29 June 2014

Trust Decisions: The Risk of a Digital Supply Chain...

Are you a business that is operating internationally?  What components of Operational Risk Management (ORM) currently intersect with your international business operations?  The safety and security of your employees who travel into countries with unstable political elements are no doubt of immediate concern.  There may even be a heightened sensitivity with whom your international business executives are meeting with and the tremendous U.S. rule-base associated with OFAC, as one example.

Fortune 500 organizations are all too familiar with these concerns, as major players in international business. The Chief Security Officers (CSO) and other key executives charged with the safety, security and integrity of employees, are focused on those who are traveling and meeting across the globe.  This is considered ORM 101.  This facet of ORM is quite mature and familiar to the Board of Directors who are charged with the Enterprise Risk Management (ERM) of the company.

What is growing more pervasive and continues to plague organizations doing business internationally is the risk of a Digital Supply Chain.  Trusted information and the confidentiality, integrity and assurance of data.  The "Genie" is out of the bottle and even the most mature and risk adverse global organizations, are continuously barraged by sudden incidents that interface with privacy and security of information.

Here is a recent example:
After a public comment period, the Federal Trade Commission has approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor.
The FTC previously announced the settlements in January, February and May of 2014 with the following companies: 
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
So what is the real underlying issue here?  It is about "Trust Decisions".

These organizations were representing themselves as compliant with a U.S.-EU framework designed and established to protect their constituents, under the jurisdiction of the Federal Trade Commission (FTC).  The decisions to trust these organizations by an individual or business, regarding the perception that they are in compliance with a framework for privacy and security, is what is true.

How often have you ever made a "Trust Decision," based upon your knowledge that a business is displaying an official seal, mark or a sign that your information is safe and secure?  There are dozens of high profile companies operating across the globe that are in the business of selling "Trust".  Symantec, TRUSTe and GeoTrust to name a few.  The reason that a business buys one of these trusted seals or marks is because it wants to increase it's perception of trust, to the consumer or business that it is engaged with to transact business.

The business wants to display that they are compliant with the particular laws or rules associated with their industry or country.  It wants to create a sense of business assurance or peace of mind for the buyer of their products or services.  When you use one of these seals to assist in making an affirmative "Trust Decision" based upon the display of one of these badges, marks, signs or even special symbols or colors; the consumer still assumes risk of the unknown risks.  So what?

So how many consumers on a daily basis do you think visit this web site to get their free annual credit report? Green Padlock https://www.annualcreditreport.com/index.action

This is the official web site advocated by the U.S. Federal Trade Commission (FTC) for consumers to get a free annual credit report in compliance with Fair Credit Reporting Act (FCRA).  When you visit this site, you see that the URL displays a green padlock and the https: designating that the site is using secure protocols to transmit your Personal Identifiable Information (PII).  Or is it?

When you test the Annual Credit Report web site with a SSL security test service, run online by Qualys SSL Labs, https://www.ssllabs.com/ssltest/ this is their rating, on the security of Annual Credit Report.com as of 6/28/14.

Overall Rating
Protocol Support
Key Exchange
Cipher Strength

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
This server is not vulnerable to the Heartbleed attack.

Q: What information do I need to provide to get my free report? 
A: You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
On a daily basis, humans are subjected to signs, marks, badges and other indicators that help them make more informed affirmative "Trust Decisions".  Whether it is the "Green Light" at the local intersection or the "Green Padlock" on the web site where we are being asked to give up our Personal Identifiable Information (PII).  The regulatory and private entities that are tasked to ensure that the signs, marks, badges and even colors are in compliance, must also look to their own level of trust of their Digital Supply Chain.

This is just one glaring example of why "Trust Decisions" are so vital to online global e-commerce.  It is also a wake-up call for any organization that is advocating trust by using a digital third party that the consumer relies on every day.  However, the FTC and other government agencies rely on private sector companies to assist them in outsourced services such as hosting Annual Credit Report. com.  The site is hosted by:

IP LocationUnited States - Massachusetts - Cambridge - Akamai Technologies Inc.

How confident are you, that your organizations digital supply chain is ensuring safe and secure "Trust Decisions" for your customers?

No comments:

Post a Comment