Data breaches and the blame game
13 September 2018
Vendor View: Javvad Malik, security advocate at AlienVault, an AT&T company
Data breaches are at least a weekly occurrence, and when they are finally disclosed – the blame game begins. From companies offloading the fault to third-party suppliers, cloud providers or even those they trusted to carry out security audits, it can get messy. However, hindsight can be a wonderful thing.
Using the lessons learned from three different (yet typical) data breach scenarios, we can ensure these scenarios do not become a reality for organisations. After all, and particularly in light of GDPR which places ultimate responsibility with the data controller (ie the breached business), no company wants to suffer a breach.
Also of interest: Worried about cryptojacking? Here’s what you need to know
Scenario 1 – Third-Party Supplier Data Breach
Applebee’s, Saks Fifth Avenue, Lord & Taylor, Chili’s and BestBuy are just a few recent victims of third-party supplier data breaches. Whether it was a compromised contractor, third-party payment system or other outside vendor, the outcome was the same in all cases: a breach of customer personal information.
Supply chain security can be one of the trickier aspects of modern business security; there are so many variables involved and therefore more potential points of exposure. To lock down these vulnerabilities, it’s important for organisations to firstly do their homework about the third-party suppliers they choose.
Do they have up to date security certifications such as PCI DSS? While this is not a tell-all, it will be a good first point of indication that they have invested some time and effort into securing customer payment data.
If a company chooses to use a contractor for certain business functions, it is also vital that a background check is performed and that they are verified with up-to-date references. And this verification must be performed before access is granted to any company systems.
Furthermore, to increase security, two-factor authentication or another form of identity and access management should be deployed. This will minimise the risk to company data and ensure the legitimacy of the person attempting to access information, particularly if remote access is required.
In addition to these foundational background checks, companies need to have sufficient monitoring and detection systems in place to detect anomalies and alert security teams to potential threats or security issues.
Scenario 2 – Data breaches in the cloud
With many companies moving to the cloud and jumping in feet-first, it’s easy for employees and those using it on a day-to-day basis to take the cloud, and the security of the cloud, for granted.
A simple example is the AWS S3 cloud repositories, or buckets, which Amazon describes as: “a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of websites. The service aims to maximize benefits of scale and to pass those benefits on to developers.”
While the benefits are many, one would only have to ask WWE, GoDaddy or even the US government how carefully the security of these cloud repositories needs to be considered. In each case, personal records, including those of US voters, were exposed due to improper configurations of an Amazon S3 bucket.
Though Amazon has taken steps to minimise the instances of leaky buckets by reminding customers about security, ultimately, the responsibility is with Amazon customers to ensure these online repositories are sufficiently protected.
Indeed, when playing the blame game, cloud providers are very clear about where their responsibilities lie and what they can be held accountable for. Even under GDPR, the data owner - or the organisation using the cloud provider to store or process its data – is liable for protecting sensitive data of customers or employees.
Therefore, it is pertinent for all companies that use cloud services to check and double check their contracts of service and know exactly where each party’s responsibilities fall. Often, security services can be purchased as an add-on through a subscription basis, so it makes sense to find out what options are available in the cloud for the best protection.
Also of interest: A day in the life of an ethical hacker
Scenario 3 – Audited, but still breached
Companies may feel that simply ticking boxes and getting the auditors to do a security audit of their infrastructure and data processes will be sufficient to prevent a data breach. But the reality is that most companies who have fallen victim to a data breach were actually compliant at the time of the breach.
This highlights the false sense of security these audits can present. While it is definitely a worthwhile step in finding out where the risks may be in the business, companies cannot solely rely on these audits as a guarantee that they will not get breached.
Trustwave found itself in a precarious situation when insurers tried to collect some $30 million in pay-outs from the infamous Heartland data breach of the late noughties. Certainly, this case could set a dangerous precedent for security vendors going forward and vendors will have to be careful about how they position themselves to customers in the future.
As a rule of thumb for organisations, they should not just rely on these audits and still need to have an internal security team checking and validating results on a regular basis to make sure they don’t end up in trouble over a data scandal.
Also of interest: Mental health and cyber security: do we have a problem?
Assuming responsibility for a data breach is never going to be an easy situation for any modern organisation and the stark reality is that with limited resources, the need to outsource or pull in third parties to maintain business as usual is now a necessity.
However, with a little forethought and planning for the worst and learning from others, companies can help themselves minimise these risks. And if the worst should happen, at least they may have a way to prove they have taken all the necessary precautions to avoid a data breach scenario.