Data breach risks: Not just the insider threat

Data flows with business partners need as much attention, if not more. Here are key questions and considerations to get you started.

Over the last few years there has been a strong push for organizations of every type, industry and size to spend most of their data protection effort on the "insider threat": the employee or temp who already holds access and may decide to misuse or abuse those privileges. The insider threat is real and deserves attention. But is it possible that some of us are focusing on it so much that we lose sight of what happens to our data once it is outside?

The question to consider here is: "What about the critical data assets businesses willingly send out externally?"

For example, a bank must share information with auditors, regulators, suppliers, vendors and partners. The data transfers involved are critical to keeping the business running, but when they are not properly controlled they are also among the riskiest activities a firm undertakes, carrying an elevated probability of data loss and, with it, serious damage to the bank's reputation.


Given the need to share information, and the growing number of channels and formats in which data can be distributed, the points to consider include the following.

Threats must be considered

  • What or who is placing the data at risk?
  • As the data flows out of your firm's environment it is exposed to threats of every kind, from man-in-the-middle attacks while in transit to social engineering attacks while it is stored on the 3rd party's network.

Possible risks should be accounted for and documented

  • The threats above create serious risks to a firm's critical data assets, the most obvious being loss of the data or of its confidentiality. If Firm X lacks proper data transmission controls, such as TLS with certificate verification (rather than the obsolete SSL protocol versions) or SFTP for file transfers, the man-in-the-middle threat can turn into an actual loss of data.
  • Such a loss then compounds the risk and impact to the organization through revenue loss, reputational damage, remediation cost, customer notification expense and loss of client trust.
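As an added example (not code from the original article), here is a standard-library Python check of the transport control named above. It builds a client TLS context the way a careless transfer script often does (no certificate verification, no hostname check, any protocol version), builds a hardened one, and audits both against a baseline of CA verification, hostname checking and TLS 1.2 or newer. That baseline and the `open_tls` helper are assumptions made for illustration, not a policy from the article.

```python
"""Added example, not from the original article: audit a Python ssl.SSLContext
for the transport weaknesses that make a man-in-the-middle attack possible.
The baseline (CA verification, hostname check, TLS 1.2+) is a hypothetical
corporate policy; only the standard library is used."""
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # hypothetical baseline: nothing older than TLS 1.2


def weak_context() -> ssl.SSLContext:
    """What a careless transfer script tends to produce: the peer's certificate
    is never verified, its name is never checked, and any protocol version is
    accepted. Anyone on the path can present their own certificate and read
    the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, require the
    certificate name to match the host we dialled, and refuse anything older
    than TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the baseline violations found in ctx; an empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the host")
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


def open_tls(host: str, port: int, ctx: ssl.SSLContext) -> str:
    """Refuse to connect with a non-compliant context; otherwise return the
    negotiated protocol version. Needs network access, so it is not exercised
    by the stand-alone run below."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure transfer: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "compliant")
```

The point of `open_tls` refusing to proceed is that the control has to be enforced at the moment of transfer; a context that a job can quietly downgrade is not a control. Note that `create_default_context()` only verifies against the CA store the Python build sees, so the audit says nothing about which CAs that store trusts.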

The appropriate security controls need to be enabled in order to counter those threats and mitigate the risks.

  • The controls to consider are not only the technical ones for electronic data protection, such as software or hardware encryption.
  • They extend beyond technology to social, governance, operational and process controls: defences against social engineering, a password policy, user access and entitlement processes, and data security awareness activities.

Once your organization's information leaves its own environment, most of the controls you have in place no longer apply. The data now sits on a third party's infrastructure and depends on that party's security controls and processes. This is not only a question of whether the data is encrypted in transit to the third party, but of how it is safeguarded throughout its lifecycle there.

Here are some relevant questions you must ask to help ensure proper controls for external data flows.

  • Have the proper confidentiality or non-disclosure agreements been executed with the 3rd party receiving the data?
  • How will the data be transmitted to these external partners? Will electronic transmission be encrypted in transit (e.g. TLS) and, where possible, end to end (e.g. PGP), and will physical media get adequate controls (e.g. encrypted tapes, secure transport)?
  • How many people will have access to your data while it is stored or processed at the 3rd party? And who are those people?
  • Do you know the 3rd party's process for giving only the limited and necessary group of people in their environment access to your data?
  • What about access rights for people outside their organization, such as one of the 3rd party's own partners or vendors, in other words your partner's partners? Has the 3rd party in turn reviewed its external contractors', vendors' and suppliers' security controls, to ensure any data forwarded to them will be well controlled?
  • How are the 3rd party's servers and firewalls configured, hardened, patched and monitored?
  • Do the external party's communication rooms and data centers have all the appropriate physical controls in place, including proper badge access and environmental factors?
  • Does the 3rd party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data loss incident?
  • What security technical and process controls are in place to protect against data leakage from the 3rd party's portable media, mobile devices and email communications?
  • Has the 3rd party been audited or undergone internal or external reviews (e.g. a SAS 70 report or its SSAE 16 / SOC successors, ISO 27001 certification)?
  • How will the data being stored or processed by the 3rd party be destroyed or returned once not needed?
  • Does the 3rd party have an awareness and education program to ensure its employees follow protocol to protect its clients' sensitive information?

Clearly your questioning of business partners must take technological, operational and process control perspectives into account. Consider a real-world example that illustrates why:

A bank business manager one day sent the firm's tax data to its CPA in a plaintext email instead of through the approved SFTP or PGP-encrypted email channels. That email was intercepted at the CPA's ISP mail server: a rogue administrator at the ISP saw the message, recognised the value of the data in it, and used it to tap into the bank's equity funds, making off with $1.2M.
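The incident above is exactly what an outbound mail control is meant to catch. As an added example, not code from the original article, here is a minimal mail gate in standard-library Python: a message addressed to an external domain is released only if it is RFC 3156 `multipart/encrypted`, or if no critical-data pattern appears in its plaintext parts once any inline PGP armour is removed; otherwise it is quarantined. The internal domain `example-bank.test`, the detection patterns and the four sample messages are constructed for this example and stand in for whatever a real firm classifies as critical data.

```python
"""Added example, not from the original article: a minimal outbound-mail gate
that quarantines plaintext critical data addressed to an external domain.
The domain, patterns and sample messages below are constructed for this example."""
import email
import re
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-bank.test"   # hypothetical: the sending firm's own domain

# Stand-in classification rules; a real gate would use the firm's own.
SENSITIVE_PATTERNS = {
    "US EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account number": re.compile(r"\baccount\s+(?:no\.?|number|#)\s*:?\s*\d{8,12}\b", re.I),
}
PGP_ARMOUR = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)


def external_recipients(msg: Message) -> list[str]:
    """All To/Cc/Bcc addresses that are not in the firm's own domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def plaintext_outside_armour(msg: Message) -> str:
    """Concatenate the text/plain parts with inline PGP armour removed, so the
    ciphertext is not scanned but a plaintext postscript after it still is."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        chunks.append(PGP_ARMOUR.sub("", text))
    return "\n".join(chunks)


def gate(raw_message: str) -> dict:
    """Decide ALLOW or QUARANTINE for one RFC 5322 message and say why."""
    msg = email.message_from_string(raw_message)
    external = external_recipients(msg)
    if not external:
        return {"verdict": "ALLOW", "reason": "internal recipients only", "hits": []}
    if msg.get_content_type() == "multipart/encrypted":   # RFC 3156 PGP/MIME
        return {"verdict": "ALLOW", "reason": "PGP/MIME encrypted", "hits": []}
    body = plaintext_outside_armour(msg)
    hits = sorted(label for label, pat in SENSITIVE_PATTERNS.items() if pat.search(body))
    if hits:
        return {"verdict": "QUARANTINE",
                "reason": "plaintext critical data to " + ", ".join(external),
                "hits": hits}
    return {"verdict": "ALLOW", "reason": "no plaintext critical data", "hits": []}


# Constructed sample messages (not real mail).
PLAINTEXT_TAX_MAIL = """\
From: manager@example-bank.test
To: cpa@external-cpa.test
Subject: 2010 tax package
Content-Type: text/plain; charset=utf-8

Figures for filing. Our EIN is 12-3456789 and the operating
account no. 001234567890 should be used for the payment.
"""

INLINE_PGP_MAIL = """\
From: manager@example-bank.test
To: cpa@external-cpa.test
Subject: 2010 tax package
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMA5vN3zqf7W1GAQf/WYtCiphertextStandsInHereAndIsNotScanned==
-----END PGP MESSAGE-----
"""

# Armour followed by a plaintext leak: the armour alone must not grant a pass.
MIXED_MAIL = INLINE_PGP_MAIL + "\nP.S. if you cannot decrypt: account no. 001234567890.\n"

INTERNAL_MAIL = PLAINTEXT_TAX_MAIL.replace("cpa@external-cpa.test", "cfo@example-bank.test")

if __name__ == "__main__":
    for name in ("PLAINTEXT_TAX_MAIL", "INLINE_PGP_MAIL", "MIXED_MAIL", "INTERNAL_MAIL"):
        print(name, gate(globals()[name]))
```

Two design points matter here. Scanning what is left after the armour is stripped, rather than simply trusting the presence of a PGP block, stops the obvious bypass of pasting an armour header above plaintext. And the gate does not verify the ciphertext itself; a production control would confirm the message is encrypted to a key the partner actually holds, which is outside what a standard-library example can show.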

Per the Open Security Foundation's DataLossDB data loss statistics so far in 2011: "Data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning."

In the end, the riskiest environment for data is one not controlled by the enterprise that owns it. An insider with access and intent can cause havoc, but while the data is inside, the enterprise can implement the proper technical, process and operational controls to safeguard its own data. It is when the data leaves that environment that we are truly no longer in control, and that is where proper audits, questioning and testing help as much as possible.

Andres Tabares, CISM, CRISC, CISSP is a Data Security Professional with Aujas (www.aujas.com), a Global Information Risk Management consulting firm. He can be contacted at AndTab@aol.com.

Copyright © 2011 IDG Communications, Inc.
