Encryption Ensures that Outsourcing Partnerships Don’t Put Data at Risk
by Trent Telford, CEO, Covata
Wednesday, November 04, 2015
When it comes to safeguarding data, third-party partners, such as business process outsourcers (BPOs), have emerged as de facto extensions of the modern enterprise organization.
In today’s modern enterprise, intangible assets such as intellectual property, customer information and other critical data account for more than one-half of the organization’s value worldwide, according to Brand Finance, a consultancy specializing in the valuation of intangible assets.
Enterprises are increasingly entrusting these assets to external partners, with 57 percent of those studied sharing critical consumer information with third parties or BPOs, according to research from the Ponemon Institute. Further, global IT outsourcing now amounts to a $287 billion market that’s growing at a compound annual rate of 6.5 percent, according to Gartner.
However, businesses are encountering significant risks. Nearly two-thirds, in fact, have repeatedly experienced a breach of consumer data that had been outsourced to a vendor, according to the Ponemon study. In 56 percent of the cases, companies discovered the breach by accident, in contrast to just 27 percent of cases that were revealed by security/control procedures.
Overall, 28 percent of threat incidents are attributed to third parties, up from 20 percent in 2010, according to PwC. Despite the trend, less than one-third of organizations require third parties to comply with their policies. Three-quarters have not developed a complete inventory of all third parties that handle personal data relating to employees and customers. Roughly one-half say they do not or are unsure whether they monitor the security and privacy practices of the vendors with which they share sensitive or confidential consumer information on an ongoing basis, Ponemon reports.
Meanwhile, only 43 percent of vendors can demonstrate proof of reasonable security practices and a mere 21 percent continuously train their security teams. Vendors are also falling short on encryption, as only 43 percent of those studied encrypt sensitive data in motion and at rest. That could stand out as the most glaring of lapses, because data-centric encryption, particularly as it applies to the sharing of data and intellectual property, is proving to be business-critical.
Encryption solutions exist that enable companies to maintain full administrative control over the files and data they share with their partners, outsourcers and network of stakeholders. Outsourcers need to leverage object-level, data-centric solutions that ensure shared data is secured whether on-premise or in the cloud, accessed by a desktop or mobile device. Indeed, BPO partners can gain a distinctive advantage over competitors by effectively deploying object-level encryption. In doing so, BPOs will convey a more substantial security posture by locking down vulnerable data at the cross-border and network level.
To be clear: BPOs should not abandon traditional, perimeter-based tools such as firewalls, endpoint-protection products and anti-malware solutions, but their mindsets should transform from perimeter-centric to data-centric. Through object-level encryption, security follows the flow of data instead of the flow of the network. Thus, when hackers gain access to third-party systems (and they will), they’ll conclude that the “plunder” within – the data – is useless due to the advanced key management, identity oversight and policy implementation characteristics of object-level encryption.
With proper key management, teams designate a unique key for every data file with on-device encryption. Then, identity oversight determines who receives the key, to verify that the users in question merit the access. The policy component of this three-layer “cake” imposes authoritative control over any and all data. Security teams and business leaders define access controls down to the smallest details – including what can be printed, what can be called up on “view only” and whether copy-paste restrictions apply. These teams and leaders can view file history and – if it’s necessary for data protection – immediately revoke availability.
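The three layers described above (a unique key per file, identity-gated key release, and policy with revocation) can be sketched as follows. This is an added example, not Covata's code or anything from the original article; KeyBroker, protectObject, openObject and the user and file names are hypothetical, and it relies on Node.js's built-in crypto module with AES-256-GCM.

```javascript
// Added illustration: per-file keys, identity-gated key release, policy, revocation.
// KeyBroker, protectObject, openObject and all names below are hypothetical.
const crypto = require('node:crypto');

class KeyBroker {
  constructor() { this.records = new Map(); } // fileId -> { key, policy, revoked }

  // Key management: a fresh 256-bit key for every file.
  register(fileId, policy) {
    const key = crypto.randomBytes(32);
    this.records.set(fileId, { key, policy, revoked: false });
    return key;
  }

  // Identity oversight and policy: release the key only for a permitted action.
  release(fileId, user, action) {
    const rec = this.records.get(fileId);
    if (!rec || rec.revoked) throw new Error('access revoked or unknown file');
    const allowed = Object.hasOwn(rec.policy, user) ? rec.policy[user] : [];
    if (!allowed.includes(action)) throw new Error(`${user} may not ${action}`);
    return rec.key;
  }

  // Revocation: no further key releases for this file.
  revoke(fileId) {
    const rec = this.records.get(fileId);
    if (rec) rec.revoked = true;
  }
}

// Owner side: encrypt the object. The file id is bound in as AAD so a
// ciphertext cannot be relabelled as a different file.
function protectObject(broker, fileId, plaintext, policy) {
  const key = broker.register(fileId, policy);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(fileId));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { fileId, iv, body, tag: cipher.getAuthTag() };
}

// Partner side: the broker decides whether the key is released at all.
function openObject(broker, obj, user, action) {
  const key = broker.release(obj.fileId, user, action);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, obj.iv);
  decipher.setAAD(Buffer.from(obj.fileId));
  decipher.setAuthTag(obj.tag);
  return Buffer.concat([decipher.update(obj.body), decipher.final()]).toString('utf8');
}
```

Revocation in this sketch blocks future key releases only; a client that already holds a released key is unaffected, so print and copy-paste restrictions depend on a trusted viewer that never exposes the key to the user.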
One simply has to read the most recent headlines about breaches to comprehend the urgency at hand. The 2013 Target hack, of course, stands out as a textbook example, as cyber criminals stole network-access credentials from a heating, air conditioning and refrigeration contractor hired by the mega-retailer.
That’s why encryption must play the leading role in safeguarding the enterprise’s data. Adversaries, after all, aren’t plotting their next network attack in the interest of a sporting challenge. They want to grab the data inside of the network and exploit it to its maximum potential. When the strategies of outsourcers and their client organizations focus on object-level encryption, hackers discover that the data is as worthless to them as Monopoly money – paving the way for the partnership to endure in a productive, secured manner.