The gap in your CCPA /GDPR compliance strategy
High-profile breaches have pushed data privacy and security to the top of boardroom concerns. But what if your web applications are undermining your efforts to comply?
High-profile data breaches – and the reputational damage and fines that follow in their wake – have pushed data privacy and security to the top of the agenda in the boardroom. Billions of exposed personal records, class action suits and record-breaking fines have seen US companies that view GDPR as a top priority invest accordingly: 75% say they’ve budgeted at least $1m to increase compliance.
Chances are, your organization is already leveraging one or more compliance solutions. You’re making sure you have a cookie consent banner, a robust privacy policy and a thorough vendor risk management program.
But what if all those efforts might prove futile in preventing a data breach? What if your website was actively undermining all your efforts?
Sensitive data originating in the browser remains at risk
Most enterprises collect large volumes of sensitive data via web applications and third-party code integrated into their websites, such as online forms, marketing analytics and chatbots. Ths code runs in the browser and provides a rich user experience but, unvetted and unmanaged, it poses a significant risk to sensitive data. At the point of entry in the browser, it’s possible for cybercriminals to access vulnerable integrations and insert code capable of exfiltrating sensitive data. Payment details can be sold for up to $20 per record on the dark web; a single healthcare record is worth up to $50.
While the sensitive data collected by your website might be intended for a single, specified destination, code vulnerabilities and misconfigurations can potentially expose this to untrusted third-party services without your knowledge. Traditional compliance solutions are unable to discover these vulnerabilities on websites, leaving unintended gaps in your compliance strategy, with potentially significant consequences:
- Since CCPA came into effect on January 1 2020, a number of class action lawsuits have been filed against Salesforce and Hanna Anderssen, Walmart, Ring Home Security and Minted online stationery. In all of these cases, organizations are alleged to have failed to implement “reasonable security measures” to prevent the breach, exposing thousands of customer records to fraud and other untrusted parties.
- The largest GDPR fine to date, $230m, was charged against British Airways due to a client-side data breach orchestrated by a Magecart attacker group.
Privacy by Design for web applications
To fully mitigate risk, organizations should secure all data present on their servers, cloud applications, containers, endpoint devices, networks and web applications. Traditional solutions help meet the majority of compliance and auditing requirements – but cannot provide assurance for the data present on your website. Here’s what you can to to ensure you’re discovering all indicators of exposure before they become indicators of compromise:
Discover and track data flows: Article 30 of GDPR explicitly requires you to map out all parties that have access to sensitive data. Taking stock of where the data is going can help organizations take early steps to restrict unauthorized access to data on websites and monitor third-party integrations on a ‘need to know’ basis. Data inventories and maps provide an understanding of your risk profile and help you fix flaws proactively.
Implement strong security controls: Sensitive data exposure is #3 on the OWASP Top 10 web application security risks. Taking adequate security measures to ensure that data on your website is protected from unauthorized access can go a long way towards preventing fraud and fines for non-compliance. These measures include web security standards like CSP, SRI and HSTS – all of these have been developed and advanced by industry experts, specifically to address this problem.
How Tala helps
Tala’s patented application analysis engine discovers all the sensitive data on your website, automatically determines exposure to third party services, and alerts you to any instances of leakage. Our PII Exposure Scanning and PII Data Leakage Mapping features work with our analytics engine to enable the fine-tuning of policies that prevent sensitive data exfiltration from trusted applications. We synthetically monitor data mapping to identify sensitive data leakage, without customers having to install or instrument anything on their web apps.
We’re really excited about our new data leakage protection capability. To find out how it solves sensitive data leakage and other web application security and data integrity problems, book your DEMO today and see how you can scan for these risks, monitor exactly what’s going on with your whitelisted applications and automate the deployment of the most comprehensive set of security standards and controls to protect your data. All with zero performance impact on your website.
*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Surabhi Sinha, Product Manager. Read the original post at: https://go.talasecurity.io/blog/the-gap-in-your-ccpa-/gdpr-compliance-strategy-is-running-on-your-website
