A small, family-owned hardware store sits on the main street of a quiet town in rural Michigan. During its peak season, the company serves about 40 customers a day, with an average sale of US$9; roughly half of them pay by credit card. All of the company's credit card transactions feed digitally through a bank in Detroit.
From a hacking perspective, this store doesn't even warrant a blip on a digital thug's radar. So imagine the surprise when customers of mom-and-pop stores across the country got a letter last year telling them their credit card information had been exposed in a bank compromise. In other words, these stores were collaterally hacked.
Collateral hacking occurs when an entity trusted with critical data is compromised. It's becoming a huge threat as low-risk businesses pool their data and create an aggregation point that's an attractive target for attackers. Beyond targeted hacks, the consequence of having data duplicated by an external entity is disturbing. Consider the number of recent incidents involving data being accidentally exposed by people not necessarily trying to steal it (think bank backup tapes and the U.S. Department of Veterans Affairs' hardware theft).
An unexpected degree of risk is taken when data goes external. This includes data going to a software-as-a-service provider (for example, Salesforce.com or ADP), an error log with customer data going to a software vendor or systems integrator, or credit card data for a transaction that gets pushed through a bank.
Aggregation can do weird things to risk economics. Take crash dumps or logs. Unless there's a big incentive to hack into your company specifically, the chance of someone plowing through your application crash dumps or error logs is pretty small. But imagine targeting a systems integrator that has tens of thousands of these logs. It's likely to be a fairly simple data mining exercise to scan through these files quickly and use automation to look for credit card numbers.
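The defensive counterpart is to make sure card numbers never reach a vendor's pile of logs in the first place. The following is an added example, not part of the original column: a scrubber that a company could run over its own error logs before they are sent out, using a Luhn checksum so ordinary digit runs are left alone. The log format, field names and redaction marker are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order IDs, trace IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line):
    """Return (scrubbed_line, number_of_card_numbers_redacted)."""
    hits = 0
    def _sub(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # not a card number, leave untouched
        hits += 1
        # Keeping the last four digits is a choice made for this example.
        return "[PAN-REDACTED ****" + digits[-4:] + "]"
    return CANDIDATE.sub(_sub, line), hits

def scrub_log(lines):
    """Scrub every line; a non-zero total means the log was leaking."""
    cleaned, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        cleaned.append(new_line)
        total += n
    return cleaned, total

# Constructed sample log (well-known test card numbers, not real data).
SAMPLE_LOG = [
    "2024-01-05 10:02:11 ERROR charge failed card=4111111111111111 amt=9.00",
    "2024-01-05 10:02:12 DEBUG retry pan=4111-1111-1111-1111 trace=1234567890123456",
    "2024-01-05 10:03:40 INFO order 5500 0000 0000 0004 shipped",
    "2024-01-05 10:04:00 WARN timeout after 30000 ms",
]

if __name__ == "__main__":
    cleaned, total = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("card numbers redacted:", total)
```

A non-zero count from a log that was about to go to a vendor or integrator is also a signal that the application itself is writing card data where it should not.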
The key to curbing collateral hacking is to find out where your company's data is flowing. Think about partners, service providers, software vendors, anything outsourced -- for example, payroll or credit card processing. Then ask, "What do I know about how data is treated when it gets there?" Given enough important data in one place, your data could make one of your partners a more attractive target than the Pentagon.
Next, you need to assess how that data is handled. It's becoming increasingly acceptable to augment service-level agreements to include requirements for external security audits and staff training around security.
In an ironic twist, it tends to be the most critical data in small and midsize companies, such as credit card transactions, payroll information and customer contacts, that gets sent to service providers. With the risk of collateral hacking looming, companies need to look with a paranoid eye at service providers that process this critical data.
Choose wisely; miffed customers tend to blame the guy at the store counter, not the back-end organization that ultimately lost a massive amount of data.
Thompson is a well-known book author on computer security. He can be reached at firstname.lastname@example.org.