Companies share a lot of confidential data with third parties. Who is responsible for keeping that data secure? Is it the originating company or the third party? Or both?
This week American Express sent letters to card holders about a possible data breach. According to reports “an unauthorized person or group accessed the system of a third-party service provider prompting American Express to warn customers that card member information may have been compromised.” The company said, “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” So is American Express to blame for this incident or is the service provider to blame?
This breach is another example of a broken chain of custody with confidential data. American Express may have strong protections for its confidential data, but when it relinquishes control to another party that has weak controls, hackers know how to exploit the situation. This is the same issue I talked about last year on the weakest link in the supply chain.
Think about the vulnerability of your data within your supply chain. You may have the best security that money can buy, but once it leaves the confines of your environment, the information is out of your control. You have to rely on the security systems of your partners to protect your information. Unless you’ve done a security audit on those partners and are satisfied they will maintain your confidential data safely, you are vulnerable. Hackers prefer to target the weakest link in the chain and they know smaller providers of large companies are easier targets.
This is where persistent security comes into play. If you have strong encryption and permission controls on your confidential data, you can limit access to it regardless of where it is. One of our customers uses our applications to exchange PCI with a third party. The file can only be accessed a limited number of times on specific computers. After that, the file is useless. If someone tried to steal the file, they can’t read the data inside. The result is no data breach.
Ultimately American Express is responsible for its card holders data, regardless of where it is. You can best protect your confidential data throughout your supply chain by encrypting it and controlling its access at all times. That’s better than welding your broken chain.
Photo credit Brian Smithson
