It seems like every week in the news, there’s some new threat or incident involving data security.
This time it’s the U.S. Customs and Border Patrol (CBP). Well, a subcontractor of theirs anyway. CBP just announced that one of its subcontractors suffered a cyber breach. Unauthorized data access is typical in a breach, and this is no exception. CBP acknowledged there was unauthorized access to license plate images and public traveler images in the subcontractor’s possession. What makes this incident different is that in addition to the main breach, the subcontractor was not authorized to have this data on its network. The data shouldn’t have been there to begin with.
This latest CBP breach is another illustration of a common characteristic which many breaches share. Breaches often don’t originate within the main corporate (data owner) network. They start with weaker partner organizations first and then spread from there to various degrees.
No longer can you think of data as being something which is created and stays in a defined place. Data and metadata get created and often travel to many destinations as they are processed and used. Securing data requires that you understand the lifecycle of the data you are responsible for, where it goes and how it is used, and what controls are in place to protect it. How do you go about doing this?
First Up – Data Inventory
With today’s movement to edge computing, cloud computing, and mobile computing, it is almost impossible to obtain a 100% accurate, real-time understanding of your data. That doesn’t mean, however, that it isn’t critically important to have defined an approach to how you’re going to protect your data.
Protecting those data types you determine to be sensitive, such as intellectual property, PII, strategic plans, etc., is where you get the most benefit from your time. While controls can protect both sensitive and non-sensitive information at the same time, it is far more important to ensure the data you care most about is protected to the levels you expect.
What data do you care about? If you haven’t gone through the exercise of examining your different data types, start there. Almost all organizations hold some level of PII, since some is necessary simply to maintain employees. Figure out what data types are critical in keeping your competitive advantage and maintaining compliance.
Next Up – Location, Location, Location
All security these days relies to some degree on the security of others. Once you’ve identified what your sensitive data types are, do you know which parts of your data inventory are stored or processed outside of your network? Can you document, by organization name, those entities connected to your network? Just as important as knowing your security is knowing to what degree the security of your data is in the hands of others.
A persistent or automated network connection between your organization and another’s is called an interconnection. These are often your highest areas of risk when it comes to partners because they can provide a pathway for attackers to follow from a less secure partner into your network. Take time to learn where all of these are and how they are secured. Be sure that new ones cannot be stood up without approvals and review of the security controls. Compromise of interconnections is the most common way you can get breached because these connections aren’t scrutinized nearly as much as those directly to the Internet.
Compromise of your information doesn’t have to be the result of a breach of your network. As in the case of the CBP breach, another organization can have your data (with or without permission). If that organization doesn’t protect the data properly, it can get compromised. It often doesn’t matter who is at fault or how it happened; if your data is compromised, it is compromised. Make sure there is language in your contracts that requires the right level of continuous security controls to protect any of your information a partner may have. If any of your sensitive data is handled by someone else, it’s worth your time to figure this out.
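One way to turn the checks above into a repeatable audit, added here as an example that is not part of the original article: reconcile a register of documented interconnections against where data is actually observed. The partner names, the register fields, and the idea that observations come from flow logs or partner attestations are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Sensitive data types named in the article.
SENSITIVE = {"PII", "intellectual property", "strategic plans"}

@dataclass(frozen=True)
class Interconnection:
    partner: str                      # organization name, as the article asks
    approved: bool                    # passed approval and security review
    authorized_types: frozenset       # data types this partner may hold
    contract_requires_controls: bool  # contract mandates security controls

# Constructed register of documented interconnections (hypothetical partners).
REGISTER = [
    Interconnection("Payroll Vendor", True, frozenset({"PII"}), True),
    Interconnection("Imaging Subcontractor", True, frozenset({"device telemetry"}), False),
    Interconnection("Analytics Partner", False, frozenset({"strategic plans"}), True),
]

# Constructed observations: (partner, data type) pairs, e.g. from flow logs or
# partner attestations. The source of these records is an assumption.
OBSERVED = [
    ("Payroll Vendor", "PII"),
    ("Imaging Subcontractor", "PII"),
    ("Analytics Partner", "strategic plans"),
    ("Unlisted Host", "intellectual property"),
]

def audit(register, observed):
    """Return sorted (partner, data_type, finding) tuples for every gap."""
    by_partner = {entry.partner: entry for entry in register}
    findings = set()
    for partner, dtype in observed:
        entry = by_partner.get(partner)
        if entry is None:
            findings.add((partner, dtype, "undocumented interconnection"))
            continue
        if not entry.approved:
            findings.add((partner, dtype, "interconnection not approved"))
        if dtype not in entry.authorized_types:
            findings.add((partner, dtype, "data type not authorized for partner"))
        if dtype in SENSITIVE and not entry.contract_requires_controls:
            findings.add((partner, dtype, "sensitive data without contractual controls"))
    return sorted(findings)

if __name__ == "__main__":
    for partner, dtype, finding in audit(REGISTER, OBSERVED):
        print(f"{partner}: {dtype}: {finding}")
```

The "Imaging Subcontractor" row mirrors the situation the article describes: an approved partner holding a data type it was never authorized to have, with no contractual controls covering it.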
Key Takeaways for Businesses
A central aspect of your data security approach should include an understanding of what kinds of data you have, where it’s located, and how it’s protected. Since time and resources are always a factor, determine what data you care about the most and start there. Make sure that you have processes in place to maintain this understanding once you’ve developed it. Maintaining your understanding is especially important with business partners because you don’t have direct control over their networks. Take time to understand how they may be protecting your data (or not), and take steps to get confidence that your data is protected to your expectations. If your data is worth protecting, odds are there are people out there who are working on getting it.