Instant messaging and social media platform Discord disclosed a data breach last week, after the account of one of its third-party support agents was compromised. The breach exposed users' email addresses, the messages they exchanged with the support team on the platform, and any attachments that were part of those conversations. Discord deactivated the compromised account as soon as the intrusion was detected, sent letters to affected users, and cautioned them to watch for suspicious activity in their accounts.
Companies need to take a top-down approach to protecting their data. It starts with policies and standards that classify every type of data the company expects to create, collect, store, or generate. Once those classification standards are in place, companies need to catalogue, in an inventory, where every item of sensitive or private data is collected, handled, or stored. You can't protect something if you don't know where or what it is.
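The classify-then-inventory step described above, as an added example that is not part of the original article or of any Synopsys tooling. It scans constructed sample records from two hypothetical systems ("support_desk" and "marketing_db"), tags fields that hold email addresses (PII) or card numbers that pass the Luhn check (PCI), and produces a per-system, per-field inventory. The classification labels, levels, record layout and regular expressions are all assumptions chosen for the illustration; a real inventory would also cover files, backups and third-party data feeds.

```python
import re
from collections import defaultdict

# Constructed sample data from two hypothetical systems; none of it is real.
SAMPLE_RECORDS = {
    "support_desk": [
        {"ticket_id": "T-1001", "requester_email": "alice@example.com",
         "message": "My card 4111 1111 1111 1111 was charged twice."},
        # This 16-digit number fails the Luhn check, so it must NOT be tagged as a PAN.
        {"ticket_id": "T-1002", "requester_email": "bob@example.org",
         "message": "Order 1234 5678 9012 3456 never arrived."},
    ],
    "marketing_db": [
        {"customer_id": 7, "contact": "carol@example.net", "segment": "gold"},
    ],
}

# Assumed classification scheme: label -> protection level.
CLASSIFICATIONS = {"PCI": "restricted", "PII": "confidential"}
LEVEL_ORDER = ["restricted", "confidential"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, subtracting 9 when > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the set of labels found in a single field value."""
    text = str(value)
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("PII")
    for match in CANDIDATE_PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):  # drops order numbers and other digit runs
            labels.add("PCI")
    return labels


def build_inventory(systems):
    """Map (system, field) -> labels for every field that ever held sensitive data."""
    inventory = defaultdict(set)
    for system, records in systems.items():
        for record in records:
            for field_name, value in record.items():
                labels = classify_value(value)
                if labels:
                    inventory[(system, field_name)] |= labels
    return dict(inventory)


def highest_classification(labels):
    """Collapse a label set to the strictest protection level it requires."""
    levels = {CLASSIFICATIONS[label] for label in labels}
    for level in LEVEL_ORDER:
        if level in levels:
            return level
    return "internal"


if __name__ == "__main__":
    for (system, field_name), labels in sorted(build_inventory(SAMPLE_RECORDS).items()):
        print(f"{system}.{field_name}: {sorted(labels)} -> {highest_classification(labels)}")
```

The Luhn check is what keeps the inventory honest: a bare digit-count rule would have tagged the order number in the second ticket as card data and inflated the PCI scope.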
Why third-party partners pose a severe threat
Third-party partners add another layer of complexity, because companies often have to grant access to data that should be protected to partners who have different levels of security around data access and protection, different security policies, and different exposure. When you provide access to a third party, their attack surface becomes your attack surface.
Protecting client data is critical, because sensitive information leaking or falling into the wrong hands often leads to reputational risk for the firm, whether it is sensitive personally identifiable information (PII) or credit card transaction data whose protection is required by the Payment Card Industry Data Security Standard (PCI DSS).
How can firms protect against third-party risk?
Firms have a responsibility, not only to shareholders but also to clients, to protect this data, as a lack of action can lead not only to federal fines but also to class action lawsuits. After the privacy data inventory is built and maintained, controls can be applied across the environment to protect data at rest and in transit and to ensure its secure disposal.
These can include encryption for confidentiality while data is stored or transmitted, identity and access management controls to prevent unauthorised parties from accessing it, and segmentation controls to limit an attacker's reach if they gain access to a portion of the internal infrastructure.
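The identity-and-access and segmentation controls above, combined with the data classification, as an added example that is not from the article or from Synopsys. A deny-by-default check decides whether a principal may act on a classified field, using three assumed rules: the target system must be inside the party's segment, the field's classification must not exceed the party's clearance, and third parties are read-only. Every decision is written to an audit list so repeated denials can feed detection. The principal and resource shapes, the level names, the "support-vendor" organisation and the idea of rating support attachments as restricted are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed protection levels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    organisation: str   # "internal" or the name of the third party
    systems: frozenset  # segmentation: systems this party may reach at all
    max_level: str      # highest classification the party is cleared for


@dataclass(frozen=True)
class Resource:
    system: str
    field: str
    level: str          # classification taken from the data inventory


AUDIT_LOG = []  # one entry per decision, allow or deny


def authorize(principal, resource, action="read"):
    """Deny by default; return True only when every rule passes. Always logs."""
    reason = None
    if resource.system not in principal.systems:
        reason = "system outside principal's segment"
    elif LEVELS[resource.level] > LEVELS[principal.max_level]:
        reason = "classification exceeds clearance"
    elif action != "read" and principal.organisation != "internal":
        reason = "third parties are read-only"
    decision = "allow" if reason is None else "deny"
    AUDIT_LOG.append({
        "principal": principal.name, "org": principal.organisation,
        "system": resource.system, "field": resource.field,
        "action": action, "decision": decision, "reason": reason,
    })
    return decision == "allow"


def denial_counts():
    """Denials per principal; a spike from one account is a detection signal."""
    counts = {}
    for entry in AUDIT_LOG:
        if entry["decision"] == "deny":
            counts[entry["principal"]] = counts.get(entry["principal"], 0) + 1
    return counts


# Constructed example: a third-party support agent scoped to the support desk only.
VENDOR_AGENT = Principal("vendor-agent-01", "support-vendor",
                         frozenset({"support_desk"}), "confidential")

if __name__ == "__main__":
    checks = [
        (Resource("support_desk", "requester_email", "confidential"), "read"),
        (Resource("support_desk", "attachment", "restricted"), "read"),
        (Resource("marketing_db", "contact", "confidential"), "read"),
        (Resource("support_desk", "requester_email", "confidential"), "export"),
    ]
    for res, act in checks:
        print(act, res.system, res.field, "->", authorize(VENDOR_AGENT, res, act))
    print(denial_counts())
```

The point of logging allows as well as denies is that a compromised agent account looks legitimate at the authorization layer; the volume and spread of its reads, not a single decision, is what stands out afterwards.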
Never underestimate the people problem: ensure that admins, managers, and operators all receive security awareness training so that they don't engage in risky behaviour such as leaving laptops containing this data in cars or opening malware.
Jamie Boote is the Associate Principal Consultant for Synopsys Software Integrity Group.