Introduction: the risk is real and rising
Year on year, the volume of customer records exposed by data breaches is climbing fast. The number of 3rd party breaches is also rising rapidly.
These facts should concern any enterprise using customer data, especially those who run marketing and promotional campaigns delivered via local teams and/or agency partners.
GDPR has changed the world of data management. The increasing adoption of cloud technologies is increasing the risk to companies. Now, the impact of COVID-19 on working practices has amplified the danger.
This report is timely reading for any organisation keen to mitigate security risk in this unexpected and unprecedented year.
It provides you with an overview of the current landscape in data security. It then highlights some of the key risks involving cloud solutions and the use of 3rd party vendors, including the additional complications created by COVID-19.
In the final section we look at best practice approaches to keeping data safe, and share examples of companies who are getting it right.
Much of the world has experienced some form of lockdown. For hackers and bad actors, this has presented an opportunity. Now, more than ever, it is vital to assess the risks to your business and take pre-emptive action to counter them.
- Data breaches: in figures
- Data Breaches: the causes
- 6 recent major breaches
- Data breaches: a closer look at 3rd party vendors
- The extra challenges of COVID-19
- Data security: current blind spots
- Best Practice Solutions
- Real World Best Practice
- Key Takeaways
Data Breaches: in figures
Total data breaches (RBS)
1%: rise in annual data breaches
15.1 billion: records exposed in 2019
284%: rise in annual records exposed
3rd party data breaches (RBS)
35%: increase in 2 years
1.7 billion: records exposed in 2018
4.8 billion: records exposed in 2019
273%: rise in annual records exposed
To understand the scale of the data security problems, it’s important to look at the latest annual figures for data breaches. They don’t make for pretty reading.
The total number of breaches showed only a modest increase of 1% last year. Yet an incredible 15.1 billion records were exposed in publicly disclosed data breaches in 2019 – a rise of 284%. In cases relating to 3rd party vendors, the number of breaches has shown a much faster recent rise, and the number of records exposed has also climbed at a massive rate. On average, 13 million records were exposed in each third-party breach in 2019, making it easily the worst year on record.
The number of breaches already reported in 2020 indicates that these figures will continue growing at a worrying rate.
Source: 2019 Year End Data Breach Report, Risk Based Security
Discovery and costs
£2.7 million: average cost of a data breach (IBM)
197 days: average time to discover (IBM)
69 days: additional time to contain a breach (IBM)
According to a recent IBM survey, there are substantial costs to bear from data breaches – and the cost is compounded by the time it takes to discover and contain them. The figure of £2.7 million relates only to direct costs in terms of fines and compensation. The reputational harm can be incalculable; rebuilding customers' trust is a difficult undertaking.
Source: Cost of a Data Breach Report 2019: IBM Security
Data breaches: the causes
5200: 2019 data breaches from hacking
343: 2019 data breaches from web breaches
1.5 billion: records exposed by hacking
13.6 billion: records exposed by web breaches
These are key stats to consider. Breaches involving external hackers, malicious insiders, accidents and negligence far outnumbered web breaches. Yet hacking exposed only about 1.5 billion records, whereas nearly 13.6 billion records were exposed by just 343 web breaches.
Four web breaches alone accounted for roughly 8 billion of the exposed records. All four resulted from data being put into open, misconfigured databases that were then publicly accessible over the Internet. Excluding these four breaches, the total number of records exposed last year would still have been higher than the number in 2018, but by a relatively small 1.3 billion records.
It was misconfigured services and failure to follow basic hardening practices that resulted in a far greater number of exposed records.
The key cause of data breaches was open and misconfigured databases that were publicly accessible to anyone motivated to seek them out.
What we are seeing is an increase in breaches involving cloud databases and services, often due to the poor security hygiene of customers. Cloud providers usually offer the controls necessary to keep data secure, but customers don't always use them.
The issue particularly affects inexperienced cloud users. They may remove protections when they have trouble accessing the data from applications. They are also less likely to follow best practice such as scanning for misconfigurations.
Source: 2019 Year End Data Breach Report, Risk Based Security
6 recent major breaches
April 2019 Facebook
A digital media company called Cultura Colectiva exposed over 540 million records from Facebook users on an improperly secured AWS server.
May 2019 Instagram
An AWS database with almost 50 million records from Instagram users was exposed. The database appears to be owned by Mumbai-based Chtrbox, a provider of an “influencer marketing tool”.
July 2019 Capital One
A hacker used a Server-Side Request Forgery attack to steal over 80,000 account numbers, 140,000 Social Security numbers and 1 million Canadian Social Insurance Numbers.
March 2020 Virgin Media
The details of almost a million customers were compromised after a marketing database was left open for 10 months.
March 2020 Tesco
Tesco was forced to reissue 600,000 Clubcard loyalty cards after hackers accessed accounts to spend points and vouchers.
March 2020 T-Mobile
In the USA, T-Mobile notified an unidentified number of customers of a breach after identifying a malicious attack against its email vendor.
Data breaches: a closer look at 3rd party vendors
44%: of firms had experienced a significant, business altering data breach caused by a vendor.
15%: of firms reported that their vendor notified them when a breach occurred.
The alarming rise in 3rd party data breaches is especially relevant to enterprises with regional or global supplier and partner networks.
Organisations of all sizes are increasingly relying upon software from third parties to run their business, usually cloud-based software.
Payroll, customer relationship management, and email marketing solutions are common products that are easily available without requiring in-house development. This means more data entering third-party applications, which creates more risk.
An interesting survey commissioned by eSentire in 2019 investigated the key concerns of 600 IT and security decision-makers around their supply chain, and the policies or procedures used to mitigate identified vendor risks.
The two stats above illustrate how common 3rd party breaches are and highlight another issue – how forthcoming vendors are about data breaches.
The study also showed that while approximately 60 percent of organisations have some formal third-party policies, there is significant variation in their detail. Those that had experienced breaches reported disrupted operations (27 percent), increased operational complexity and cost (52 percent), reputational damage (19 percent) and financial losses and penalties (26 percent).
In third-party breaches, companies should not underestimate the additional costs beyond the usual financial, regulatory, and reputational damage. In combination, these factors can make third-party breaches far more costly than internal ones.
You are relying on the vendor and their disaster plan if things go wrong. You have no control over it. Plus, if the breach goes wider than your data, your issues may not be a priority for them to deal with, however important it is to you.
In the case of an SME 3rd party vendor, they could even go out of business if the damage from a data breach is too much for them. This can cause further data security issues, and may hinder the delivery of business strategy.
Source: 2019 Data Security Survey eSentire
The extra challenges of COVID-19
April 2020 Zoom
Around April 1st, the cyber-intelligence company Cyble discovered over 530,000 Zoom accounts being offered on hacker forums. Some were being offered for under one US cent apiece. Others were given away for free. Cyble purchased the majority for about US$0.002 each, in order to warn clients of potential breaches. The exposed accounts contained victims' email addresses, passwords, personal meeting URLs and their HostKeys. Accounts belonging to financial institutions, banks, colleges and others were also found in the list.
This Zoom incident is the perfect illustration of the impact of COVID-19 on data security. The world has been turned upside down. Business practices have changed overnight as remote working becomes the norm. Hackers have been emboldened. The challenges involved affect both enterprises and third party vendors. These are the key issues in play:
- Far more ‘attack surfaces’
Huge numbers of employees have been working from home. In addition, some companies are leaning on more outside contractors and vendors to help fill the gaps in workforces created by the coronavirus and its effects. Your vulnerability can now be spread over hundreds or thousands of employees’ and vendors’ home networks.
- Overstretched IT security
Hackers are likely taking advantage of overtaxed IT/security staff (many will be focused on supporting VPNs, video conferencing, and other technology for home workers). Capacity may also be affected by people off work with illness or by furloughing and redundancies.
- Insider revenge
Employees or contractors who are made redundant due to cost-cutting may turn to malicious activities. Sometimes this is out of spite. Or they may be desperate to make money. Logins, especially privileged credentials, can be sold on the black market/dark web.
Data Security: current blind spots
So what are the major factors behind data protection breaches? And what creates problems with identifying and containing them? These are some of the key blind spots affecting both companies and their networks of 3rd party vendors.
Multi-cloud purchasing: by procuring cloud environments from numerous providers, businesses face the problem of security models and controls varying across providers. In some cases, they are totally incompatible.
Business-Managed IT: Increasingly, executives and functions are procuring and managing IT services without sufficient involvement of, or collaboration with, the ICT or cybersecurity departments. Organisations end up with different silos of cloud technology that create issues with oversight and management.
Cloud Misconfiguration: As we saw earlier in this report, the misconfiguration of Infrastructure-as-a-Service (IaaS) and cloud data stores has been the leading cause of some of the most damaging cloud breaches and data exposures. The key issues with misconfiguration are:
- No access restrictions: there are regular breaches from unsecured AWS S3 storage buckets
- Access overentitlement: user access is often not restricted to permitted applications and data
- Poor data protection: misconfiguration can lead to personal information being uploaded to the cloud in plain-text form.
- Weak audit processes: without regular audits of configurations, hackers can identify and explore holes in defences.
- Minimal logging and monitoring: timely checking of data and access logs is vital to identify and flag security-related events.
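The first three misconfigurations in the list above (no access restrictions, access overentitlement, plain-text data at rest) can all be read straight out of a storage bucket's configuration, which is why the report recommends regular configuration audits. The script below is an added example, not code from the report or from Promotigo: it audits a small set of constructed bucket records in the AWS S3 bucket-policy JSON shape and flags anonymous principals, wildcard action-plus-resource grants, a disabled public access block and missing default encryption. The bucket names, the account ID and the field names "public_access_block" and "default_encryption" are assumptions standing in for whatever an inventory tool exports.

```python
"""Audit constructed object-storage bucket configurations for the
misconfigurations named in the report: public access, over-entitled
policies and missing encryption at rest. Added example; the bucket
records below are constructed and belong to no real account."""
import json

# Constructed sample: three buckets as an inventory job might export them.
# The policy documents follow the AWS S3 bucket-policy JSON shape; the
# "public_access_block" and "default_encryption" fields are assumed names
# for what an inventory tool would report for each bucket.
SAMPLE_BUCKETS = [
    {
        "name": "campaign-exports-prod",
        "public_access_block": False,
        "default_encryption": None,
        "policy": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::campaign-exports-prod/*"}
            ],
        },
    },
    {
        "name": "agency-shared-uploads",
        "public_access_block": True,
        "default_encryption": "AES256",
        "policy": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/agency-upload"},
                 "Action": "s3:*",
                 "Resource": "*"}
            ],
        },
    },
    {
        "name": "crm-backups",
        "public_access_block": True,
        "default_encryption": "aws:kms",
        "policy": None,
    },
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_findings(policy):
    """Return a finding per Allow statement that is public or over-entitled."""
    findings = []
    if not policy:
        return findings
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if _is_public_principal(stmt.get("Principal")):
            findings.append(f"statement {i}: public principal allowed {actions}")
        wild_action = any(a in ("*", "s3:*") for a in actions)
        wild_resource = "*" in resources
        if wild_action and wild_resource:
            findings.append(f"statement {i}: over-entitled (action and resource wildcards)")
    return findings


def audit_bucket(bucket):
    """Combine policy findings with the bucket-level protection settings."""
    findings = policy_findings(bucket.get("policy"))
    if not bucket.get("public_access_block"):
        findings.append("public access block disabled")
    if not bucket.get("default_encryption"):
        findings.append("no default encryption at rest")
    return findings


def audit_all(buckets):
    """Map each bucket name to its list of findings (empty list = clean)."""
    return {b["name"]: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_BUCKETS), indent=2))
```

Run on the constructed inventory, the first bucket produces three findings (anonymous read grant, public access block off, no encryption at rest), the second is flagged only for the "s3:*" on "*" grant given to the agency role, and the backups bucket is clean. Scheduling a check like this against a real inventory export, and treating any non-empty finding list as an alert, is the "regular audit of configurations" the report calls for.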
Container Orchestration: Docker has driven the increasing uptake of container technologies in recent years. Using an application container provides some extra layers of protection compared to virtual machines (VMs) and physical servers. However, containers don't provide enhanced security protections at runtime. Open source platforms such as Kubernetes are introducing new classes of misconfigurations and vulnerabilities to cloud environments. Security experts are struggling to keep up.
Dark Data: Many organisations or their agencies/partners are holding unclassified and unmanaged data they may not even know about. It’s hard to protect that.
Forensics: When enterprises and their vendor networks use different cloud resources it can be difficult or impossible to get the right information for forensic investigations.
Best Practice Solutions
Data breaches do not have to happen if the right policies and processes are followed – and if technology is properly deployed. Here are recommended steps to follow, many endorsed and used by the world's leading companies in their own security and their use of 3rd party vendors. There is no one-size-fits-all solution to data security, but the lessons here will be valuable to any enterprise business.
- Multifactor Authentication
Multifactor authentication (MFA) involves securing access to your cloud with a combination of identifying measures. For example, in addition to entering a password, people may also need to input a code sent to their phone.
Microsoft’s internal data shows that MFA stops 99.9% of automated attacks on accounts. Consider implementing MFA on cloud-based accounts that hold client information. Doing it is a simple but effective step in boosting security.
- Encryption
Always choose cloud providers that automatically encrypt any information uploaded. You may also choose to encrypt customer data at your end using third-party encryption tools. By applying encryption and password protection, you make it harder for bad actors to use any information that is exposed.
- Retain centralised control of your customer data
One of the key risk factors for major enterprises is the need to share customer data with local teams and agencies/vendors. By using a specialist technology platform, companies can keep central oversight and control of the customer data.
By retaining centralised control, you also make 3rd party vendor risk assessment and management simpler and easier. A technology solution, such as Promotigo for promotional data, will ensure compliance with GDPR and other global privacy regulations. Crucially, data encryption and security are built in. Wherever in the world the data is used, the same protection applies. The risk of 3rd party breaches is minimised.
- Update, or introduce, a 3rd party risk management programme
A robust vendor risk management programme is the best protection against 3rd party risk. Strong review and audit processes, backed up by technology, can provide effective screening and due diligence. You gain a better understanding of 3rd parties, bolster data security and catch any vendor-related problems before they become data breaches.
Leading organisations stratify 3rd parties into risk categories based on the product or service they offer, as well as the third party's location and countries of operation. They then define screening and due-diligence processes based on the risk categories.
As part of this program 3rd party vendors should certainly be expected to complete a questionnaire and produce evidence of compliance like a SOC 2 or an ISO 27001 certification. They should also be prepared to open themselves to a fuller assessment of their data security measures.
- Update your data map to include third-party vendors.
Producing a map provides a clear view of what data your vendors can access and how they are using it. This will inform what compliance information you will need from them.
- Use a framework for assessing third-party risk.
By establishing a third-party risk management framework, you give your organisation shared standards for decision-making. This minimises the time and effort involved in managing risk. It makes sense to base your programme on respected industry standards. Many organisations draw on vendor assessment programmes from enterprises like Microsoft or Adobe (see case studies below). Adobe's Vendor Assessment Program whitepaper outlines the types of security controls they assess for vendors that use company data.
- Choose the right controls
Leading firms feature controls like these within their vendor assessments.
- Assertion of Security Practices: Review of security certification attestation reports (SOC 2 Type II, ISO 27001) and internal security policies and standards
- User authentication: Password policies, access control processes, and support of multi-factor authentication
- Logging and audit: Details about system/app/network logs and retention periods
- Data Centre Security: Physical security controls in locations where company data is hosted
- Vulnerability and Patch Management: Cadence of external/internal vulnerability assessments and pen tests as well as timelines for vulnerability remediations
- End-point protection: Policies that cover end-point security
- Data Encryption: Encryption of data at rest and in transit
- Include 4th Parties
You need clarity on whether any vendor services are sub-contracted to a 4th party. Vendors should be contractually bound to get approval for any fourth-party involvement. You can also include 4th parties in your due diligence and risk management processes.
- Evaluate program effectiveness
Set out measures from the start and then evaluate the program at regular intervals. You can assess if compliance requirements are being met and if potential risks are being identified and mitigated.
Real world best practice
There is no one-size-fits-all approach to data security. However, there are important lessons to learn from organisations that are ahead of the game on protecting data – internally and with 3rd party vendors.
Microsoft has created its own Supplier Privacy & Assurance Standards to instruct suppliers on data privacy and protection and to ensure they comply with those requirements. As the Microsoft website states:
SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.
Adobe uses a vendor risk assessment programme called Guardrails. It includes a set of requirements for 3rd party vendors if they collect, store, transmit, process, or dispose of sensitive data. The programme evaluates a vendor's compliance with Adobe's Vendor Information Security Standard. This provides a risk-based review of the vendor's security practices. Adobe employees can then make fact-based decisions on working with the vendor.
The right partners help enterprises stay safe.
“Data security is not something a company can do once and forget. Effective data security needs constant effort at every level of an organisation. Behaviours need to be changed and existing practices need to be challenged. The burden on large organisations to understand their data estate and who has access to that data is significant and costly.
Solutions that help to automate the monitoring and processing of customer data are invaluable in an increasingly distributed ecosystem. The right choice of partner when it comes to data collection and control is a key factor to that success; at Promotigo, we work hand-in-hand with you to support your responsibility to each and every customer to ensure the protection of their data”.
Steve Irons, Promotigo MD & CTO
- The number of breaches and the volume of records exposed continue to rise.
- The rise in 3rd party breaches is significant.
- The adoption of cloud-based technologies is a key factor in the rise in breaches. Open and misconfigured databases are the major cause.
- COVID-19 has increased the risk of breaches.
- Multifactor Authentication and Encryption are both essential to security.
- Specialist software can give you centralised control of customer data used by 3rd parties.
- Your vendors should have affiliations to privacy and data security organisations and certifications with industry-recognised privacy and security standards organisations.
- Your vendors should have ISO certifications to demonstrate their compliance with a set of clear data protection and privacy protections.
- A robust 3rd party vendor risk management programme is your best defence against data breaches.
Promotigo is the global platform for enterprises to deliver B2C promotional marketing and customer engagement programs at scale.
Do you have a question?
If you have any questions relating to customer data security or Promotigo’s global B2C platform, get in touch to find out how we can help you deliver better and safer promotions.