9 May 2012

CLOSE ENCOUNTERS OF THE THIRD (PARTY) KIND...

Phew... The last month was absolutely hectic, with all those conferences falling within the same short period of time! With all that, I was privileged enough to have been asked to speak at both Internet World and Infosecurity Europe. Two very different experiences... Whilst you would expect to be talking about security at an infosec conference, it is always welcome to be asked to present on security matters at an event with a different focus - in this instance, everything digital... (see my previous post on the subject). It was nevertheless surprising, walking the show floor at Internet World, talking to vendors and poring over the agendas in the various theatres, how little security featured. With everything about the show related to "cyber", not many had made the obvious leap to "cybercrime"... So, on the way to our Devil's Tower, our quest is still to find our Curwen hand signs to communicate with the third (party) kind...

Let's not forget: the excellent DataLossDB.org keeps highlighting that 100% of breaches involve third parties... This year, the trend is even more worrying, as 2012 is already showing a 58% increase in the number of data breaches compared to the same period last year. So, if the third parties themselves, in the main, have not realised how important security is to their business, what chance do their customers - individuals and businesses alike - have?

One little test...
This is easily verified, and as I will not point the finger at anyone, just randomly pick a web host, shopping cart, CRM solution or payment gateway and look at their product brochure. Where and how does security feature? If it features, is there enough detail (e.g. accreditations you recognise - and I don't mean self-assessment... - or a specific section related to security)? When faced with a purchasing decision, do you know where to turn? I suspect not...
I started discussing this topic in an earlier post, and this eventually led to further posts on the security implications of cloud computing (part 1 and part 2); you may also find these of interest. The angle I'd like to explore in this post is how we can better reach out to the third parties themselves...


The differentiation...
There are numerous third parties and cloud providers around. A few have already achieved a dominant position, but this recent article highlighted that "others have opportunities to get into the act by offering more security and protection". So there you have it: for third parties, security can be a unique selling proposition, and some already use this to great advantage.

In the payments world (I know a bit about that...), it used to be a simple model, where you had a card holder, using a card issued by an issuing bank, purchasing goods at a merchant who processes the payment via an acquiring bank who bills and settles via the card schemes who link back to the issuing bank, and hey presto, goods are purchased, money changes hands and all is well... In those days, the third parties were easy to recognise as they were essentially payment service providers directly involved with the business of processing payments. With the rise of e-commerce, mobile services and cloud computing, the model is now far more complex:


See what I mean, everything in amber above is in scope... If we stop for a minute and consider that in 2011:
  • 91% of breaches occurred where the assets were owned by the breached entity
  • 46% of breaches occurred where the assets were managed by a third party
  • 23% of breaches occurred where the assets were hosted by a third party
(source: Verizon DBIR 2012)

So, if you are one of the organisations providing services in the amber boxes (e.g. web hosts, digital agencies), you are about to be under a lot of pressure (and not just from the new EU data privacy laws)...

And if you are in any doubt, see this...

If you are a merchant and you use those services, make sure they are listed on the following lists as a first step in assessing the security posture of these suppliers:


If you are not a merchant and you use third parties, it is still a good idea to check whether or not these are listed above. After all, payment security is information security by another name...

Until next time...