The Case for External Data Privacy (EDP) Controls for Organizations and their Affiliates/Partners
Leading information security professionals at organizations of all sizes, both public and private, may be operating with several dangerous blind spots, which threaten to undermine their significant investments into cybersecurity. Because of these blind spots – and more importantly ambivalence about the risks they pose – organizations are exposing themselves to potentially catastrophic data breaches and the costly repercussions that typically follow. The disquieting truth is that while organizations have been hardening networks and educating work forces about data security best practices for decades, the focus has been predominantly trained upon internal data security.
There is too little mainstream discussion of “external data security” as a threat category, or of the critical vulnerability created by failing to focus on this emerging risk. The purpose of this paper is to clarify what constitutes “external data”, to illustrate the predominant avenues through which criminals leverage it, and then to suggest best practices for mitigating this clear and present danger to your organization by ensuring robust External Data Privacy (EDP).
What is External Data?
At Privacy Bee, “external data” is defined as all Personally Identifiable Information, or PII, on every member of an organization’s workforce that is – whether knowingly or unwittingly – accessible or available outside of the employee’s or the organization’s security perimeter. From C-level executives to mid-level management to the rank-and-file of the labor pool – and even external contractors like freelancers and 1099 independent contractors – any PII related to the workforce, and even their immediate families, available via People Search Sites, Data Broker sites, Paste Sites, public directories, or any other public-facing site is considered external data. Additionally, external data also includes the PII of every employee or agent within each vendor with whom your organization does business.
Currently, there is a broad disconnect between data security policies and practices and the nature of the threats facing CISOs, CIOs and their organizations when it comes to protecting the enterprise from data breaches. Even as the frequency and severity of social engineering cyber attacks grow, many InfoSec pros are not facing the problem head on. In industry after industry, unsecured external data is being harnessed by bad actors to successfully launch ransomware, phishing and other social engineering attacks.
For example, in a single week of September 2022 the FBI issued two industry notifications to the healthcare sector, warning that criminals were targeting medical payment processors for PII theft.
In late 2022, Forbes Tech Council revealed the shocking numbers from a poll of Dow 30 executives. One hundred twenty-four C-suite executives reported that extremely sensitive external data or PII had been exposed, leading to breaches of consequence. Forbes Tech Council figures included:
- 77% of executives having their physical addresses exposed on the dark web
- 74% of executives having their phone numbers exposed on the dark web
- Over 40% having their LinkedIn profiles exposed
- 25% having corporate passwords exposed!
The report even revealed that one executive from every single company listed on the Dow 30 had had their physical home address exposed!
Clarifying the PII Dialogue
Many organizations already have policies and practices in place to protect PII – but only the PII of their customers (which is internal data). There is clear awareness and sensitivity on the part of organizations to protect the PII entrusted to them by customers, donors, campaign supporters, students, patients, etc. Most customers and patrons are already leery about handing over credit card information, social security numbers, addresses, phone numbers and other PII. However, they must presume that reputable organizations go to great lengths to convey trust and security to their audiences and take great care to be good stewards of that data. And to a large extent, most organizations do. Yet, if they fail to recognize and address the external data threat, their efforts may be in vain.
The disconnect between policies designed to protect customer PII held in internal data structures and employee PII available from a mushrooming array of data brokers and external sources is where the vulnerability exists. It is this very vulnerability cyber criminals are leveraging to power social engineering scams, and therefore those avenues of criminal activity are seeing the greatest growth at this time. It is also why data brokerage as an industry is projected to reach $462 billion by 2031 according to Transparency Market Research data.
It is not news to any CISO or CIO that external threats to data security exist. Malware, phishing, spear phishing, smishing, vishing, DDoS attacks, ransomware and a host of other attack vectors falling under the heading of “social engineering” attacks are most certainly known threats for information security professionals. The disconnect or misalignment can be seen in the methods most organizations continue to apply to interrupting these threats or otherwise hardening their systems against them. Some of the most commonly employed tactics to combat data threats today are inward-facing practices such as:
- Data Masking
- Identity Access Management
- Data Encryption
- Password Hygiene
- Data Loss Prevention
- Anti-malware, Antivirus and Endpoint Protection
- Cloud Security
- Email Security
- Workforce Awareness Training
- Zero Trust security models
To illustrate how, in spite of all these strategies, organizations still remain vulnerable to external data security threats, look no further than the data breach of the Federal Bureau of Investigation’s InfraGard. In December 2022, InfraGard, a program designed by the FBI to build cyber and physical threat information sharing partnerships between the government and the private sector, was hacked. A database of contact information on more than 80,000 members was revealed to be available for sale online via a notorious cyber crime marketplace. The FBI’s own cyber threat unit was brought low not by a deficiency in any of the above-listed security practices.
Rather, as reported by security news and investigation outlet KrebsOnSecurity, the FBI’s “database of contact information on more than 80,000 members [went] up for sale on an English-language cyber crime forum. Meanwhile, the hackers responsible [were] communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”
Yes, a vaunted program built by the FBI and involving what is described as “a vetted Who’s Who” of cybersecurity professionals for companies managing the nation’s vital infrastructures like drinking water and power utilities, banking firms, communications networks, nuclear energy companies, transportation, manufacturing and more, was infiltrated and compromised. Not because the bad guys got through the hardened encryption or endpoint protection or firewall. But because a corporate CEO was duped out of revealing his credentials.
This profound example perfectly illustrates the two predominant avenues cyber criminals have been leveraging to exploit weak external data security, even at the highest levels. These two avenues are:
- Ready access and availability of Personally Identifiable Information (PII) via external sources, and
- Myopic Vendor Risk Management policies which fail to account for how the PII of external stakeholders (i.e., vendors’ employees) can be weaponized
The fact is, easy access to PII is what drives the explosion in social engineering attacks, which have become the primary driver of data breaches in the US. The 2022 Incident Response Report from cybersecurity firm Palo Alto Networks published a graphic visualization illustrating criminals’ increasing preference for exploiting external data privacy gaps. Note that in 2022, attacks on internal data structures through brute force credential attacks and through hacking to exploit software vulnerabilities were responsible for a combined 40% of initial, unauthorized access to information systems. On the other hand, phishing, social engineering and otherwise compromised credentials made up 48% of unauthorized access. Clearly, the perpetrators of cyber crime favor social engineering as the most effective method of breaching defenses and either stealing or extorting money from their victims.
Gartner research concurs and confirms the trend, offering the following strategic planning assumptions for organizations seeking to get ahead of the wave of social engineering crimes. What’s notable is that Gartner suggests that awareness training alone is insufficient, and that cybersecurity performance will be built into executive compensation packages. These two findings underscore the exigent need for cybersecurity solutions which include External Data Privacy tools working alongside their internal security counterparts.
“By 2025, 40% of cybersecurity programs will deploy socio-behavioral principles (such as nudge techniques) to influence security culture across the organization, up from less than 5% in 2021. By 2026, at least 50% of C-Level executives will have performance requirements related to cybersecurity risk built into their employment contracts.
“Gartner research found that 93% of employees performing certain unsecured actions in the workplace already knew their behavior increased risk to their organization — further indication that security awareness training alone has little discernible influence on employee work practice.” – CISO Foundations: Build a Culture of Security Consciousness – Introducing the Gartner PIPE Framework
Why Has the Criminal Strategy Changed?
Information Security has become a victim of its own success. Due to the strength of the fortifications listed above and the difficulties involved in breaking in directly, cyber criminals have concluded the battle is not worth fighting. It is too difficult and time consuming to break through heavily fortified networks – via brute force or other methods – to deploy a ransomware attack, steal intellectual property or even siphon away customer PII like credit card info or social security numbers. Working smarter for today’s criminals means finding alternative access.
That’s where external data – PII but not customer PII, rather employee or vendor employee PII – fits into the picture. Proliferating data brokers, People Search Sites and other data aggregators are proving to be a bonanza for hackers and criminals. While it is difficult to break encryption or circumvent a firewall as a means of gaining access to protected networks, it is very easy to find out when a network administrator (let’s call her Janet) has purchased a home. Or perhaps Janet has undergone a surgical procedure, or had a child recently accepted to university, or taken a recent trip to Portugal.
All manner of data is routinely captured by every individual’s interaction on the internet. Every website visited – Janet’s realty group website, her medical group website, the university admissions website and the online travel agent website she visited – captures and chronicles her personal information. For a modest fee, a cyber criminal can purchase Janet’s PII and then use what they learn about her recent activities to power social engineering attacks.
Janet may be well trained in maintaining a critical eye when it comes to emails she receives about work-related topics. Her defenses may be more easily disarmed by a link in an email appearing to be from her medical group suggesting her test results are ready for review. Janet may not think twice about clicking a link appearing to be from the hotel where she stayed in Ibiza to address an additional room charge which accrued after she’d checked out.
The frightening fact is that this externalized PII is available for every single employee within and adjacent to your organization, making every single person with login credentials to any of your internal information systems a viable and easy target for social engineering, doxing, telemarketing spammers, and even HR poaching. You may innately understand what is involved in hardening internal data security. But how are you supposed to deal with the external online activities and habits of your entire workforce and those of your vendors and third-party business partners?
Interrupt the Exploitation of External Data
The Privacy Bee Business Platform is designed to cast a protective shield over an entire organization. This includes all employees, their families, contractors, freelancers and even employees of vendors with whom your systems may integrate.
Drawing on a burgeoning database of 350+ data brokers, People Search Sites and other data aggregation sources, the Privacy Bee Business service works to scrub your employees’ data from all major data brokerages, People Search Sites, etc., and then takes the additional step of cleaning up any previously exposed information from major search engines.
Employee Risk Management dashboards allow an organization to set minimum thresholds for exposure – the Employee Risk Score – and then provide visualizers to monitor each employee’s risk profile. Keeping the entire staff within acceptable tolerances helps safeguard your organization against targeted attacks.
External Data Privacy Audit discovers and analyzes data exposures for your employees and also for your vendors. Another centralized dashboard helps keep close tabs on external data exposure and the impacts this has on productivity. The application performs financial risk assessments to deliver estimated costs of external exposures. The dashboard provides metrics such as “Company Risk Scores”, “At-Risk Vendors”, “At Risk Employees”, “Top Exposure Sources” and others. These External Data Privacy metrics support active, quantifiable governance over risk tolerances and deliver a concrete method for measuring progress as you reduce the organization’s external data risk.
Vendor Risk Management delivers control over vendor access to external company data and allows an organization to enforce its information security policies by extending them over the vendor organization as well. Dashboards for Vendor Risk Management display Vendor Risk Scoring, and allow you to set a minimum vendor score. If any vendor cannot meet the minimum security threshold, they can be removed or suspended until they mitigate the identified risk to attain compliance with your policy.
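The threshold policies described above (an employee exposure tolerance, a minimum vendor score, and a ranking of exposure sources) can be expressed as a small piece of defender-side tooling over the findings an external data audit returns. The following Python sketch is an added illustration, not Privacy Bee code and not its scoring model: the field weights, the "100 minus most exposed employee" vendor score, the thresholds, the source names and the findings are all constructed assumptions, chosen only to show how threshold-based governance over exposure data works.

```python
"""Threshold-based external exposure scoring (added illustration).

Every weight, threshold, source name and finding below is a constructed
assumption for this example; none of it is Privacy Bee's scoring model.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed weights per exposed PII field: higher means more useful to a
# social-engineering attacker, so a leaked corporate password is weighted worst.
FIELD_WEIGHTS = {
    "home_address": 20,
    "phone": 15,
    "personal_email": 10,
    "linkedin_profile": 5,
    "family_member": 10,
    "corporate_password": 50,
}


@dataclass(frozen=True)
class Finding:
    person: str   # employee or vendor-employee identifier
    org: str      # "self" for our own workforce, otherwise the vendor name
    source: str   # data broker / people-search / paste site (constructed names)
    field: str    # key of FIELD_WEIGHTS


# Constructed sample findings, shaped like the output of an external data audit.
SAMPLE_FINDINGS = [
    Finding("janet", "self", "peoplefinder-example.test", "home_address"),
    Finding("janet", "self", "brokerA.test", "phone"),
    Finding("janet", "self", "pastebin-like.test", "corporate_password"),
    Finding("omar", "self", "brokerA.test", "linkedin_profile"),
    Finding("v1-ana", "AcmeBilling", "peoplefinder-example.test", "home_address"),
    Finding("v1-ana", "AcmeBilling", "brokerB.test", "phone"),
    Finding("v1-ana", "AcmeBilling", "brokerB.test", "family_member"),
    Finding("v2-li", "CloudHost", "brokerA.test", "linkedin_profile"),
]


def employee_risk_scores(findings):
    """Employee Risk Score: sum of field weights per person, capped at 100.
    Higher means more exposed."""
    scores = defaultdict(int)
    for f in findings:
        scores[f.person] += FIELD_WEIGHTS.get(f.field, 0)
    return {person: min(score, 100) for person, score in scores.items()}


def at_risk_employees(findings, max_risk, org="self"):
    """People in `org` whose risk score exceeds the tolerance `max_risk`."""
    own = [f for f in findings if f.org == org]
    return sorted(p for p, s in employee_risk_scores(own).items() if s > max_risk)


def vendor_scores(findings):
    """Vendor Risk Score (assumed model): 100 minus the risk score of the
    vendor's most exposed employee, so higher is better."""
    by_vendor = defaultdict(list)
    for f in findings:
        if f.org != "self":
            by_vendor[f.org].append(f)
    return {v: 100 - max(employee_risk_scores(fs).values())
            for v, fs in by_vendor.items()}


def vendors_below_minimum(findings, min_score):
    """Vendors that fail the minimum score and would be suspended under policy."""
    return sorted(v for v, s in vendor_scores(findings).items() if s < min_score)


def top_exposure_sources(findings, n=3):
    """Sources contributing the most findings, most frequent first."""
    return Counter(f.source for f in findings).most_common(n)


if __name__ == "__main__":
    # Assumed policy: employees above 50 and vendors below 70 need action.
    print("Employee risk scores:", employee_risk_scores(SAMPLE_FINDINGS))
    print("At-risk employees   :", at_risk_employees(SAMPLE_FINDINGS, 50))
    print("Vendor scores       :", vendor_scores(SAMPLE_FINDINGS))
    print("Vendors to suspend  :", vendors_below_minimum(SAMPLE_FINDINGS, 70))
    print("Top exposure sources:", top_exposure_sources(SAMPLE_FINDINGS))
```

With the sample data, the employee holding a leaked corporate password is the only one above the assumed tolerance, the vendor whose billing clerk has a home address, phone and family member exposed falls below the assumed minimum, and the source ranking points at the broker to prioritise for removal requests.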
Privacy Bee Business sets up 24/7/365 privacy monitoring and delivers a configurable interface for organizations to make and enforce compliance with privacy choices. This includes
Where are the Weak Points?
You cannot manage what you cannot measure. Privacy Bee for Business helps organizations serious about External Data and Vendor Risk Management identify the unknown unknowns of their risk profile. Begin today with an External Data Privacy Audit and then learn more about the entire suite of solutions to protect your organization against risks and threats to your operations.