Category Archives: Insider Threat

Insider Threat and 3rd Party Liability

PageUp and the 3rd Party Liability Problem

3rd Party Liabilities

 

The tech world was thrown into frenzy over the recent hack of international HR service provider PageUp.

In late June, chief executives reported "unusual activity" in its IT infrastructure.  An investigation was launched and emergency notifications were distributed to PageUp’s broad client base.

The industry quickly understood: the implications of this hack were potentially devastating.

PageUp specializes in storing personal details of workforce personnel.   The company boasts two million active users across 190 countries.   All of this data was now suspected of being compromised.

The most recent news on the PageUp damage report was the leaked data of the UK food and hospitality giant Whitbread.   The hotel and coffee shop operator acknowledged that some current and prospective employees’ data may have been compromised during the PageUp hack.  Whitbread sent a message to individuals potentially affected stating that personal detail collected during recruitment processes “may have been accessed and could potentially be used for identity theft.”

Whitbread has reportedly suspended its use of PageUp’s services.

 

The Third Party Liability

The PageUp breach and its subsequent fallout highlight the ever present--and increasingly risky--threat to data posed by third party outsourcing.

 

Third party contractors are extremely attractive targets for cyber criminals.   As one industry leader put it: “information like dates of birth and even maiden names […] gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft.”

 

The risk of third party vendors is especially true in the era of heightened compliance demands set by current data regulations.   Laws like the EU GDPR put all the responsibility on companies when it comes to who they trust to handle their data.   In the medical industry,  HIPAA requirements also extend to any outside service provider dealing with personal data of patients.

 

Handle on the Data

 

Enterprises need to take control of their sensitive data, whether it is on their own networks, or being managed via outsourcing.

This means companies need to vet their digital-service supply chains more seriously.  Managers must get clear answers from service providers on very important questions:

  1. What are the security standards for personnel data?
  2. How up to date are the company’s data loss protection tools?
  3. How does the contractor deal with regulation compliance?

Ensuring the tight standards of contractors is the only way for companies to safely employ third parties to handle their most sensitive data.

 

A Zero Trust Approach towards Data Protection

Using a Zero Trust Approach towards Data Protection and Data Exfiltration Prevention

 

What is Zero Trust Security?

 

Face it, traditional network perimeter security (firewalls, IDS, and the like) have failed.  Add into the mix the growth of cloud services (both sanctioned and unsanctioned) and you have a big problem.  Zero Trust security is built on the premise that neither users  nor devices can be trusted, one must then work with the belief that there are insiders looking to ex-filtrate your data.   Therefore, one must put controls around the the data in order to prevent a breach.

Using a Zero Trust Approach towards Data Protection and Data Exfiltration Prevention

Steps to follow:

  1. Understand what data you have
  2. Define and place data protection controls around that data
  3. Continuously monitor and protect

What are the best solutions to achieve zero trust data protection?  

An enterprise next generation DLP solution is the best solution in order to prevent data exfiltration from the inside out.  Here's a few best practices for defensive controls against insider and outsider threats

  1. Continuous, accurate Discovery and identification of Sensitive Data
  2. Continuous Classification of Sensitive Data
  3. Continuous Monitoring of all channels / ports & endpoints with the ability to accurately prevent the exfiltration of sensitive data
  4. Encrypt data based on policy - blanket encryption protects the hacker
  5. Continuous employee and 3rd party training including business associates
With broad coverage for both on premises and the cloud, GTB Technologies Enterprise Data Protection that Works platform incorporates all these best practices for complete insider threat protection.  Try it out