Are Third-Party Data Vendors Safe?

Most companies today use some type of third-party data solution. But are those third-party vendors safe?

We all know that companies collect and keep our data.

And there’s a purpose for this, usually. That data is what creates personalized, relevant experiences that keep us coming back again and again. Like product recommendations based on what you’ve already bought or an email that addresses you by name.

But what you might not know, as a consumer or even an employee, is where that data goes. Or who has access to it.

It’s not uncommon for companies to store their data off-site. In fact, a lot of brands rely on third-party storage, data processing and analytics solutions, especially cloud-based ones. But that convenience might come at a cost.

You might be wondering, is this really a problem? And if so, how big is that problem?

According to research from Wiz, only 4% of organizations don’t have third-party apps in their environment. Meaning 96% of companies are potentially at risk of data leaks, account takeovers, supply chain attacks and more.

The Problem With Third-Party Data Vendors

Why do brands even bother offloading their data to a third party in the first place? For one, it’s typically cheaper than hiring a dedicated in-house team, especially if you decide on a vendor in another country, such as China or India. And for a lot of companies, that bottom line is the deciding factor. Offloading also frees up time, meaning your in-house team can focus on other, seemingly more important tasks.

Plus, as mentioned above, it’s convenient. A cloud-based data storage solution is always available to you online. You can upload your data instantaneously, and you can also access it any time you need. Many companies look at these benefits and think, “Great, this is the best solution for the company!” And while some pause to think about the risks and precautions they must take, many do not.

That’s how you get stories like the January 2022 data breach from the Red Cross. The non-profit, which stored its data with a Switzerland-based contractor, lost data on more than half a million “highly vulnerable people” — those receiving aid and charity services across the globe.

Or the older but more infamous attack on Target that occurred in 2013, when credentials were stolen from the retailer’s third-party vendor. The result? Attackers gained access to customer names, phone numbers, email addresses, credit card numbers, credit card verification codes and other sensitive personal data.

These types of attacks and breaches occur every day. In fact, the FBI claims it receives more than 2,300 complaints regarding cybercrime (personal data breaches, phishing attempts, ransomware attacks, etc.) each day, a whopping 552,000+ per year. And the cost of these cybercrimes? $6.9 billion in 2021 alone.

Why do these attacks happen? Are companies lacking the resources or knowledge on how to keep data safe? Are they failing to do their due diligence? Or are hackers simply too smart to keep out?

It’s All in the Setup

One of the first things a company does after purchasing or subscribing to a third-party storage solution is set it up. And that’s where part of the problem lies. Any platform you use, whether related to data or not, has hundreds of settings. And as you customize your cloud-based data platform, in a perfect world, only you have access to it, only you know it exists and it is not publicly available online.

But this is not a perfect world. Bill Malik, VP of infrastructure strategies at Trend Micro, pointed out that other team members will invariably have access to this platform — those who are knowledgeable about data safety and those who are not. The third party itself may have access to this data.

“And if any one of those people gets any one of those 500 or so settings wrong,” said Malik, “then that information is visible.” He added, “The sad truth is that although there have been four or five incidents in the past five years where the cloud provider messed up and made stuff visible, the other thousands of security breaches have all been because the user’s setup was misconfigured.”

Therefore, those purchasing the platform, and those configuring it, ultimately have the responsibility of knowing how to use it. “If I buy a car and I drive it into a tree, that’s not the manufacturer’s problem,” said Malik.

Who Has Permission?

A lot of third-party storage platforms are complex, to the point where companies don’t understand how to use them and don’t know what permissions they’re giving away.

Wiz discovered that 82% of companies using third-party cloud-based vendors give these vendors access to all cloud data, with more than 90% of those companies completely unaware of it. And these vendors do not need this access for any (good) reason. On top of that, 76% of organizations had at least one program that would allow for a complete account takeover, a privilege that should never go to a third-party vendor and should even be closely monitored in-house.

One privilege data storage vendors often bake into their platforms is read-only access. And companies that see this privilege often overlook it, thinking it’s likely necessary for the third party to do its job and it isn’t associated with any real risks.

However, if the wrong person gains this privilege, it could lead to the leakage of personal information, company secrets and other data stored in the cloud — even by accident. In fact, human error is the leading cause of data breaches, according to Netwrix. While vendors may say they require read-only access for easier deployment, it’s not necessary.

“Unless the hosting vendor also provides services to the brand (e.g., data maintenance, processing) there should not be a scenario where the storage vendor has access to the data,” said Kristina Podnar, global digital policy adviser at XRSI. “The data should be encrypted and only those individuals granted permission by the brand (presumably brand employees with a dedicated admin account) should be able to access the data.”

From Third-Party to Third-Party

One common problem Malik pointed to is the hand-off of information. For instance, say you give your data to a third party to perform analytics with the agreement that the information will never leave the United States. Then that third party hands off the project to another team, who may even hand off the data to another team. And somewhere down the line, that agreement is lost, and now the data is in another country.

One risk is that the data (customer and company) is no longer protected: information like credit history, bank account information, addresses, etc. Someone could use this data to potentially make fraudulent purchases and steal identities. That’s the most obvious risk. But experts have now pinpointed a second, even larger risk.

“It’s not just the fact that the guy may pick my pocket,” said Malik, “but before he does, he’s going to take a look at my contact list and my social media history and come up with a profile that will then make it easier for me to be targeted.”
