What happens when your security vendor isn’t so secure?
As we approach Data Privacy Day on January 28, I’ve reflected on what I’ve written in the last few months as to what happens when major businesses don’t do enough to protect consumer data, why they need to do better, etc.
Today I want to explore what happens when the business at the center of the breach is a company that has, fundamentally, a mission to help organizations protect their data.
This morning we learned Microsoft accidentally exposed 250 million customer service and support records online. These records span 14 years, from 2005–2019, and contained a range of sensitive data; customer email addresses, IP addresses, locations, and case numbers, resolutions, and remarks.
Thankfully, once they learned of the breach, Microsoft resolved the issue within 24 hours.
Microsoft has been and continues to be a Titus partner. If this could happen to Microsoft, it can happen to any organization.
Practice what you preach
As security vendors, we talk a lot about what our customers must do to keep their data safe.
That’s not enough.
We need to foster a sense of trust with our customers.
Once a customer deploys one of our solutions, we’re inserting ourselves into their security strategy. As such, they need to know that we practice what we preach in terms of securing the data within our own environment.
This also isn’t a practice confined to Microsoft. I think it’s easy to read about large vendors and assume that your vendor is different because they’re smaller, faster, more responsive, or whatever the case may be.
Data security is something every vendor must always be vigilant about.
Tips to evaluate your security partners
Want to ensure you’re dealing with a vendor or partner that takes security seriously?
Consider the following:
1. How do they talk about security?
This boils down to one thing – are they using market terminology correctly? It sounds simple, but there are many vendors out there who claim to offer popular technology, however, their definition of that technology isn’t quite right. Titus sees this with the data classification industry, as there are a growing number of vendors claiming to offer “data classification”, but what they actually offer is “labelling” or another “lite” version of classification.
Understand what your organization means when they talk about a particular security offering and ensure the vendor is offering exactly what you’re looking for.
2. Rigorously test multiple scenarios and use cases
Have you ever looked at a demo from a vendor and were absolutely blown away by its ease of use? It’s a great feeling, isn’t it? Many of us know that this feeling can be fleeting when you realize that the solution that is purported to solve all of your biggest problems only offers a great user experience in a very specific scenario.
Sometimes this capability gap isn’t uncovered until you’re knee-deep in deployment issues.
So when you look at a solution within a proof of concept (POC) environment, be sure to test not only your specific use case, but one or two adjacent use cases that may pop up in the future. This will give you peace of mind that the solution you’re looking to purchase doesn’t just work in ideal scenarios but in all relevant use cases.
3. Putting all your eggs in one basket
As we’ve written about before, there are two schools of thought when it comes to security – investing fully in one platform or carefully selecting solutions that work together and offer the right elements for your organization’s specific needs.
While no scenario is completely risk-free, choosing only one vendor for your security needs (the platform option) makes your organization wholly dependent on that vendor to keep your data private and secure.
That’s an incredible leap of faith, particularly as many of these platform vendors have reported at least one significant data breach in the last couple of years.
As security vendors, we owe it to our customers to lead by example when it comes to data security.
After all, if we can’t protect the data within our organization, how can we protect the data within yours?