Monthly Archives: September 2022

Investing in the Cybersecurity Infrastructure to Reduce Third-party Remote Access Risks

The purpose of this second-annual research study is to understand how organizations are investing in their cybersecurity infrastructure to minimize third-party remote access risk and what primary factors are considered when making improvements to the cybersecurity infrastructure. In this year’s report, we include the best practices of organizations that are more effective in establishing a strong third-party risk management security posture.

Sponsored by SecureLink, Ponemon Institute surveyed 632 individuals who are involved in their organization’s approach to managing remote third-party data risks and cyber risk management activities. According to the research, 54 percent of respondents say their organizations experienced one or more cyberattacks in the past 12 months and the financial consequences of these attacks during this period averaged $9 million.

The average annual investment in the cybersecurity infrastructure is $50.8 million. According to the research, incentives to invest in the infrastructure include solving system complexity and effectiveness (reducing high false positives) and increasing in-house expertise.

Since last year’s research, no progress has been made in reducing third-party remote access risks. The security of third-party remote access is not improving. Therefore, the correct decisions regarding investment in the cybersecurity infrastructure to reduce these third-party risks are becoming increasingly important. Respondents were asked to rate the effectiveness of their response to third-party incidents, detection of third-party risks and mitigation of remote access third-party risks on a scale of 1 = not effective to 10 = highly effective.

Only 40 percent of respondents say mitigating remote access is very effective, 53 percent of respondents say detecting remote access risks is very effective and 52 percent of respondents say responding to these risks and controlling third-party access to their network is highly effective.

The risks of third-party remote access

In the past 12 months, organizations that had a cyberattack (54 percent) spent an average of more than $9 million to deal with the consequences. The largest share of the $9 million ($2.7 million) was spent on remediation and technical support activities, including forensic investigations, incident response activities, help desk and customer service operations. This is followed by damage or theft of IT assets and infrastructure ($2.1 million).

Investments in the cybersecurity infrastructure should focus on improving governance and oversight practices and deploying technologies to improve visibility of people and business processes. Investment in oversight is important because of the uncertainty about third parties’ compliance with security and privacy regulations. On average, less than half (48 percent) of respondents say their third parties are aware of their industry’s data breach reporting regulations. Only 47 percent of respondents rate the effectiveness of their third parties in achieving compliance with security and privacy regulations that affect their organization as very high.

Data breaches caused by third parties may be underreported. Respondents reporting their organization had a third-party data breach increased from 51 percent to 56 percent. However, organizations may not have an accurate understanding of the number of data breaches because only 39 percent of respondents say they are confident that the third party would notify them if the data breach originated in their organizations.

In the past 12 months, 49 percent of respondents say their organizations experienced a data breach caused by a third party either directly or indirectly, an increase from 44 percent in 2021. Of these respondents, 70 percent say in this year’s research that it was the result of giving too much privileged access to third parties, a slight decrease from 74 percent of respondents in 2021.

Organizations are having to deal with an increasing volume of cyberthreats. Fifty-four percent of respondents say their organizations experienced one or more cyberattacks in the past 12 months. Seventy-five percent of respondents say that in the past 12 months the volume of cyberthreats increased significantly (25 percent), increased (27 percent) or stayed the same (23 percent). The security incidents most often experienced in the past 12 months were credential theft, ransomware, DDoS and lost or stolen devices.

Managing remote access to the network continues to be overwhelming, but the security of third parties’ remote access to the network is not an IT/IT security priority. Sixty-seven percent of respondents say managing third-party permissions and remote access to their networks is overwhelming and a drain on their internal resources. Consequently, 64 percent of respondents say remote access is becoming their organization’s weakest attack surface. Despite the risks, less than half (48 percent) of respondents say the IT/IT security function makes ensuring the security of third parties’ remote access to its network a priority.

Remote access risks are created because only 43 percent of respondents say their organizations can provide third parties with just enough access to perform their designated responsibilities and nothing more. Further, only 36 percent of respondents say their organizations have visibility into the level of access and permissions for both internal and external users.

The ability to secure remote access requires an inventory of third parties that have this access. Only 49 percent of respondents say their organizations have a comprehensive inventory of all third parties with access to its network. The 51 percent of respondents who say their organizations don’t have an inventory, or who are unsure, say it is because there is no centralized control over third-party relationships (60 percent) and because of the complexity of third-party relationships (48 percent).

Organizations continue to rely upon contracts to manage the third-party risk of those vendors with access to their sensitive information. Only 41 percent of respondents say their organizations evaluate the security and privacy practices of all third parties before allowing them to have access to sensitive and confidential information.

Of these respondents, 56 percent say their organizations acquire signatures on contracts that legally obligate the third party to adhere to security and privacy practices, followed by 50 percent of respondents who say written policies and procedures are reviewed. Only 41 percent of respondents say their organizations assess the third party’s security and privacy practices.

A good business reputation is the primary reason not to evaluate the security and privacy practices of third parties. Fifty-nine percent of respondents say their organizations are not evaluating third parties’ privacy and security practices or they are unsure if they do. The top two reasons are respondents (60 percent) have confidence in the third party’s business reputation and 58 percent of respondents say it is because the third party is subject to contractual terms.

Ongoing monitoring of third parties is not occurring in many organizations, and a possible reason is that few organizations have automated the process. Only 45 percent of respondents say their organizations are monitoring on an ongoing basis the security and privacy practices of third parties with whom they share sensitive or confidential information.

