On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) announced an update to its cybersecurity guidance that was first introduced in 2011 regarding a public company’s disclosure obligations related to cybersecurity. “SEC Issues First Civil Penalty for Failure of Data Breach Disclosure”
Actionable Tips to Prevent Data Breaches
Feeling safe about your organization’s personal data because of encryption standards? Don’t fool yourself into a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down. In IBM’s Security Services 2014 Cyber Security Intelligence Index, which analyzed cyber-attack and incident data, more than 95% of all incidents cited “human error” as a contributing factor to the attack.
The list of potential human error risk factors is longer than expected:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error.
1. Education from the Top Down
This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to your organization is important in preventing risks.
The development of policies and procedures on how to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is essential in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.
2. Hire Well
Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization that is trying to implement security controls. When recruiting individuals, management should be certain that employees understand the concepts behind both breach prevention and management in the event that a breach does occur.
In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.
3. Develop an Exit Strategy
Having an exit strategy for employees who are leaving your organization is just as important as educating employees in cybersecurity. This includes changing passwords, ensuring that computers and personal devices no longer have sensitive information available on them, and developing contracts that include legal repercussions for sharing or utilizing sensitive data.
4. The Less Data, the Better
Since cyber criminals can only steal information that an employee or organization has access to, one of the major ways to minimize risk is to limit data availability:
- Reduce the number of employees that have access to at-risk information.
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Only grant data access on an as-needed basis, and revoke access as soon as information is no longer necessary.
- Purge data early and often!
You prevent data breaches by minimizing the amount of access that individuals have to data.
5. Purge Your Data Properly
It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think that they are getting rid of all of their data when they remove files that are located on their desktop, without realizing that other copies of the files remain elsewhere on the computer. By teaching employees proper data disposal techniques, you’re able to minimize the risk of having that data get into the wrong hands.
6. Monitor Your BYOD Programs
BYOD, or Bring Your Own Device, is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations have moved to this type of program so that employees are able to use technology that they have a better understanding of. This reduces training time and increases productivity.
However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that force employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Device partitioning
The creation of appropriate BYOD management and policies allows the program to work successfully, instead of becoming a pain point for organizations.
7. Secure Your Networks
Employees are constantly on mobile devices these days, and oftentimes have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few fake Wi-Fi “Hot Spots” set up to capture sensitive information.
Ensure the security of your network by investing in a personal or corporate VPN, so that all of the data that is being utilized is appropriately encrypted at the source.
8. Update Software with All Patches and Updates
Software companies are constantly updating their product in order to ensure that their devices are secure for use. Outside companies are constantly finding new vulnerabilities in their software, and patches and updates allow for organizations to ensure that these vulnerabilities do not affect their business functions.
9. Develop “Appropriate Usage” Guidelines for Company Technology
Educate employees on the appropriate usage of organizational technology. This includes when, where and how to log in to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.
10. Hold Outside Vendors to the Same Standards
By only working with organizations with the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations, or function outside of governing bodies with strict regulation, it is not cheaper than the consumers that are lost due to a data breach. At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.
11. Prepare for the Worst
Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen.
While all of your preparations can help you to prevent data breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.
12. Test Out Your Disaster Management Plan
Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it is a reality.
13. Audit Your Organization Regularly
By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.
14. Notify Early and Appropriately
If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner that your team is able to respond to an incident, the greater your chance of managing the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.
Author: Greg Johnson, Vice President of Business Development at A-LIGN.
Data breach was alive and well in 2015 with some of the largest breaches in history occurring last year. The Office of Personnel Management (OPM), or in other words our Federal Government, was hacked to the tune of 21.5 million records. 80 million records were hacked from Anthem by a Chinese hacker group known as Deep Panda. Just two weeks ago, Alliance Technical Services of Huntington Beach was hacked.
Surprisingly, I have seen a downward trend since 2013. The data in this article, it should be noted, was taken from the Privacy Rights Clearinghouse. The PRC has been tracking publicly reported data breaches since 2005, and has grown to encompass data approaching one billion data breaches.
It should also be noted that the data from the PRC is representative of what I believe to be only just that – a representation – of data breaches in North America. These are only those which were publicly reported. In a previous company, I interfaced with compromised merchants for many years, and in researching previous data breaches found that some are not in this data set. Hence, these numbers are not all-encompassing. I believe, however, that the trends I found are representative of the larger data set.
Key Data Points
Here are some highlights of the data I reviewed from 2015, along with comparative data from 2013 and 2014, followed by the actual numbers as well as a graphical representation by category.
- Total data breaches tracked for 2015 equal 201. The surprising factor is that this is slightly less than a third of data breaches reported in 2013, which topped 623. Not to be deemed coincidental, 2014 also showed a marked decrease, down to 297 total breaches from 2013, thus showing a steady downward trend.
- The data set includes General Business (BSO), Financial and Insurance (BSF), Retail/Merchants (BSR), Educational Institutions (EDU), Government and Military (GOV), Healthcare (MED), and Nonprofit Organizations (NGO).
- Data breach in the general business category remained relatively constant from 2013 to 2015 (this excludes Retail/Merchants and Financial/Insurance services.)
- Merchant and Healthcare breaches experienced dramatic decline.
Breach numbers by category:
Any data breach is one too many, and clearly too many still occur. It is encouraging, however, that breaches in key merchant and healthcare sectors seem to be in decline. Perhaps this is due to maturing PCI and HIPAA guidelines and practices, as well as enhanced security awareness and buy-in.
To continue this downward trend, businesses would do well to ensure the following on an annual basis:
- Arrange for an annual penetration test from a qualified, experienced security company.
- Implement a written information security policy which includes firewall policies, firewall change and access control, incident response and succession contingencies.
- Become compliant with applicable compliance guidelines such as PCI, HIPAA, SOC, ISO 27001, and others. This may involve hiring a qualified entity to perform a readiness assessment or provide consulting.
- Hire or contract with information security personnel to develop a culture of cyber security.
Will 2016 bring a continued reduction in data compromise? The above will not guarantee it, but will make it more difficult for malevolent parties to find low-hanging fruit. What about the expanding mobile universe? A year from now my article may be very different – hopefully the trend continues.