We now live in a post-breach world. What does that mean? It means some of the most secure computer networks in the world have already been breached. We can no longer live under the fantasy that networks can be 100% hardened against all attacks. As a result, we need to look at digital identity protection and third-party risk in new ways.
Digital identity protection is more important than ever thanks to record levels of both online fraud and identity theft. Meanwhile, third parties face their own risks – particularly those related to liability – when breaches do occur.
Protecting Digital Identities
The foundation of everything this post discusses is the digital identity. Anyone who has ever been online has a digital identity. Furthermore, ID information that was once contained only in paper documents has all been converted to digital records. So a typical consumer’s digital identity is scattered all across the internet. It touches everything from driver’s licenses to Social Security numbers to bank accounts and social media profiles.
Organizations and third parties have an obligation to take certain measures designed to safeguard sensitive data. There are liability issues if they don’t. As such, they rely on:
- Monitoring and detection – Organizations strive to quickly identify and mitigate data leaks, especially those shown to be the result of third-party breaches.
- Proactive security – Organizations also work to implement robust security strategies designed to prevent unauthorized digital identity access.
- Education – Educating both consumers and third parties about the importance of protecting personal information is an ongoing exercise in the fight against identity theft.
Denver-based DarkOwl, a company that specializes in threat intelligence and darknet data, explains that there is no room for organizations or their third-party partners to take identity theft risks lightly. Identity theft is one of the most common cyber-crimes around because it is both profitable and easier to pull off than other cyber-crimes.
Third-Party Risk Management
For organizations working with third parties, the need to continually assess risk is understood. DarkOwl explains that the industry recognizes the practice formally as third-party risk management (TPRM). TPRM is a comprehensive strategy of identifying, assessing, and managing the risks associated with doing business with external partners and vendors. It is necessary for the following reasons:
- Digital transformation has significantly increased the attack surface for most organizations.
- Third parties do not necessarily adhere to the same security standards as the organization itself.
- Regulations often require organizations to manage the risks posed by their third-party partners.
In the event of a breach, both organizations and third-party vendors are subject to liability. So even if protecting sensitive data to safeguard customers isn’t a priority, the prospect of significant liability should be enough motivation to ensure that both organizations and their partners do everything possible to prevent identity theft.
Adhering to Best Practices
Organizations and their third-party partners have access to a variety of tools and strategies for safeguarding sensitive data. I will not go through them in this post. It’s enough to say that adhering to industry best practices is the bottom line.
Organizations and their third-party partners should continuously monitor for threats. They should adopt a zero-trust architecture, integrate identity protection measures, continuously evaluate how well their security controls perform, and so forth.
Data breaches are always possible. Organizations must be ever cognizant of third-party risk and its potential to facilitate breaches. Otherwise, digital identity protection becomes a game of chance. It’s a game that organizations really do not want to play given that the stakes are so high. Maintaining the highest levels of security is a much better strategy.