Compliance and Congress – How to Build an Effective Cyber Strategy | 2019-02-07

The growing threat of cyberattacks is a huge cause for concern. According to some of the country’s foremost intelligence experts, the U.S. may encounter a massive cyberattack on the horizon. An attack of this scale is predicted to cause damage comparable to a Category 5 hurricane, where everything from vehicles to pacemakers could be compromised. The country needs to be ready – and not just the public sector. Private businesses, regardless of size, would be taking an extreme risk if the necessary precautions are not put into place.

The literal and perceptional damage caused by security breaches can be astronomic, as we have seen from high-profile leaks at Sony, Equifax and Yahoo. When developing a strategy, you have to be able to properly assess the amount of overall damage that your business could suffer.

With new legislation such as the California Consumer Privacy Act (CCPA), or AB 375 (which is similar to the European General Data Protection Regulations, or GDPR) going into effect in 2020, businesses of all sizes are working to maintain compliance and avoid security leaks at all costs.

Building A Strategy

When developing a cybersecurity strategy, there are a few important questions to consider:

How difficult is it to gain access to my company or customer information?
How much actual damage to my customers, company and/or public reputation can be caused if a data breach occurs?
Are we following best practices for protecting client data that we have been given access to?
Do we have an enterprise risk management approach? How do we prioritize risks?
Do we have an incident response plan in place if a breach was discovered?

For example, if your company has very strong network and firewall protocols that adequately deter cyberattacks, but also has access to sensitive and potentially damaging customer information – you are only implementing a half-measure.

The overall risk that your company is facing is directly correlated to the amount of damage that a potential attacker can inflict with your customers’ data, as well as the public image of your company due to negligence, noncompliance or plain bad luck. In fact, the perception of an insecure network or known negligence toward securing customer data can do as much, if not more, irreparable damage to a company or brand than an actual security breach.

What many small to medium-sized businesses underestimate is the amount of information that they actually have from customers, and how the push to cloud-computing is only adding to the complexity of properly securing sensitive information. The more companies utilize cloud-based services to record transactions, financial data, personal preferences, search histories and medical records, the more devastating a security breach can be.

Getting Compliant

A single leak can bring down even the largest and most powerful of companies. Once the trust of the customer is lost it is exponentially more difficult to regain it. With this in mind, companies of all sizes need to take the necessary steps to not only be compliant with legislation, but also be proactive in developing systems that can defend themselves from claims of negligence. Being compliant does not always equate to having a defendable due diligence security posture.

Small businesses are going to be among the hardest hit by regulations such as GDPR and CCPA becoming more commonplace, and I fear that noncompliance due to lack of resources could be a serious issue. When having an online presence and customer database is essentially required for any business today, many smaller operations do not have the available resources to become compliant, or may not even identify that their business would require changes due to new regulations.

So, what options does an organization have if they are not already preparing a cybersecurity strategy or do not have an in-house team? Quite a few, actually. These options start with asking the aforementioned questions, and then by asking the following to determine which parts of the system or processes need the most attention:

Are the security risks being quantified? Is there a network security issue?
What type of information is being transmitted or collected? Is data classification used?
What is your encryption policy? How encrypted, if at all, is the stored data?
Do all of your employees with access to client data know your cyber-protection practices? With this question it is important to note that phishing is the largest threat vector, accounting for around 95% of all security incidents.
Are those security basics in place?
How well is “cyber-hygiene” managed?

All of these questions can be answered by cybersecurity experts who help determine the level of attention required for each aspect of a compliant cybersecurity strategy. One size does not fit all in the world of cybersecurity. Determining potential vulnerabilities is different for every operation, and will vary in complexity based on the type and quantity of information that is associated with the business.

In addition to professional assistance, there are a few best practices that a company can implement to improve their privacy policy, as well as customer and visitor notification policies.

Being transparent when using cookies on your website.

Have a consent statement “pop-up” on your website explaining not only that your website uses cookies, but how your organization is using that information. The statement needs to notify the visitor that your website uses cookies, how to change their settings to deactivate them and explicitly say what the cookies are used for. A great resource for creating a consent statement can be found here.

How you are monitoring visitor behavior.

In the same vein as the cookies notification, simply stating that you collect personal data is no longer adequate. Within your privacy policy you have to let your users know exactly what data you collect and process.

Notification of the sharing (but never selling) of your customer data.

Notifying a web user of data sharing is typically seen when a company has user data that is then shared with a third-party partner. For instance, an organization that collects user or member data may then share it with “authorized partners” that facilitate a better experience for the users. Having this stated in a privacy policy and consent statement, along with acknowledging the compliancy of all “authorized partners,” is highly recommended.

Regardless of industry, size or revenue, a cyber strategy is absolutely required because the more interconnected everything becomes, the more vulnerable we become to cyberattacks. With increased vulnerability comes more regulations. Businesses and organizations will need all the help they can get to ensure data security and compliance with future regulations.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?