A decision by the U.S. Customs and Border Protection (CBP) agency to suspend Perceptics, a provider of vehicle identification and license plate recognition technology, from doing business with the Federal government should serve as a wake up for organizations that work with data that doesn’t belong to them.
Perceptics last month was victimized by a data breach that resulted in 50,000 American license plate numbers along with 100,000 photos of travelers being made available on the dark web. The CBP this week alleged that under the terms of its contract with Perceptics that data should never have been on the Perceptics systems that were hacked in the first place. Pending a final decision, Perceptics now finds itself suspended from all Federal contracts.
Perceptics disputes the characterization of its culpability for the breach, so it remains to be seen whether the suspension is temporary or permanent. However, every cybersecurity professional knows there is a tendency to copy data to apply it to everything from analytics to application development. The issue that creates is that with each copy of data made the potential liability of the organization making that copy increases exponentially.To reduce the potential for disaster cybersecurity teams should routinely make an inventory of how many copies of data sets are distributed through the organization. Click To Tweet
To reduce the potential for disaster cybersecurity teams should routinely make an inventory of how many copies of data sets are distributed through the organization. Chances are high that at least half the data any organization has is a redundant copy of some other data set. Short of consolidating systems, eliminating all those copies of data sets would do more than almost any other initiative toward reducing the size of the attack surface that needs to be defended.
Arguably, holding third-party contractors more accountable for the way data is managed and secured is long overdue. Many of the processes that are in place today are downright sloppy. Personally identifiable information (PII) can be found on almost every system. All that PII data only increases the amount of risk those organizations and their customers wind up incurring for no better reason than the fact that it was more convenient to make another copy of the data set. It requires some additional steps to eliminate PII data but given the very real possibility of being barred from ever working with a customer again, it seems that time and effort is now worth more than ever.
Longer term, it will be interesting to see how many organizations start suspending contractors because of a data breach. There can be no doubt organizations are being held more accountable for IT security than ever. Issues that may have been swept under the rug in the name of business expediency are no longer being allowed to slide. Internal IT organizations are much less inclined to take one for the team when data breaches might result in someone getting fired because the organization was fined or barred from doing business with a customer.
In the meantime, enhanced cybersecurity clearly starts with better data management hygiene. The hard part is, of course, convincing everyone inside the organization that, like it or not, the time to clean up their data management act has well and truly arrived.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.