A few weeks ago, Google’s employee details were leaked by a third party company. Although this was an innocent error, it’s worth considering how much worse it could so easily have been.
A few weeks ago, Google’s employee details were accidentally leaked by a third party company that provides benefits management services for them. Luckily, the person responsible at the benefits management company notified Google and no harm was done. At first glance, this looks like an innocent error that was dealt with speedily, but it’s worth taking a moment to consider how much worse it could so easily have been – and frequently is – for people whose details inadvertently end up in the wrong hands.
This latest security breach comes as no real shock in light of the cyber-crime epidemic of recent years and the swift evolution of smarter, more damaging forms of hacking. Ginni Rometty, IBM Corp.’s Chairman, CEO and President, recently said that cyber-crime may be the greatest threat to every company in the world, and in 2015, British insurance company Lloyd’s estimated that cyber-attacks cost businesses as much as $400 billion a year. This slip-up is not something that anyone at Google or the culpable third party should really be patting backs or wiping brows over – WALLIX argues that in fact it highlights an important security vulnerability at the core of how businesses operate nowadays and speaks volumes about security systems and policies in place.
Working with third party companies and contractors is a fact of life. 81% of companies outsource part of their operations to an external service provider (according to PwC), and why not, when there are benefits to be gained in cost, agility and productivity? It carries immense risk, however, and PwC recently noted that around 18% of major security breaches were attributed to an external service provider in 2015. There is an ever-growing list of examples of data breaches that can be traced to third-party suppliers, from the Target breach in 2013 to more recent cases such as insider trading by hacking newswire services, and fraudulent tax claims by compromising a third-party-hosted US Internal Revenue Service website.
As the Google breach demonstrates, you can’t rely on the security of other parties, even long-standing colleagues you may trust. However, with the rise in cloud computing, companies need to be extra careful when working with other businesses and putting sensitive data at risk. According to a Booz Allen Hamilton report, the majority of third-party risk incidents at an organisation are likely to occur in an existing relationship. Typically, organisations select a supplier that is low-risk and put a lot of effort into establishing a relationship, but there is no provision for monitoring how or if that level of risk changes. Risk impact can be defined by a variety of metrics: loss of company value, loss of revenue, increased cost of capital, diminished brand equity and market share, higher insurance premiums and civil litigation from investors, shareholders, business partners and others. Low-risk suppliers can easily become high-risk over time. Poorly understood key risk indicators, difficulty in getting hold of relevant and timely information and poor relationship management, dedication and training mean that such supplier relationships are often under-managed.
Responsibility is key, because heads will roll within your business if something goes wrong. Businesses need to look at the bigger picture and at complete solutions like Wallix’s WAB Suite: in its basic form it protects access privileges and lets you control, monitor and record administrator sessions across multiple systems, so you always know who’s looking at and doing what. Google will no doubt face some serious questions, but in reality, of the 4 in every 5 companies to whom this has happened or will happen, how many would have satisfactory answers to those burning questions?
Were the third party company’s security measures appropriately vetted? Clearly not in Google’s case, as well as many others. Security is rapidly evolving, with the majority of companies lagging behind thus far. And what about when those third parties use sub-contractors? You won’t meet or vet them, so it’s completely out of your hands, yet it’s your business held responsible if customer data is being leaked. What measures were in place to prevent this breach from happening? Not enough, evidently. Was the data protected with the correct access rights? Presumably not. Security is something you assume your third parties will have a good handle on, but in light of constant scandalous hacking headlines, businesses need to stop making such assumptions.
These are pretty basic failings, and so-called accidental breaches involving third parties clearly deserve a level of scrutiny that we are more used to seeing applied to big name hacks. This Google breach should be seen as a valuable lesson rather than a lucky escape. Companies need to start investing in comprehensive security solutions and paying attention to the whole of their operations, rather than just investing in another firewall. No company is perfect, and no one can be on the ball every second of every day, but now even human error is something that you can and should be protecting yourself and your data against with software like Wallix’s. With systems like the WAB Suite, you are afforded complete control, visibility and reassurance, so what are you waiting for?
The Wallix AdminBastion (WAB) Suite has a simple architecture designed for pervasive, sustainable deployment. It creates a single gateway with single sign-on for access by system admins.
WAB’s agent-less architecture is lightweight, making the solution inexpensive and easy to deploy and adapt. The agent-less approach mitigates the risk that changes in protected systems will require extensive revamping of the PAM solution.
WAB has a simple architecture, but a sophisticated and rich feature set that can scale with even the largest organisations. WAB gives you the tools to make PAM an enduring, pervasive and consistent part of your security program.
Remember, the best PAM solution is the PAM solution everyone uses.
For more information about the Wallix AdminBastion, visit www.wallix.com.