third-party security | Security Magazine

How the pandemic forces the security industry to modernize

January 7, 2022

Enterprise security leaders are managing the shift to endemic COVID-19 and the prolonged health risks of the pandemic. Here’s how the security industry has shifted over the last nearly two years.

End-to-end encryption and securing data

Matt Perdew

August 23, 2021

What steps can a company take to provide sufficient redundant security so a vendor breach doesn't result in financial damage?

Improve supply chain security with intelligence from surface, deep & dark web

Tyler Logtenberg

July 1, 2021

Threat intelligence is only one piece of the puzzle when it comes to improving supply chain security. As part of protecting the supply chain and reducing third-party risk, here's how your organization should get started.

Data of more than 100 million Android users exposed by mobile app developers

May 21, 2021

Researchers at Check Point Research analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to more than 100 million users. In a report published recently, the firm discusses how the misuse of real-time database, notification managers, and storage exposed over 100 million users’ personal data (email, passwords, names, etc.) and left corporate resources vulnerable to malicious actors.

5 minutes with Ben Johnson - SaaS apps security issues

Maria Henriquez

May 19, 2021

Ben Johnson, former NSA and Chief Technology Officer (CTO) of SaaS application security firm, Obsidian, has found that businesses around the world are adopting Software as a service (SaaS) apps in droves for collaboration, ease of access to data and business continuity. With this increased adoption, comes the inevitable trend of state-sponsored actors merely logging in to steal data rather than having to break in. Here, Johnson talks to Security magazine about security issues associated with SaaS applications.

Zoom joins CVE program as a CVE Numbering Authority (CNA)

May 3, 2021

Zoom has joined the CVE Program as a CVE Numbering Authority (CNA). The CVE Program’s overall mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities that require third-party notification or coordination to fully remediate. Cybersecurity and IT professionals use CVE records to ensure they are discussing the same security issue, coordinate their efforts, and prioritize and address vulnerabilities. The program is an international, community-based effort and relies on the industry norms of the responsible and coordinated security community to discover vulnerabilities.

5 minutes with Tony Howlett - Vendor risk management needs to be a top security priority in 2021 and beyond

Maria Henriquez

March 29, 2021

The recent SolarWinds breach has brought vendor risk management into the spotlight. With 59% of data breaches being traced to third-party vendors and the average enterprise having 67 vendors with privileged access, managing third party risk is no longer optional, says Tony Howlett, Chief Information Security Officer (CISO) of SecureLink. Here, we speak to Howlett about why security and risk professionals need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.

Third-party risk requires risk management and assessment for the enterprise to ensure third-parties don't threaten their security

Third parties: The risk management blind spot

David Pignolet

December 10, 2020

While providing access for third-party, non-employees is critical to meeting business objectives, it oftentimes has the unintended consequence of exponentially increasing an organization’s attack surface. With the proper identity-proofing practices and capabilities in place, organizations can verify the identities of their users, support risk management initiatives and better protect critical assets – eliminating the third-party risk management blind spots.

EDPB issues guidance for cross-border data transfers in wake of Schrems II judgment

The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.

David M. Stauss

July 28, 2020

In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment. The six-page FAQs provides the following guidance.

5 Tips for Minimizing Third-Party Risk

Grant McCracken

June 18, 2020

Outsourcing has become a vital part of most business strategies. Not only is it a way to save money, but it’s a simple way to take advantage of expertise you might not currently have in house. But outsourcing can also leave companies vulnerable if the third-party doesn’t have proper cybersecurity procedures.