October is Cybersecurity Awareness Month, a collaborative effort between government agencies, specifically the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), and private industry to generate greater awareness of cybersecurity threats both nationally and internationally.
This year’s campaign theme — “See Yourself in Cyber” — serves as a reminder that cybersecurity is more than just deploying the latest technologies to harden the network perimeter and protect the sensitive private data with which businesses are entrusted.
It’s not just about technology. It’s also about the many and varied constituents who use technology to interact with a business. These range from the customer service representatives on the front line who authenticate a customer’s identity to the growing constellation of third-party vendors and partners every business relies on to keep its operations running smoothly, whether they are payroll providers, IT consultants, or legal tech vendors that collaborate with corporate legal departments.
All of these third parties represent a potential point of vulnerability that could be exploited by a threat actor or even a trusted insider with an axe to grind. So what steps can you take to ensure that the third parties you work with can be trusted?
Assessing Third-Party Risk
Third-party risk is any risk introduced to an organization by the external parties in its ecosystem or supply chain. Managing and mitigating third-party risk is critical for any organization that wants to keep track of the threats it faces.
Threat actors have learned that it’s often easier to exploit weaknesses in the supply chain by targeting third-party vendors, who typically have less mature security controls than the organizations they serve.
By compromising a “trusted” vendor, an attacker can also more easily establish persistence inside the target’s network, quietly conducting reconnaissance and escalating privileges in order to reach a company’s most valuable asset: its data.
Third-party risk management is also increasingly a factor in one of today’s most damaging threats: ransomware. A newer breed of ransomware operators employs tactics such as “double extortion,” in which they not only encrypt a victim’s data but also exfiltrate it and threaten to publish it, applying leverage to accelerate payment. These threat actors understand that data privacy regulations such as GDPR and CCPA require companies to safeguard sensitive customer data and expose them to steep financial penalties when they fail, not to mention the reputational damage that accompanies a breach or disclosure. This can give victims an added incentive to comply with the operators’ demands for payment.
According to the 2021 CrowdStrike Global Security Attitude Survey, 84% of decision-makers believe that software supply chain attacks could become one of the biggest cyber threats to organizations like theirs within the next three years. Yet despite these pervasive fears, only 36% have vetted all new and existing suppliers for security purposes in the last 12 months.
With this in mind, there are some practical steps that organizations can take to ensure their data remains secure and in compliance with an evolving regulatory environment. In addition to incorporating security best practices – such as employing end-to-end encryption, mandating the use of multifactor authentication (MFA), and adopting zero trust network access – organizations should also look for ways to limit their data movement to keep their sensitive customer data secure.
Moving data is inherently risky, particularly when the data belongs to a client. Every transfer, whether between storage devices or between public cloud services, is an opportunity for something to go wrong: data can be lost, stolen, intercepted, delivered to the wrong recipient, or corrupted. The fewer places and tools that hold a copy of the data, the smaller the attack surface and the less likely the data is to be compromised.
The way we see security, you can either “brush it on” after the fact or “bake it in” so it’s infused into your entire organization. At Casepoint, we’ve always embraced the latter approach and have worked hard to bake security into our legal discovery platform as well as the workflows and processes that support our customers’ success.
This baked-in approach to security also extends to how we help customers protect their data and effectively respond in the event of a breach. It’s also one of the reasons why we recommend that customers, regardless of the type of security controls they might have in place, define a comprehensive data protection policy (DPP).
A DPP is a security policy that standardizes how data is used, managed, and monitored, and where it is consumed, stored, and processed, both by the organization itself and by any third parties with access to it. If your organization experiences a data breach or is subjected to a compliance audit, such a policy provides an invaluable roadmap for formulating an appropriate response while demonstrating to regulators that a defined policy was in place.
Regulatory compliance is an important piece of any organization’s security puzzle, and the Casepoint legal discovery platform has been designed to ease compliance concerns. It not only offers tools for responding to a variety of data subject requests under GDPR, CCPA, and other emerging data privacy regulations, but can also help accelerate your response to a data breach.
Finally, Casepoint has established comprehensive security measures across all levels to ensure that all data, applications, and infrastructure remain fully protected and secure. Our baked-in approach to security is organized across these three pillars:
- Organizational Security
We believe security is the responsibility of each and every employee and work tirelessly to ensure that our employees are continuously trained and tested on security best practices.
- Architectural Security
In addition to encrypting customer data, Casepoint supports single sign-on via the SAML protocol and offers multifactor authentication on all customer accounts.
- Operational Security
Our operational security controls include physical security controls that protect information assets in our offices, network security controls such as intrusion prevention systems (IPS), and application security measures such as a release management process that controls the rollout of major changes and minimizes the chance of introducing third-party vulnerabilities.
To learn more about how Casepoint keeps your data secure and helps organizations manage third-party risk, visit our security page.