Source – The Tampa Bay Technology Forum
With the millions of Apple IDs stolen earlier this month and the recent Go Daddy DNS outage, many organizations have started to reassess their own security and resiliency plans. Even if you were not one of the millions of people or companies directly affected by these incidents, there is no better time to reflect on the lessons learned and start implementing leading practices. The following are a few lessons we believe everyone should consider when it comes to outsourcing and data privacy.
Lesson 1 – During an Incident, Be Wary of the Hyper-Reporting
The Twittersphere and news media are hardly reliable sources for technology topics on good days, let alone when something bad happens. With Apple, it was reported that the missing data was stolen from an FBI laptop, only for it to emerge later that the data was actually taken from a Florida-based publishing firm. In the case of Go Daddy, early reports led us to believe that hacktivists caused the DNS failure; however, Go Daddy firmly denies that any external influence caused the failure. So during an incident, always apply a healthy dose of skepticism to reporting.
Lesson 2 – Sweat the Small Stuff
It sounds obvious, but few companies have a bona fide incident management plan. That’s unfortunate, because having a plan in place can substantially mitigate the potential impact of an incident. We witnessed a great example of why this is important last week, when millions of websites relying on Go Daddy’s free DNS services failed. With widespread adoption of the Internet approaching the 20-year mark, a substantial portion of our IT community did not consider DNS failure a risk worth planning for prior to the Go Daddy failure. We can assume that points of failure previously thought to be remote possibilities will get much more attention going forward.
Lesson 3 – Know Your Partners
A message we often hear is that a company may outsource a service, but it cannot relinquish accountability for the potential risks to itself, its employees, its customers, and other stakeholders. This leads to the realization that company information may only be as secure or redundant as your vendors or business partners claim it is. An effective due diligence program is needed to monitor your third-party relationships. Companies can start by reviewing assurance reports (e.g. SSAE 16 / SOC 1 or SOC 2 reports, ISO certification, etc.) and/or by conducting the appropriate first-hand inquiries and inspections. These reviews will help provide comfort over the service organization’s internal controls.
Lesson 4 – Don’t Allow Vendors to be Single Points of Failure
While availability issues are more common, what if the company went out of business? If a company as large as Go Daddy can experience widespread problems, you should not assume others are not susceptible. If your service involves data being stored with the third party, maintaining an independent backup is critical. Backup plans also include having access to other providers that may be able to step in and provide the services you need. Portability is supposed to be one of the key selling points of cloud computing. Ultimately, organizations should have the tools to either back up data or transition services to another provider in an emergency.
Lesson 5 – Integrate into Culture and Training
It might just seem like an additional item to add to the IT policy document or the growing list of mandatory training. However, you should reinforce the importance of protecting non-public and critical data by providing data awareness training to your employees on a regular and consistent basis. As security and privacy audit professionals, we default to looking for technology- or process-oriented solutions. However, what is clear is that the organizations that invest time in training and awareness activities not only respond to incidents better, but also prevent them better.