As discussed in January’s technology feature, there is no shortage of threats to the security of the private information in the hands of your company. With incomplete guidelines for best practices, and only a small set of what-not-to-do case studies to navigate by, organizations can quickly find themselves at the mercy of private litigation, or the subject of enforcement from the Federal Trade Commission. Ignorance of data security is no longer a sufficient excuse for its compromise.
But it’s also incredibly difficult to say where or what the next breach will be. While there is a tendency to focus on the technology breach, information loss is still subject to physical compromise and malicious activity from insiders. Adnan Amjad, partner at Deloitte & Touche and an expert on security and privacy, points out that it’s not just the volume of data incidents happening, but the strategy that would-be thieves are employing.
“On the energy side, for example, people at one point wanted to steal merger and acquisition information or data that was related to the assets an oil company wanted to buy. The target there was to steal someone’s due diligence efforts. The end game is still the same,” Amjad says. “Now they’re going after the scientist or the trial lawyer involved with the energy company for example. They use social engineering techniques, or phishing, or steal his administrative assistant’s passwords, then steal information on where the company might be drilling, or how much is in a particular reservoir of oil. So the risks and the vectors have changed, but the end game stays the same.”
As Todd Ruback, CEO of Evidon, said in last month’s exploration of risk vectors, “It starts with having a cultural attitude from the executive level on down through the organization around treating things properly.”
Determining who is responsible for information security and private data protection is the first essential step to achieving that mindset. Representation from a team member who is well versed in compliance standards and literate in the legal realm is essential when dealing with information security.
“In reality, there are multiple parties that have to be involved in successful data security and privacy. Solving these issues requires a multi-disciplinary approach, where conventionally security was considered the realm of IT security (technical) staff,” explains James Lyne, global head of security research at IT security firm Sophos. “Within an organization, legal counsel, IT staff and business staff need to work together to communicate their approach to security and privacy, to implement appropriate controls and meet regulatory or ethical data handling.”
More frequently, companies are treating data loss as its own unique problem, with a specific team dedicated to it. Many companies are now moving to a model known as a “fusion core,” which combines that expertise and treats the ongoing fight against security risk not as a project but as a daily responsibility.
Amjad explains that in this configuration the “fusion core” team “has someone who knows what the breach laws are, someone who knows how to respond to a breach when it actually happens. They have forensic capabilities and they have monitoring capabilities, so when something happens, they’re not running around trying to pull everyone together across all departments. I’m not talking about a PMO or coordination committee; this is one org that is built to respond to this and everyone fits in the same team.”
As the volume and vectors of data protection proliferate, enterprises will need to come up with novel organizational strategies to combat them. Regardless of how the team is configured, inside counsel will want to ensure that someone with a knowledge of current and developing data breach law has the space covered.
What to do
Organizational structure is only one avenue of protection businesses have at their disposal. The way businesses combat individual threats, and the mindset they adopt when dealing with data loss issues, is also essential to their success in mitigating the loss of private information. Legal departments relying on outside counsel need to remain cognizant of this as they pass information to and from those firms.
“When you’re exchanging data with third parties, such as professional services firms, how are they protecting their data? Cyber criminals are looking for firms that store lots of information, and professional service firms are targets,” says Bill Hardin, Co-Chair of Navigant’s Global Data Privacy and Incident Response practice. “You have to ask, what protections are they, or any other vendor, providing that gives you assurance?”
Hardin says that data security starts with gaining an understanding of what you are trying to protect and developing a risk profile of that information. Next comes mapping where and how that information travels, and which organizations you are trading data with. Finally, the proper information governance policy must be in place, including frequent training, so that all members of the organization can be held accountable to high security standards.
Hardin’s advice to organizations is that, “They should engage third parties to perform red team events to test the procedures and training in place.” Red-team events push the limits of data security by inviting certified consultants to attack both the technological resilience and worker resolve of an organization to ensure both are in the right place. “Have them come within the organization and do social engineering and other things to push on the training that’s been done, to ensure people are doing what they said they’d be doing.”
Social engineering and the threat of malicious insider activity cannot be overstated in the data breach space, and, as with the IT component, awareness of them needs to be thoroughly ingrained in the workforce to mitigate risk.
“Most of the focus around protecting technology assets stems from a compliance mindset. What I would encourage is to challenge IT’s traditional focus on the technology aspect of it. It’s not necessarily about protecting just your email, or your network or back office systems,” adds Amjad. “IT assets are generally 10 to 15 percent of your overall risk; there are all these other pieces that you want someone to be looking at.”
In the public eye
It is difficult to approach the topic of data security and privacy without mentioning Edward Snowden. In the summer of 2013, Snowden released classified information about U.S. government spy programs collecting untold amounts of information on citizens, alarming many, and casting the conversation around data security into the spotlight.
While the jury is still out on Snowden’s status as a hero or criminal, his story underscores the risks the enterprise is exposed to. Here you have a situation where a consultant stole sensitive information that resulted in a visceral outrage from citizens, a scenario that is not impossible in the private sector.
“I’m not seeing any tangible fallout in the United States per se yet, but the cynicism that individuals hold is starting to percolate to the surface,” says Ruback.
Similar feelings and concerns have been behind the push in the European Union for more holistic privacy laws, and it’s easy to visualize similar movements cropping up in the U.S.
Regardless of how data privacy regulations develop, the fever pitch of public discourse will undoubtedly affect citizens’ attitudes towards how organizations collect and protect their sensitive information. The C-suite needs to evaluate its current strategies, and come up with creative solutions if it seeks to extinguish those growing concerns.