The recent Air India data breach of about 45 lakh customer information of Air India flyers, had become headlines across Indian and around the world. Along with personal information, passport and credit card were compromised too.
Though this Air India data breach is not a first of its kind in India, and would not be the last, what is different, is data was compromised from a third party SITA – a global information technology company.
The cyberattack on SITA was disclosed in February 2021, which impacted major airlines across the world, including Lufthansa, Singapore Airlines, Cathay Pacific and many more.
Though no airline systems were directly attacked, it raises concern on how cyber attackers are finding it easy to use third-party services and product providers, rather than spend effort and time penetrating the cyber defenses of an enterprise.
There is a lesson in Air India data breach for all of us and not just the airlines’ industry. Often, we leave our supply chain partners out of our security architecture leading to fatal consequences.
A holistic approach to data security is the need of the hour, which not only includes the internal stakeholders but also partners in the supply chain. While organisation spend a lot of effort securing their enterprise network, risk assessment of partner networks is rarely done, leaving a big gap open to be compromised.
As attackers start mapping supply chain providers of an organisation, we will see an increase in the number of such attacks. Lack of visibility and control will leave a blind spot ready to be used against you. Cyber defenses now need to be extended beyond your network and cover their partner network, processes, and employees too.
Few steps that can be followed by enterprises to mitigate the risk involved in such attacks
- Limit the amount of data to be shared. While it may be a business necessity to share your customer data with a third party, look at the risk involved in sharing such data. Can the shared data be limited? Relook at the information shared, especially, financial information like credit cards, or medical information.
- Do regular audit and assessment of third-parties systems handling your data. You need to be diligent with third parties as you are with your own enterprise. Any weakness in this link will only weaken your enterprise security.
- While outsourcing does provide value in reducing cost, you should not be locked into a single vendor. Plan your exit strategies and build redundancy in your operations. At times, heavy dependency often leads to neglecting security as you may not want to disturb an existing running setup.
- It is your responsibility to ensure the privacy of your customer data. Gain visibility in the threat surface of your data and how threat actors can exploit your outsourced partners to gain access to your systems or data. Enforce zero trust when allowing access to your critical systems.
- To maintain good data security health work with your partner as a team. Partner employees need to follow the same policies as would your employees and made an equal stakeholder in maintaining the overall data security of your organisation.
As we collaborate more and more with one and other, security risk will only increase. Being aware of this risk and taking steps to ensure that everyone in the chain, who has access to your data, is equally involved in securing your data, is the only way forward. Leaving security to your supply chain will only lead to more disasters.
(This article is written by Sonit Jain, CEO – GajShield Infotech. The views expressed in this article are of the author.)
(Image source – National Herald)