Of these organizations, only 36 percent of respondents say the monitoring process of third parties is automated. These organizations spend an average of seven hours per week automatically monitoring third-party access. Those organizations that manually monitor access (64 percent of respondents) say that they spend an average of eight hours each week monitoring access. The primary reasons for not monitoring third parties’ access are reliance on the business reputation of the third party (59 percent of respondents), the third party being subject to contractual terms, and not having the internal resources to monitor (both 58 percent of respondents).

Poorly written security and privacy policies and procedures are the number one indicator of risk. Only 41 percent of respondents say their third-party management program defines and ranks levels of risk. Sixty-three percent of respondents say poorly written security and privacy policies and procedures, followed by a history of frequent data breach incidents (59 percent of respondents), are the primary indicators of risk. Only 35 percent say they view the third party’s use of a subcontractor that has access to their organizations’ information as an indicator.

To read the full report, including charts and graphs, visit SecureLink’s website here

‘Data broker’ Oracle misleads billions of consumers, lawsuit alleges, enables privacy end-arounds

Bob Sullivan

At least one Big Tech firm has glided mostly under the radar during the recent techlash — Oracle — but that relative obscurity might be coming to an end. A class-action lawsuit filed against the data giant by some heavy-hitters in the privacy world alleges that Oracle combines some of the worst qualities of Google and Facebook, at a scale even those firms have trouble matching.  Oracle has incredibly intimate information on 5 billion people around the planet — and the lawsuit alleges that the firm trades on that information largely without anyone’s consent.

Oracle combines a variety of data it collects through its own cookies, data it buys from third parties, and data it acquires from real-world retailers, to harmonize billions of data points into single identities that can be targeted with political or commercial messages, the lawsuit says.  This “onboarding” of offline with online data creates uniquely detailed profiles of consumers.

“The regularly conducted business practices of defendant Oracle America amount to a deliberate and purposeful surveillance of the general population,” the lawsuit alleges. “In the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people.”

Oracle holds data on 300 million Americans, or about 80% of the population, according to the suit. Those individual consumers can be tracked “seamlessly across devices.” In a video posted by the plaintiffs, Oracle founder Larry Ellison boasts that Oracle data can track consumers into stores, micro-target them right to the location where they stand in an aisle, and connect that to store inventory in that very aisle.

“By collecting this data and marrying it to things like micro-location information, Internet users’ search histories, website visits and product comparisons along with their demographic data, and past purchase data, Oracle will be able to predict purchase intent better than anyone,” Ellison boasts in the video.

The firm also builds extensive profiles of individuals, then places them into marketable categories.

“Oracle then infers from this raw data that, for example, a person isn’t sleeping well, or is experiencing headaches or sore throats, or is looking to lose weight, and thousands of other invasive and highly personalized inferences,” the suit says.

One of the plaintiffs is Johnny Ryan, Senior Fellow of the Irish Council for Civil Liberties, whom I interviewed extensively for our recent “Too Big to Sue” podcast with Duke University.

“Oracle has violated the privacy of billions of people across the globe. This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle’s surveillance machine,” Ryan said in a statement about the lawsuit.

One serious claim the lawsuit makes: Oracle goes to great trouble to avoid consumers’ stated preferences *not* to be tracked — the firm combines various cookies to avoid third-party cookie blocking tools, for example.

“Data brokers participating in Oracle’s Data Marketplace freely portray themselves as able to defeat users’ anti-tracking precautions, a pitch at odds with Oracle’s privacy policies and its professed respect for the right of individuals to opt out,” the suit alleges. It cited a study that found “even when users specifically decline consent to be tracked, various adtech participants—including Oracle—ignore those expressions of consent and place trackers on users’ devices. The same study discovered that Oracle places tracking cookies on a user’s device before the user even has a chance to decline consent.”

The lawsuit also claims that Oracle uses categories with clever names as an evasive maneuver to sell data the firm claims not to share.

“Oracle segments people based on intimate information, including a person’s views on their weight, hair type, sleep habits, and type of insurance,” it says. “Other categories appear to be proxies for medical information that Oracle purports not to share, like “Emergency Medicine,” “Imaging & Radiology,” “Nuclear Medicine,” “Respiratory Therapy,” “Aging & Geriatrics” “Pain Relief,” and “Allergy & Immunology.” ”

Oracle’s data marketplace also enabled racially-targeted advertising, even after Facebook took steps to stop it, the suit claims: “Oracle facilitates the creation of proxies for protected classes like race, and allows its clients to exclude on that basis. For example, one Oracle customer website describes how, after Facebook made it more difficult to target ads based on race in the employment and credit areas, Oracle helped it achieve the same result.”

Oracle’s data marketplace also permits activity that many would find a threat to democracy, the suit claims: “During the summer of 2020, Mobilewalla tracked mobile devices to collect data on 17,000 Black Lives Matter protesters including their home addresses and demographics. Mobilewalla also released a report entitled ‘George Floyd Protester Demographics: Insights Across 4 Major US Cities,’ which prompted a letter and investigation by Senator Elizabeth Warren and other Congress members.”

Some categories sold by data partners are incredibly intimate:

“OnAudience, a ‘data provider’ that profiles Internet users by ‘observing user activity based on websites visited, content consumed and history paths to find clear behavior patterns and proper level of intent,’ lets customers target individuals categorized as interested in ‘Brain Tumor,’ ‘AIDS & HIV,’ ‘Substance Abuse’ and ‘Incest & Abuse Support.’ ”

The suit alleges violation of California’s Unfair Competition Law and various other counts. A good analysis of the plaintiffs’ legal strategy can be found in this Twitter thread by Robert Bateman.

It’s good that Oracle’s time under the radar might be ending; the firm should be standing next to Google, Facebook, Apple, Microsoft and the other Big Tech names finally getting the scrutiny they deserve.