In response to reports that telecommunications giant Syniverse disclosed to the Securities and Exchange Commission last week that hackers had access to its databases over the past five years and compromised login credentials belonging to hundreds of customers, cybersecurity firm Panorays offers the following comment.
<p>When any part of the backbone of our interconnected ecosystem—service providers—falls prey to threat actors, we are all reminded that nobody, not even tech companies, is immune from cyberattack. The fact that attackers had access, potentially for years, to the EDT (electronic data transfer) environment should make all enterprises, no matter what industry, rethink their security posture. We need to accept the fact that situating data behind fortified perimeters is only one method of protecting data, and one that hackers can overcome with enough time, patience, and creativity.</p>
<p>What then? Organizations need to adopt more data-centric protections such as tokenization and format-preserving encryption to guard against hackers getting directly to the sensitive organizational data, which is always their main target. Data-centric security replaces sensitive data elements so that, no matter who gains access to it, the attacker cannot read, understand, or leverage that information. Hopefully, every enterprise can receive this critical message: better ways to protect your valuable data are out there, so you simply have to prioritize it. An unwelcome breach will certainly do that.</p>
<p>The recent cyber incident involving telecom giant Syniverse is just one more example of how a third-party breach can impact millions. In this case, Syniverse, which works with companies like AT&T, T-Mobile and Verizon, discovered that hackers had access to billions of text messages over the past five years through approximately 200 clients. While one might be inclined to think that endless text messages seemingly containing nothing more than lots of emojis are worthless, that’s not the case. The reality is that those texts are someone else’s private data that could communicate business data—and that data can be bought. Therefore, this constitutes a massive breach.</p>
<p>Cyber incidents like these illustrate why it’s so crucial for organizations, when assessing the security of their third parties, to understand the context of the business relationship with each third party and how much risk is involved. For example, if you are working with a vendor that is connected to all of your infrastructure, you must be sure to comprehensively assess and continuously monitor their cyber posture, as well as remediate any cyber gaps.</p>