Don’t Labour the (data)point – why third-party data partners are still your problem

As highlighted by the recent ransomware attack on Superior Plus, just the latest in a long line of high-profile data breaches, anyone can suffer a data breach from a myriad of different avenues, ranging from insider threats through to weak points in their internal systems and servers

GoDaddy’s breach in November was enabled by the astonishingly simple angle of an unsecure and unprotected admin password. This incident affected 1.2m users and gave hackers access to customer email addresses, providing them with the tools needed to conduct phishing attempts with countless potential consequences. The costs aren’t yet measurable, but will be felt in more than just PR terms.

Yet, despite garnering most of the headlines, there were a couple of recent data breaches that should be considered more concerning to the average business, and may have slipped many people’s notice. The Labour Party breach, and one suffered by data management firm Stor-a-File, which impacted several of its private healthcare business customers, were significant because they are examples of where third-parties were responsible for the exposure of sensitive data.

This highlights the tricky challenge of third-party risk, which is likely to be near the top of most CEOs’ risk registers. Not just because of the exposure to risk itself, but also because it is difficult for an organisation to apply its own policies, procedures and controls to protecting data within a third-party environment. This makes it a problem of collaboration, cooperation and risk management as much as it is about technology deployment – which has often been the first port of call for a security issue.

The Labour Party left the exact details vague, but revealed that a cyber-attack suffered by a third party that handles its data ‘rendered’ a large amount of data ‘inaccessible’. For the likes of the Lister Fertility Clinic, one of the healthcare businesses affected by the Stor-a-File attack, its medical records were subjected to a ransomware attack after hackers gained access to: consent forms, medical history and test results, recommendations for treatment, and fertility treatment records.

It’s increasingly common, as the volume of data increases, for businesses to outsource the management of such a vital resource to a third-party. However, when outsourcing the care of sensitive information, businesses must ensure any third parties are appropriately secure. This is because, whilst the third-party data company might be representing their client, the same way as children in uniform we were reminded we were ‘representing our school’, it’s ultimately the data owner who feels the brunt of any breach. And – harsh as it may sound – you don’t absolve yourself of responsibility by outsourcing protection to a guard dog. Both data controller and data processor or manager are jointly liable.

There’s no such thing as perfect security, however, the circumstances of the breach suggest that there were things the Labour Party should have done better, in terms of access management, data discovery, classification, compliance and retirement. In an ideal world everyone would have their own Security Operations Centre (SOC), but even for a small business this can cost hundreds of thousands of pounds per year. So, how do you get around the issue of security without the budget to build a SOC? Managed security services such as managed detection and response (MDR) can enable businesses to outsource and automate the complex, but also benefit from round the clock monitoring and data breach incident response as and when a data breach appears to be occurring.

With the advent of mass home working and insecure devices suffering from inconsistent updates, always-on threat detection is no longer a luxury, it’s a must-have. A managed security services provider (MSSP) can never hope to understand your business as well as you, so a culture of collaboration and access to all systems is a vital starter for a meaningful and efficient threat defence. There are flexible, analyst-recommended options out there for businesses of any size, to help develop robust and reliable data protection.

The financial risk of not safeguarding data heavily outweighs the cost of doing so in a world now buttressed by the GDPR. Under the Mandatory Breach Notification requirement of the GDPR, within 72 hours of a breach of personal data, an organisation must have informed the Information Commissioners’ Office – the UK’s data protection authority – and would likely be well-advised to inform the individuals who have been affected by the breach. The organisation must also be ready to defend its approach to data protection in court. Otherwise, the resulting fine can be as much as four per cent of global revenue or €20 million, whichever is higher.

Given the financial and reputational risks of a data breach, choosing a third-party data partner should be a carefully considered decision. Businesses need to ensure any third party they trust with one of their most valuable assets is taking every step to be as secure as possible, such as enlisting the support of a SOC or MDR services from an MSSP that can provide constant security and remediation. As we wrap up the year, those of us responsible for data and cybersecurity should ‘zero-base’ our data spend, take a proper look at data lifecycle management (i.e., what steps you plan to take and why) and work to ensure that – in 2022 – the devil isn’t in the data.

About the Author

Dominic Trott is UK product manager at Orange Cyberdefense. Orange Cyberdefense is the expert cybersecurity business unit of the Orange Group. As Europe’s go-to security provider, we strive to build a safer digital society.

Featured image: ©Framestock