Third party data breaches escalate risk
The majority of data loss incidents have one thing in common: they revolve around third-party data breaches. The recent State of Third Party Risk Management 2020 report from RiskRecon, a Mastercard Company, found that 31% of respondents have vendors they consider to be a material risk in the event of a data breach. Only 14% trust that their third-parties’ actual security matches responses from their vendor assessment questionnaires. What’s more, the typical ratio of third-party vendors to staff who manage assessments and third-party programs is 50:1. That leaves plenty of room for errors.
Third-party risk is certainly not a new risk vector. But in our hyper-collaborative economy, it’s rapidly rising in significance. Whether you’re in financial services, telecommunications, manufacturing, or Hollywood, your greatest risk to data loss occurs when content moves outside of your direct control. Yet we can’t afford to stop collaborating. What’s needed is data-centric security, a way to keep control over this valuable information without paralyzing the ability to do business.
In other words, it’s time to rethink the way companies address vendor security. As more stringent data protection regulations go into effect (i.e., California’s CCPA and CPRA, New York’s SHIELD Act), every organization will need to keep pace. Companies need strong preventative controls that protect their data as it leaves their hands, especially when it’s stored with third parties. The bigger, stronger walls we’ve built are excellent at keeping attackers out, but they can’t protect data we’ve entrusted to others.
By applying security and identity-based access controls directly to the data, companies can mitigate the risk of human errors stemming from many common occurrences. Employees accidentally autocomplete an external email address, forward a file they shouldn’t, or move sensitive data off of controlled systems. People will always be a weak link in the information security process. But by applying default data encryption and setting automated policies and controls, IT can take human decision-making out of the security equation.
To accomplish this task, we’ve compiled five recommended practices that can help organizations move to a more proactive security model for avoiding third party data breaches.
Take a data-centric approach
By taking security to the data level, organizations can enable their employees to confidently collaborate freely with whomever they choose, while ensuring the highest levels of security, visibility and control.
Encrypt more data by default
Another mistake companies make is putting complete trust in their employees to do the right things. The great majority of employees certainly want to, but must may not know what or how. Let IT make it easy for them and set policies that will automatically be applied when data is created or shared externally. That’s especially important to apply file encryption for data shared through popular collaboration platforms like Dropbox, Box and Google Drive have strong security, since if downloaded, those files could go anywhere.
Plan for auditing and compliance now
With many new regulations in the US and abroad, almost all companies are now required to provide a paper trail or audit log of what happens to their data. Taking steps to plan for these audits will well prepare you for a third party data breach, should it happen. When you can see who has tried accessing your data, and where, you can mitigate the risk of having to issue a notification, and can take steps to minimize future issues.
Make identity a central component of security
Tying access control to identity gives you control over who has access to your data by making users authenticate to you directly using an email alias. This can prevent forwarding information to unauthorized users or accidentally fat-fingering an email address. Giving data owners the ability to control who can access your data and limit what they can do with it once it’s accessed provides an extra layer of security.
Don’t just monitor: take direct control of your data
In the event of a third-party data breach, or if your data accidentally finds itself in the wrong hands, you need to be able to kill access to it at a moment’s notice. No matter how high or how strong we build protective barriers, we’re always going to be at risk of a breach. A hacker’s biggest win is gaining access to your data. Proactively locking down any data they may get their hands on is a huge advantage.
By taking a data centric security approach, you can protect your team against data loss, even for files that have left your physical control. Moreover, you can proactively prevent unauthorized access, and track precisely who should (and should not) have access to your data. This approach will let you secure files and communications throughout their entire lifecycle. You’ll be confident that even if your data is sent externally, you can still verify that it was used appropriately.