Facebook is spending a lot of time in the news these days, and this month is no exception. But the story of its latest data leak should grab special attention as a cautionary tale for anyone whose business relies on third parties.
In early April, we learned that two of Facebook’s third-party app developers posted some 540 million user records in plain sight on Amazon cloud servers. The breach would be embarrassing in any case, but it merits an even bigger facepalm when we discover that one of the developers hadn’t been in business since 2014. If the 35,000 employees of the world’s largest social platform couldn’t stop a breach from an abandoned app, what does that say about everyone else’s level of preparedness?
We got part of the answer in last fall’s Ponemon Institute survey, entitled Data Risk in the Third-Party Ecosystem. The 1,000 respondents — all security and risk professionals — reported that they share confidential and sensitive information with an average of 583 third parties each. Yet only 34 percent keep a full inventory of these connections, a figure that drops to just 15 percent for Nth parties (the third parties’ own third parties). The likely reason? Barely a third of the study’s respondents believe they have the resources necessary to properly manage their relationships with these outside entities.
Every organization today should accept that cyberattacks are inevitable. But it doesn’t follow that these attacks must succeed. There are simple best practices that can protect your organization from the vast majority of cyberattacks:
- Evaluate Your Suppliers, Service Providers and Products.
Apart from vetting your third parties, you need to be assured that your third parties are doing their own vetting, as well. Anyone with access to your data, systems or facilities (and that can include janitors and HVAC suppliers) deserves your scrutiny.
- Build Vigilance Into Your Operations and Service-Level Agreements (SLAs).
Third-party agreements can’t succeed without some level of trust, but that trust should be backed up with regular security audits to verify that it’s still being earned. Additionally, you should employ the principle of least privilege, granting only those permissions that are necessary for people to do their jobs. And every SLA should be beefed up with penalties for vendors that fail to maintain their promised levels of security.
- Be Alert to the Dangers of Virtual Private Networks (VPNs).
More and more of your employees and suppliers are serving you remotely. Many organizations provide remote access to their systems through a VPN. But VPNs provide both a front door and a back door to your critical data and applications, making them irresistible to any would-be hacker. And, sorry, two-factor authentication won’t be enough to protect you. If you must use VPNs in your business, get a privileged access management solution to monitor and control everyone’s access.
- Don’t Put All Your Eggs in One Third-Party Basket.
Third-party suppliers follow a range of protocols for safeguarding customer data. By diversifying your company’s roster of providers, you can avoid having a single point of failure along your supply chain.
- Plan for the Realities of Human Nature.
The problem with complicated procedures and protocols is that they aren’t designed with human frailty in mind. People can be absent-minded or careless. When compliance becomes annoying, people might sidestep it. If someone’s motivation or sense of duty falters, however briefly, so too will your security.
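The inventory gap in the Ponemon figures, the vetting advice and the least-privilege point above all come down to one practical control: keeping a record of who holds access, how much of it they need, and whether they are still active, then acting on that record before an abandoned integration becomes a breach. The following script is an added illustration, not code from the original post or from Tehama; the inventory records, vendor names, scope names and the 180-day staleness threshold are constructed for the example.

```python
"""Audit a constructed third-party access inventory for three defender-side
findings the post describes: stale (possibly abandoned) integrations,
grants that exceed what the vendor needs, and Nth parties that would
otherwise go untracked. Added example with constructed data."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ThirdParty:
    vendor: str                      # constructed vendor label
    last_activity: date              # last observed use of the grant
    scopes: set                      # permissions currently granted
    needed: set                      # permissions the contract justifies
    subprocessors: list = field(default_factory=list)  # the vendor's own vendors


# Constructed inventory; none of these are real organisations.
INVENTORY = [
    ThirdParty("analytics-app-A", date(2014, 6, 1),
               {"read:profiles", "read:friends", "write:posts"},
               {"read:profiles"}, ["cloud-host-X"]),
    ThirdParty("payroll-saas-B", date(2019, 3, 20),
               {"read:employees"}, {"read:employees"},
               ["cloud-host-X", "email-relay-Y"]),
    ThirdParty("hvac-monitoring-C", date(2019, 4, 1),
               {"read:building", "read:profiles"}, {"read:building"}),
]

STALE_AFTER = timedelta(days=180)  # assumed policy value, not from the post


def stale_vendors(inventory, today, threshold=STALE_AFTER):
    """Vendors whose grant has not been exercised within the threshold.
    An integration nobody uses is the abandoned-app case: its access
    should be revoked, not left in place."""
    return sorted(tp.vendor for tp in inventory
                  if today - tp.last_activity > threshold)


def excess_scopes(inventory):
    """Per vendor, the granted permissions that exceed the justified set
    (least privilege violations)."""
    return {tp.vendor: sorted(tp.scopes - tp.needed)
            for tp in inventory if tp.scopes - tp.needed}


def nth_parties(inventory):
    """Map each sub-processor to the third parties that expose data to it,
    so the Nth-party inventory is derived rather than maintained by hand."""
    reach = {}
    for tp in inventory:
        for sub in tp.subprocessors:
            reach.setdefault(sub, set()).add(tp.vendor)
    return {sub: sorted(vendors) for sub, vendors in reach.items()}


def recommended_actions(inventory, today, threshold=STALE_AFTER):
    """Turn findings into concrete revocations: stale vendors lose every
    scope; active vendors lose only the scopes they do not need."""
    stale = set(stale_vendors(inventory, today, threshold))
    actions = {}
    for tp in inventory:
        if tp.vendor in stale:
            actions[tp.vendor] = ("revoke_all", sorted(tp.scopes))
        elif tp.scopes - tp.needed:
            actions[tp.vendor] = ("trim", sorted(tp.scopes - tp.needed))
    return actions


def audit(inventory, today, threshold=STALE_AFTER):
    """Full report as a plain dict so it can be diffed between audit runs."""
    return {
        "stale": stale_vendors(inventory, today, threshold),
        "excess_scopes": excess_scopes(inventory),
        "nth_parties": nth_parties(inventory),
        "actions": recommended_actions(inventory, today, threshold),
    }


if __name__ == "__main__":
    report = audit(INVENTORY, date(2019, 4, 15))
    for section, value in report.items():
        print(f"{section}: {value}")
```

Run as a scheduled job against the real inventory, the interesting output is the diff between two runs: a vendor newly appearing in `stale`, or a sub-processor appearing in `nth_parties` that nobody vetted, is exactly the signal the survey respondents said they lack the resources to collect by hand.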
This is where Tehama comes in. Tehama creates secure, cloud-based workspaces for IT service delivery and development. With Tehama, you can forget about the vulnerabilities of VPNs, shipped laptops and jump boxes. In just minutes, Tehama connects your teams and your vendors in clean end-user compute white rooms. With Tehama, access is controlled through one central management panel, and all activity is recorded. It is the simple, affordable and scalable way to secure your enterprise while maximizing the productivity of your teams and suppliers.