Data privacy and protection are top concerns for IT professionals these days. In fact, a survey done earlier in 2019 showed that more than 60% said they were worried or very worried about cybersecurity. And they should be. Breaches are becoming more common and regulatory bodies – like those enforcing the General Data Protection Regulation (GDPR) – are starting to hand out significant fines (upwards of USD $230 million).
In such an environment, it’s critical that companies know what’s happening with their data and take all possible steps to keep it safe. Unfortunately, this isn’t always what happens when companies opt to work with grey market providers.
Yes. Your data is at risk when you work with a grey market provider.
What is a grey market provider?
Grey market providers are companies that sell software outside of legal distribution channels. Often, they take an open source system and “sell” this to unsuspecting businesses – either with or without modification. It is, of course, unethical that a grey market provider might charge a company for a freely available product. But that’s only a small part of the problem.
Grey market providers distribute unreviewed code changes.
Frequently, grey market providers make their money by selling custom development work. To meet the requirements of their customers, they take what begins as a safe, solid open source system and start changing it. As they do, they compromise the integrity of the system. These companies are not experts in how the system works or its underlying architecture, so they may well change the system in ways that can leave it open to hackers and cybercriminals.
Grey market providers may access your data without your knowledge.
As you enter into an arrangement with a grey market provider, remember that they are the only ones who have a full understanding of what’s happening with your new system. They are the only ones who know how it has been changed and adapted. This means that, as the business owner, you simply do not know what is happening with the data in your system. It could be accessed at any time by the provider! And, even if gaining access to your data isn’t the provider’s underlying intention, you simply don’t know if the changes they’ve made to the system make it vulnerable to others who might want to gain access to your data.
Grey market providers may cause data loss.
Even if everything is going well while working with your grey market provider, the time will come when your system needs to be updated. Whether this is because of newly released security patches or because there’s simply a more exciting version available, you’ll want to upgrade. When that time comes, upgrade steps will rely on your system having a specific data structure and the right tables. If it does not, which is often the case after a grey market provider has modified the system, you either can’t upgrade (leaving your system vulnerable again) or you lose data in the process. In fact, we recently had one customer who faced losing 86% of their data!
What can I do to keep my data safe?
Ideally, you should seek out the official product manufacturer. This is really the only way to ensure that you are getting a product that is safe and secure for you and your customers. In addition to safety, you gain access to people who have significant expertise with the product. This means that support and upgrades will go much more easily, and you will get more out of your system because they know the best way to configure it.
If you’re not working directly with a product manufacturer, be sure to ask your vendor detailed questions about the permission that they have to distribute the software and support expectations.
When you enter into a relationship with a grey market provider, it may seem more budget-friendly initially, but you are putting your data at risk when you make this choice. As we get ready to implement the General Data Protection Law (GDPL) here in Brazil, I’m concerned about companies that make this choice. They will face fines like those in the EU because they’ve opted to obtain software outside of legal distribution channels. Sometimes, the cheaper option today costs more in the long run.