding third-party data breaches.
Take a data-centric approach
By taking security to the data level, organizations can enable their employees to confidently collaborate freely with whomever they choose, while ensuring the highest levels of security, visibility and control.
Encrypt more data by default
Another mistake companies make is putting complete trust in their employees to do the right things. The great majority of employees certainly want to, but most may not know what to do or how to do it. Let IT make it easy for them by setting policies that are applied automatically when data is created or shared externally. It’s especially important to apply file encryption to data shared through popular collaboration platforms like Dropbox, Box and Google Drive, since if downloaded, those files could go anywhere.
Plan for auditing and compliance now
With many new regulations in the US and abroad, almost all companies are now required to provide a paper trail or audit log of what happens to their data. Taking steps to plan for these audits will best prepare you for a third-party data breach, should it happen. When you can see who has tried accessing your data, and where, you can mitigate the risk of having to issue a notification and can take steps to minimize future issues.
Make identity a central component of security
Tying access control to identity gives you control over who has access to your data by making users authenticate to you directly using an email alias. This can prevent information from being forwarded to unauthorized users or sent to the wrong recipient because of a mistyped email address. Giving data owners the ability to control who can access their data, and to limit what recipients can do with it once it’s accessed, provides an extra layer of security.
Don’t just monitor – take direct control of your data
In the event of a third-party data breach, or if your data accidentally finds itself in the wrong hands, you need to be able to kill access to it at a moment’s notice. No matter how high or how strong we build protective barriers, we’re always going to be at risk of a breach. A hacker’s biggest win is gaining access to your data. Proactively locking down any data they may get their hands on is a huge advantage.
By taking a data-centric security approach, you can protect your team against data loss, even for files that have left your physical control. Moreover, you can proactively prevent unauthorized access, and track precisely who should (and should not) have access to your data. This approach will let you secure files and communications throughout their entire lifecycle. You’ll be confident that even if your data is sent externally, you can still verify that it was used appropriately.