This week we were reminded of how important it is for companies that share data with third parties to better understand the security postures of their partners and to protect their data before it's shared. In other words, your data is only as secure as the least secure link in your supply chain.
This idea was brought to the forefront when news hit that a third-party vendor data breach exposed payment card information belonging to customers of Delta Airlines; Sears, Roebuck and Company; and possibly additional businesses, according to this article in SC Magazine by Bradley Barth.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data, according to Maria Korolov in her article for CSO. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
In “GDPR and the End of Reckless Data Sharing,” in Security Roundtable, James Staten believes that the impending EU data protection regulations may finally bring focus to this important issue. He says that most companies today are at risk of non-compliance, since few, if any, have full control over their customer’s data. While many organizations have made strides in protecting the data that sits in their primary repositories, they might not consider the myriad ways in which they share that information today.
What have you done to protect sensitive information that you share with your ecosystem partners and technology providers? We would love to hear from you. In the meantime, here’s a roundup of other top data security stories making headlines or providing insights for the week ending April 6, 2018:
“How Privacy Crisis Could Change Big Data Forever,” by Todd Spangler in Variety: Even when companies conduct a cost-benefit analysis on whether to adopt stronger user privacy controls or other enhanced security, many still opt to do nothing — as long as the potential fines or remediation costs are in a tolerable range.
“Is Your Data Fit and Future-Ready?,” by Mike Anderson in Information Management: How can companies ensure they’re leveraging the data revolution to optimize opportunities, while overcoming the challenges that lie ahead?
“Pseudonymisation is Helping Firms Comply with a New EU Privacy Law,” in The Economist: Pseudonymisation promises to help companies process data in ways that comply with GDPR and even liberate the more scrupulous to make money from their data sets in new ways, freed from privacy limitations which had previously kept data locked away.
“Zuckerberg: Boy That EU Privacy Law Is Great, Just You Know, Only in the EU,” by Tom McKay in Gizmodo argues the very fact that companies like Facebook and Google will not commit to following the guidelines of GDPR globally is the reason why they need to be forced to do so.
“GDPR: Balancing Privacy and Innovation to Create Opportunities in Banking,” by Alan McIntyre in Forbes: As banks increasingly collaborate with third-party providers to develop value-added services, they will need more far more granular consent from their customers.
“Banks Preparing for Heightened New York Cybersecurity Laws to Take Effect,” by Shaun Waterman in Cyberscoop: Senior executives from more than 3,000 banks, insurers and other financial services companies doing business in New York will now have to personally certify that their computer networks are protected by a cybersecurity program appropriate for their organization’s risk profile.
“New York is Quietly Working to Prevent a Major Cyber Attack that Could Bring Down the Financial System,” by Brennan Weiss in Business Insider: With a lack of leadership from the federal government, New York is one of the first states to implement new cyber regulations. But even with the strictest cybersecurity regulations in the country, experts warn these efforts may still not be enough.
“Healthcare Pros Worry about Data Security at Other Organizations,” by Fred Donovan in Health IT Security: While healthcare IT professionals are confident their own organizations are doing enough to thwart cyber attacks, they are not so sure about the data security capabilities of their business partners.
“Hudson's Bay Probes Data Security at Stores Including Saks,” by Rachel Adams in Bloomberg: The Toronto-based department store operator is investigating a data security issue involving information from as many as 5 million payment cards used at certain Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor stores, the company said in a statement Sunday.
“Panerabread.com Leaks Millions of Customer Records,” by Brian Krebs in Krebs on Security: Bakery-cafe chain Panera Bread’s website leaked customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months.
“UK Businesses Financially Unprepared for Cyber-Attacks,” by Mark Mayne in SC Magazine: Despite the prevalence of cyber-threats facing every market sector, two thirds of U.K. businesses do not have a financial plan in place in the event of a cyber attack.
“Industry Leaders Struggle to Balance Digital Innovation and Security,” in Help Net Security: Companies are struggling with the tug-of-war between advancing digital innovation and ensuring secure digital experiences that maintain user trust and mitigate risk.
“CISOs' Top 4 Cybersecurity Priorities,” by Jon Oltsik in CSO: When cybersecurity executives head to the RSA Conference, they will be looking for information about threat intelligence, SOAPA, business risk, and changing security perimeters.
“Can Europe Lead on Privacy?” by Tom Wheeler, a former chairman of the U.S. Federal Communications Commission, in The New York Times: The United States government has a lot of explaining to do. Why is it that American internet companies such as Facebook and Google are required to provide privacy protections when doing business with European consumers but are free to not provide such protections for Americans?
“Privacy Groups Ask Tech Companies to Sign User Data 'Security Pledge',” by Mallory Locklear in Engadget: A number of organizations including the ACLU, Fight for the Future and Color of Change have called on tech companies to sign a pledge and commit to protecting their users' data. The move comes as repercussions of the Cambridge Analytica scandal continue to unfold.
“Americans Resigned to ID Theft, But Taking Steps,” by Tara Seals in Infosecurity: The frequency of attacks on Americans’ personal information has fostered a feeling of inevitability among citizens, but many are changing their behavior to protect themselves.
What was your favorite data security story this week?