The digital age breeds constant change, and no change has been more powerful than the availability of data, specifically the ease of collecting and using personal data. For industry, this data can both accelerate new opportunities for growth and act as an anchor that drags down momentum. In an era where businesses prize data and guard against its misappropriation, it is troubling that this discernment does not carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without the company's knowledge.
Impending regulations and the changing political landscape require a more cautious approach to the collection, use and sharing of personal data. The threat of not only hefty fines but also long-term reputational damage is pushing enterprises to take a closer look at their OWN websites and mobile apps to understand exactly which partners execute code there and which of them capture personal data. This basic knowledge—a standard element of any vendor risk management program—could very well be the key to avoiding future trouble if it is adapted for a digital-first economy.
Thanks to more than 1500 data breaches in 2017 alone, which exposed more than 9 billion personal records, and to ongoing high-profile misuse of consumer data, data privacy issues dominate today's news headlines. Far from a flash in the pan, data privacy issues present critical, long-term challenges that affect both U.S. citizens and the U.S. economy.
The U.S. government has taken notice. Federal and state governments are instituting new data privacy laws that include significant penalties for companies. California was the first state to enact a security breach notification law. Following suit, the Illinois State Legislature passed a ground-breaking data privacy bill requiring internet companies and entities to clearly communicate to consumers that geolocation data is being collected, the purpose of that collection, and with whom the data is shared, e.g., business partners. Massachusetts state law mandates the technical, physical and administrative security protocols required to protect personal information, as well as a full-scale security program. Thus far, 48 states in all have enacted privacy laws requiring notification of security breaches involving personal information. Echoing global initiatives, especially the EU's GDPR, the trend toward closer governance of personal data will continue.
While enterprises are making efforts to identify personal data sources across the organization, very few of those efforts address the digital environment, specifically the company's own websites and mobile apps built for public consumption. Many companies look to their IT department to ensure that the website is operational, but many other departments, such as marketing, product and legal, contribute to this digital environment. As a result, no single individual or department directly manages the entire corporate digital footprint. Making matters worse, the internet's highly complex and dynamic environment means that a host of third parties operating outside the IT infrastructure are relied upon to render the final, consumer-facing content: product research, price comparisons, recommended content, product reviews, social media feeds, and more.
This is a serious problem in today's changing regulatory environment. Third-party code accounts for 50-78% of a typical website's code base. While companies test their own code, they can neither see nor test the code of the third parties that have unfettered access to the personal data of their digital consumers. The premier analyst firm Gartner projects that these kinds of "shadow IT" sources will be the root cause of 33% of security problems by 2020. The lack of general digital oversight, combined with third-party code, poses significant security and legal risks for corporations.
In this ever-changing digital morass, it is not enough for corporations to leave their digital risk to chance. Collaboration from all corporate levels—from the boardroom and security/IT to the marketing, risk and compliance departments—is necessary to effectively govern digital assets. To avoid regulatory scrutiny, enterprises need to oversee this new frontier and update their vendor risk management strategies to include the digital environment.
This digital vendor risk management plan should set out the rules, technologies, procedures and best practices for every party executing code in the company's websites and mobile apps, with particular attention paid to third, fourth and fifth parties. Organizations need to discover and identify all active digital vendors and communicate their digital asset management policy to them: a process that informs partners of expectations and sets parameters for measuring compliance with the relevant policy directives. With continuous monitoring, companies can proactively detect unauthorized digital activity, block the offending code and remediate any damage with the vendor responsible. In addition, a documented and operationalized process creates an audit trail.
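The discovery, allowlisting and blocking steps above can be made concrete with a small inventory check. The following Python script is an added example, not code from the author or from Digital3PC; the sample page, the first-party host `www.example.com`, the vendor hostnames and the approved-vendor list are all constructed for illustration. It parses the HTML a site actually serves, records every host that is allowed to execute script, classifies each host as first-party, approved vendor, or unapproved (a candidate "shadow IT" source), and derives a Content-Security-Policy `script-src` directive that would block script from any host not on the allowlist. Running it against real pages on a schedule gives the continuous monitoring and audit trail the plan calls for; the generated directive is the enforcement side.

```python
"""Inventory third-party script hosts on a page and derive a script-src allowlist.

Added example for illustration; all sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: first-party code plus three external script vendors,
# one of which is not on the approved list. Hostnames are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.approved-analytics.example/tag.js"></script>
<script src="https://tags.marketing-partner.example/pixel.js"></script>
<script src="https://unknown-tracker.example/collect.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""

FIRST_PARTY = "www.example.com"  # assumed host the page is served from
APPROVED_VENDORS = {             # assumed allowlist from the vendor management policy
    "cdn.approved-analytics.example",
    "tags.marketing-partner.example",
}


class ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.script_srcs.append(src)
        else:
            self.inline_scripts += 1  # inline script cannot be allowlisted by host


def script_hosts(html, first_party):
    """Return (set of hosts that may execute script, number of inline scripts)."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.script_srcs:
        host = urlparse(src).hostname
        # A relative URL such as /static/app.js resolves to the first-party host.
        hosts.add(host if host else first_party)
    return hosts, collector.inline_scripts


def classify_hosts(hosts, first_party, approved):
    """Split hosts into first-party, approved vendors, and unapproved vendors."""
    return {
        "first_party": sorted(h for h in hosts if h == first_party),
        "approved": sorted(h for h in hosts if h in approved),
        "unapproved": sorted(h for h in hosts if h != first_party and h not in approved),
    }


def csp_script_src(approved):
    """Build a script-src directive that permits only self and approved vendors."""
    sources = " ".join(sorted("https://" + h for h in approved))
    return "script-src 'self' " + sources


def inventory(html, first_party, approved):
    """Full check: classification plus the CSP directive that would enforce it."""
    hosts, inline = script_hosts(html, first_party)
    report = classify_hosts(hosts, first_party, approved)
    report["inline_scripts"] = inline
    report["csp"] = csp_script_src(approved)
    return report


if __name__ == "__main__":
    result = inventory(SAMPLE_HTML, FIRST_PARTY, APPROVED_VENDORS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample page the check reports `unknown-tracker.example` as unapproved, which is exactly the finding the monitoring step should raise for follow-up with the vendor; the emitted `script-src` directive, once deployed as a CSP header, would block that host's script without touching the approved vendors. Note that it counts inline scripts separately, since a host allowlist cannot vouch for them.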
A sound digital vendor management strategy is key to protecting personal data that would otherwise traverse the digital ecosystem unchecked. These steps can protect corporations from regulatory scrutiny while enhancing brand reputation and customer satisfaction. You have the power to protect personal data; wield it.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.