Yes, supply chain risks are REAL and ever-present. Here are six reminders for cyber defense teams to check themselves against…

In May 2023, Discord became the latest online platform to disclose a data breach, after the account of a third-party customer support agent was compromised.

The breach exposed affected Discord users' email addresses, the messages they had exchanged with the support team on the platform, and any attachments that were part of those conversations.

Even though affected users were informed promptly and the compromised account was deactivated, the stolen information must be assumed to be in criminal hands. Such data can be held indefinitely and used to target victims long after they have let down their guard.

Jamie Boote, Associate Principal Consultant, Synopsys Software Integrity Group

Six data security priorities

While users are advised to observe password and cybersecurity best practices online, organizations shoulder grave responsibilities and regulatory obligations to keep data secure. Here is a short checklist for IT teams to abide by…

    1. Take a top-down approach to protecting data. Start with a policy and supporting standards that classify every type of data your organization expects to create, collect, process, or store.
    2. Once the classification standards are in place, build an inventory of where every item of sensitive or personal data is collected, handled, or stored. You cannot protect something if you do not know what it is or where it lives.
    3. Third-party partners add a further layer of complexity: firms often have to grant them access to data that must stay protected, yet each partner has its own level of security around data access and protection, its own security policies, and its own exposure. When you grant a third party access, its attack surface becomes your attack surface. The Discord incident above is this pattern in miniature, since the compromised account belonged to a support agent working for a third party.
    4. Protecting client data is critical because a leak of this kind of information damages the organization's reputation, whether the data is Personally Identifiable Information (PII) or the cardholder and transaction data whose protection the Payment Card Industry Data Security Standard (PCI DSS) mandates.
    5. Organizations have a legal responsibility to protect this data: a failure to act can lead not only to regulatory fines but also to class action lawsuits following a breach.
    6. After the privacy data inventory is built and maintained, controls can be applied throughout the environment to protect data at rest and in transit, and to dispose of it securely. These controls include encryption to preserve confidentiality in storage and transmission, identity and access management controls to keep unauthorized parties out, and segmentation controls to limit how far an attacker can reach after gaining a foothold in part of the internal infrastructure.
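As an added example (not part of the original article, and not Synopsys tooling), the Python script below shows steps 1, 2 and 6 of the checklist as code: a small classification policy, a discovery pass over a few sample data stores, and a comparison of the controls each store requires against the controls actually in place. The labels, control names, store names, sample records and the "controls in place" table are all assumptions constructed for the illustration; the only real technique in it is the Luhn checksum, used here to keep order numbers and other digit runs from being misclassified as card numbers.

```python
import re

# Step 1 (illustrative assumption): a classification policy mapping each label
# to the controls the organisation requires for it. Label and control names are
# invented for this example, not taken from any standard.
POLICY = {
    "PCI": {"encrypt_at_rest", "encrypt_in_transit", "restrict_access", "segment_network"},
    "PII": {"encrypt_at_rest", "encrypt_in_transit", "restrict_access"},
    "INTERNAL": {"restrict_access"},
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by spaces or dashes as a card number is printed.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive labels found in one record (empty if none)."""
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("PII")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            labels.add("PCI")
            break
    return labels


def build_inventory(stores):
    """Step 2: map each data store to the labels found in it and, from the
    policy (step 6), to the controls those labels require."""
    inventory = {}
    for location, records in stores.items():
        labels = set()
        for rec in records:
            labels |= classify(rec)
        if not labels:
            labels = {"INTERNAL"}
        controls = set()
        for label in labels:
            controls |= POLICY[label]
        inventory[location] = {"labels": sorted(labels), "controls": sorted(controls)}
    return inventory


def control_gaps(inventory, applied):
    """Compare required controls with the controls actually in place per store."""
    gaps = {}
    for location, entry in inventory.items():
        missing = sorted(set(entry["controls"]) - applied.get(location, set()))
        if missing:
            gaps[location] = missing
    return gaps


# Constructed sample stores and records; none of this is real data.
SAMPLE_STORES = {
    "support_tickets.db": [
        "Ticket 1: user alice@example.com cannot log in",
        "Ticket 2: refund for order 1234 5678 9012 3456",   # fails Luhn: not a card number
    ],
    "payments.log": [
        "2023-05-01 charge approved card=4111 1111 1111 1111 amount=19.99",
    ],
    "build_notes.txt": [
        "Release 2.3: bumped dependency versions",
    ],
}

# Constructed record of which controls each store currently has.
CONTROLS_IN_PLACE = {
    "support_tickets.db": {"restrict_access"},
    "payments.log": {"encrypt_in_transit", "restrict_access"},
    "build_notes.txt": {"restrict_access"},
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for location, entry in inv.items():
        print(location, entry["labels"], "requires", entry["controls"])
    for location, missing in control_gaps(inv, CONTROLS_IN_PLACE).items():
        print("GAP", location, "missing", missing)
```

Run as a script it prints the inventory and then the gaps: the ticket store holds PII but is neither encrypted at rest nor in transit, and the payments log holds card data but lacks encryption at rest and segmentation, while the order number in ticket 2 is correctly left unlabelled. In a real environment the pattern matching would be replaced or supplemented by the data discovery features of the databases, storage and DLP tooling in use, and the "controls in place" table would come from configuration rather than a literal, but the shape of the inventory and the gap report is what step 6 needs in order to apply controls where they are actually missing.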

As always, never underestimate the people problem. Make sure that admins, managers, and operators all receive security awareness training so that they avoid risky behavior such as leaving laptops holding this data in cars, or handling systems in ways that lead to ransomware or malware infections and other avoidable incidents.