Posted by Scott Schneider on July 27, 2017
In May of 2017, it was discovered that an exposed data repository, an AWS S3 bucket, had allowed semipublic access to the details of at least 2.2 million customers of Dow Jones & Company. The mistake was a simple one: the bucket’s permission settings were set up incorrectly, allowing anyone with a free Amazon AWS account to access the content.
This leak highlights the ease with which a simple mistake in one security setting can jeopardize the personal information of your customers. The costs of such carelessness are regulatory fines, a damaged reputation, and a possible lawsuit.
You may not think that it could happen under your watch – but how much of your data security is really under your control?
Do You Know Where Your Data Is Stored?
It’s likely that your business is using tens, or potentially hundreds, of third-party SaaS applications to do everything from managing prospects and clients to handling accounts. These applications save your business time and money – but they also put your data in the hands of someone else.
Most of these applications store their data in the cloud, much of it in the same type of data repository as the leaked Dow Jones data. What guarantee do you have that your data hasn’t been left unencrypted and accidentally made public?
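The misconfiguration described above (a bucket readable by anyone holding an AWS account) is visible in the bucket’s access control list. The following is an added example, not code from the original post or from CyberGRX: it inspects a bucket ACL in the shape returned by boto3’s `s3.get_bucket_acl()` and flags any grant to Amazon’s predefined `AllUsers` or `AuthenticatedUsers` groups. The two group URIs are AWS’s real identifiers; the two sample ACLs are constructed for the example, and the ACLs in the example are processed offline rather than fetched from AWS.

```python
"""Flag S3 bucket ACL grants that expose a bucket to everyone or to any AWS account holder."""
from typing import Dict, List

# AWS's predefined group URIs as they appear in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Any grant to either group makes the bucket reachable outside your own accounts.
RISKY_GROUPS: Dict[str, str] = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def find_exposing_grants(acl: dict) -> List[dict]:
    """Return the grants in a get_bucket_acl-shaped dict that target a risky group.

    Each finding records the group URI, a plain-language description of who
    that group is, and the permission (READ, WRITE, READ_ACP, WRITE_ACP,
    FULL_CONTROL) that was handed to it.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only group grantees can be public; CanonicalUser grantees are specific accounts.
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri in RISKY_GROUPS:
            findings.append({
                "group": uri,
                "who": RISKY_GROUPS[uri],
                "permission": grant.get("Permission"),
            })
    return findings


def is_exposed(acl: dict) -> bool:
    """True when at least one grant opens the bucket beyond the owner's chosen accounts."""
    return bool(find_exposing_grants(acl))


# Constructed sample ACLs, shaped like boto3's s3.get_bucket_acl() response.
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
}

# The Dow Jones-style mistake: READ granted to every authenticated AWS user.
MISCONFIGURED_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def audit(bucket_name: str, acl: dict) -> str:
    """Produce a one-line verdict for a bucket, suitable for a periodic report."""
    findings = find_exposing_grants(acl)
    if not findings:
        return f"{bucket_name}: OK (no public or authenticated-users grants)"
    details = "; ".join(f"{f['permission']} to {f['who']}" for f in findings)
    return f"{bucket_name}: EXPOSED ({details})"


if __name__ == "__main__":
    print(audit("private-bucket", PRIVATE_ACL))
    print(audit("customer-export-bucket", MISCONFIGURED_ACL))
```

To run this against real buckets, feed `find_exposing_grants` the dict returned by `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket in your account. Note that the ACL is only one of the ways a bucket can be opened up; a bucket policy granting access to `"Principal": "*"` would not appear in the ACL and needs a separate check.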
Your Biggest Data Security Mistake
When most businesses hand over data to a third party, they do so under the mistaken belief that this company now has responsibility for securing that data, barely giving data security a second thought once the application is in use.
Although third parties should and do provide security, the overall responsibility for protecting the data is still yours. If the data gets leaked, it is you and your team who will be held accountable by your shareholders and customers, not the third party.
Even if the third party is contractually obliged to cover the costs of any data security problems, you must still retain oversight.
You Need A Complete Overview of the Data Chain of Custody
You rarely have detailed insight into how third parties are handling data, which means there are a lot of unanswered questions:
- What security policies do they have in place?
- Where is your data stored?
- Do they regularly use contractors? What access do they have to your data?
- Which other third-party services do they rely on – could any other businesses access your data?
The problem with getting this information is twofold. Firstly, third parties are only likely to reveal the amount of security information they are contractually required to, which may leave out critical details. Secondly, with most businesses using many third parties, the job of tracking them all becomes time-consuming and expensive.
Implementing a Third-Party Risk Program
Manually tracking the security policies that your third parties use is impractical, if not impossible. CyberGRX is a cyber risk exchange platform that enables businesses to access up-to-date risk assessments for a diverse range of third-party organizations.
By outsourcing and automating your third-party risk assessments, you benefit from a considerable increase in efficiency and a corresponding reduction in cost and complexity. This allows you to easily assess and reduce your exposure to risk, helping you decide which third parties to deal with and which to reject.
The time and cost savings a tool like CyberGRX provides allow you to invest more resources into your own security, further reducing your risk.