Between the breakdown of the EU-US Privacy Shield and the concern about LGPD preparedness in Brazil, it’s evident that countries around the world — and as a result businesses — are taking a harder look at what data protection and privacy mean. This is a good thing as problems related to keeping data safe are only growing: Cyberattacks, data fraud and data theft were key concerns noted in the World Economic Forum’s assessment of this year’s top risks.
So, it’s up to businesses to go beyond paperwork and firewalls to evaluate the situations which might be putting their data at risk. Here are five areas of concern that are sometimes overlooked by companies.
1. Working with Grey Market Providers
Grey market providers offer solutions outside of legal distribution channels. Businesses turn to these solutions because they are often discounted. The trouble with such a provider, however, is that they are not actually the source code owner.
This leaves businesses open to two problems. First, a lack of product expertise on the part of the grey market provider could result in configurations and customizations that leave data exposed. Second, because the product is being distributed outside of legal distribution channels, it is not being updated as necessary, which leads to point two.
2. Using Out-of-Date Products/Not Patching
Product updates and patches are often required to address security vulnerabilities. When these aren’t applied, backdoor access to data can be possible. In fact, according to a Tripwire study, IT security professionals claim that 27% of breaches are the result of patches not being applied in a timely manner.
Sometimes, this simply happens as a result of lack of proper patch management. However, sometimes, as in the instance of working with a grey market provider, so many unexpected changes have been made to the underlying system framework that it’s simply impossible for the update to occur or the patch to be installed.
3. Not Sufficiently Vetting Vendor Relationships
It’s tempting to expect that everyone has the same interest in data protection that you and your team have, but if you operate under that assumption, you are putting your data at risk. Whether you’re working with consultants or service providers, you need to gain a good understanding of the measures that they have put in place to protect your data from misuse or a breach. Be sure you’re asking enough questions to gain a thorough understanding of their security practices and include security expectations directly in your contracts.
As a solution provider ourselves, OTRS Group operates in accordance with GDPR guidelines and is always happy to furnish the necessary documentation to address security concerns. Your other vendors should be equally responsive.
4. Lacking Proper Employee Training
From creating weak passwords to not using secured networks, it’s sometimes your well-meaning employees who are the biggest concern. This is why proper awareness training must be conducted. Help employees understand concepts like social engineering and phishing attacks. Make sure they know what to do if they encounter something suspicious. And, particularly now while everyone is working from a home office, be sure that their personal networks are secured, and if possible, require the use of a VPN.
5. Not Having Clearly Defined Incident Response Processes
And, what happens if an incident does occur? Well, the longer the incident lasts, the more data is at risk. In an OTRS Group survey of 280 IT managers around the world, we asked what would best help them more adequately deal with breaches. 40% said that the number one thing that they needed was more clearly defined incident management processes.
Of course, there’s never 100 percent certainty when it comes to managing the safety of your data, but there are safeguards you can put in place. First, look internally: invest in training, document incident response processes and automate these whenever possible. Second, examine your vendors: determine if they are compliant with data regulations, work exclusively with the actual software manufacturers, and ensure you aren’t being misled by grey market providers. By paying attention to these key areas, your data will stay safer, and you’ll be less at risk for fines and the bad publicity that often follows a breach.