Organizations must take more responsibility for the security of third party providers that access their data, according to experts speaking during a webinar session organized by Atakama.
Moderating the discussion, Brian Herr, field CISO at Mainline Information Systems, firstly highlighted how organizations are becoming increasingly reliant on third parties, meaning growing numbers of entities are getting access to their confidential information. “Organizations are putting more data outside of their control,” he explained, adding that “the regulatory and legal landscape is trying to keep tabs on this and it’s changing the way we do business.”
The EU’s GDPR legislation is generally seen as the pioneer for data protection rules, with other countries such as the US starting to follow suit in terms of their own regulations. There are now some clarifications emerging in regard to third party data access from the GDPR, which are likely to have implications throughout the world. Patrick Burt, former NY regulator/privacy attorney at Philip Nizer, outlined that “there is more and more focus on third parties.” Under GDPR, organizations are given clear responsibilities to undergo risk assessments and other checks when handing over data to a third party.
Burt noted that in a number of recent cases in which fines were handed out by the UK’s Information Commissioner’s Office (ICO), including against BA, Marriott and Ticketmaster, it was argued that third parties were liable, “but in each case, the ICO found it was their responsibility – they were not holding those third parties responsible at all,” explained Burt. This was ultimately because of their failures to carry out due diligence.
Burt added that similar principles are in place in the California Consumer Privacy Act (CCPA).
Dimitri Nemirovsky, co-founder and COO at Atakama, concurred, stating that organizations are still ultimately in control of what happens to their data. In an increasingly digitized environment “I don’t think you can exist today without using a third party in some form or another,” he outlined. In this context, it is critical that companies find the right approach to ensuring the integrity of the data being entrusted to these third parties is maintained. Nemirovsky said that “it is really important that you vet those tools you are using and to do it in such a way where you are maintaining the performance that is expected of your workforce.”
Managing the distribution of encryption keys is particularly vital in achieving this, according to Nemirovsky. “It does boil down to an identity and access management issue,” he commented. This is because, if an authorized user’s credentials are compromised, all the data will be decrypted for the attacker.
Account compromise is therefore arguably the biggest security issue when it comes to third parties, as breaches can still be caused even after adequate risk assessments are carried out. “This is going to become a very big problem that the industry is going to have to solve,” said Herr. “Ultimately, it boils down to understanding and getting that encryption as close to the data usage as possible so that anything in the middle doesn’t really matter.”