When it comes to privacy and security, new challenges and risks are constantly exploding onto the scene. Here’s what our expert roundup designates as the key issues and best practices of 2019.
People are increasingly bringing their IoT devices—everything from Fitbits to Alexa devices—into the workplace, often without telling security staff, notes Rebecca Herold, CEO and founder of The Privacy Professor consultancy and a 3M privacy consultant. “These IoT devices are collecting data and sharing it in cloud locations and you have no idea how they’re being secured or what’s being shared,” she says.
Last year’s arrival of the EU’s General Data Protection Regulation (GDPR) has created new challenges for enterprises who are subject to it, says Andrew Shaxted, senior director of information governance, privacy and security practice at FTI Consulting. GDPR mandates that organizations in certain circumstances have a data protection officer (DPO) to spearhead compliance, but employing a DPO can be difficult and costly. “It’s almost a unicorn of a role,” Shaxted says. “You need somebody with the chops of a lawyer, some computer science knowledge, an ability to coordinate large organizational change, awareness and education in the workforce and an ability to talk to regulators too.”
Lack of U.S. Regulation
The United States has no federal regulations, and U.S. states are just beginning to develop their own laws, such as the California Consumer Privacy Act (CCPA). “What we’re seeing now is essentially a patchwork of U.S. state privacy law with analogous and extremely onerous requirements, administrative penalties and private rights of action,” Shaxted says. “Under CCPA, there’s no data protection officer requirement, but ultimately, you’d need some individual or group of individuals to properly oversee and implement the obligations as written in these privacy laws.”
“We really don’t have regulation that addresses security and privacy properly,” says Diana Candela, associate director of security and privacy at Protiviti. “It’s mainly because there’s a lack of understanding of what privacy and security actually mean and what the role of security is in terms of privacy.”
“The biggest potential legal risk is how do you, and how can you—and even can you—comply from a business standpoint with all of those various state statutes and governances around these very critical issues,” says Roy Hadley, special counselor and head of cyber and privacy practice at Adams and Reese LLP. “There’s going to be this plethora of regulations out there and the expense of trying to comply because there isn’t any overriding federal legislation is going to be more and more burdensome on businesses.”
Along with the expected appearance of new state privacy laws, “there are existing laws and regulations that continue to evolve and expand their requirements, like breach notice laws, so you have to keep up with all of the updates as well,” Herold says.
Many enterprises use third-party vendors and contractors, but contracting out activities that involve your client, customer, patient and/or employee data creates risks, says Herold. “What most organizations don’t realize fully is that when they’re giving third parties access to all this data, they aren’t giving up their responsibility to ensure that those third parties are meeting the obligations of the organization.”
“Plans are only as good as your ability to execute them, so if you have a plan and you’re not doing a tabletop or practicing that plan at least two or three times a year, that’s a problem,” Hadley says. “The time to figure out how you’re going to react under live fire is not when the bullets are flying by your head.”
“Test your incident response plan or business continuity plan,” Candela says. “You need to know where you fail. Start simple—do a tabletop. And then you can just get creative from there and do more fancy testing until you can do your full-blown production transfer.”
Look at your backups as well, Hadley advises. Where are they stored? Are they air gapped so they won’t get infected? He’s seen clients lose their data either because they never tested data restoration before an issue occurred or because they didn’t take precautions to prevent infection.
“Another risk is the manufacturing of components that we use for all of our fancy devices, including those that are used in our military systems,” Candela says. “In terms of national security, do we know who is making our chips, for example? What’s in the chips? How do you sort all that out with all these emerging technologies that are moving so fast?”
Between all the new threats from hacking and malware, “it’s almost a full-time job to stay on top it all,” says Herold. “What complicates this is all the new technology, which brings additional new threats and vulnerabilities. You have to learn something new every day if you want to be effective. The folks that fail at their responsibilities are the ones that don’t open themselves up to continuous learning. They stick with what they know, and then suddenly they’re lost with all these new things.”
Unclear or Impractical Policies
“You may have written a policy that’s perfect, but can you actually do what that policy says?” asks Candela. Along with that, policies need to be written clearly “so that everybody across the organization can understand what the policy needs them to do. If you write the policy in super tech-y speak, you’re going to have a variety of people not understanding what you mean and that adds extra risk,” she says.
- Educate your organization. “A culture of security will collectively help make your organization more resilient to an attack, and if an attack happens, give you the ability to control it, segment it and recover quicker,” Hadley says. For example, teach employees to validate emails before acting on them, to back up systems and test the backups and how to use two-factor authentication. “All of these things together create that culture of security because there is no one magic bullet,” Hadley says.
- Never stop learning. “If you’re a security professional, you have to accept the fact that you must continue learning,” Herold says. She recommends joining privacy, security and compliance associations. “Not only do you get their publications and resources, when you start communicating with your professional peers, you learn what others have experienced, their challenges and how they resolved them or what led to breaches and so on. It’s a very important way to keep up-to-date.” Consider listening to podcasts and webinars to stay current too.
- Employ manual processes. “Clients often don’t have provisions for manual processes in their security plans,” Hadley says. “Do you have a paper copy of the phone tree you’re supposed to call somewhere so if the systems truly are impacted and locked up, you can actually call? In a real-world breach, things are moving fast, and you can’t always rely on just the norm.”
- Use two-factor authentication. “Organizations need to use two-factor authentication and encryption much more—that would significantly cut down on breaches,” Herold says. “If you have two-factor in place, that eliminates a lot of issues,” agrees Hadley.
- Go back to basics. “For those of us who’ve been doing this for a while, we really do forget those basics,” says Candela. “Are you really doing the absolute basics that you need to do to secure the systems? You’re not going to prevent a data breach—you’re not going to even know you had a data breach—unless you’ve got those very basics sorted out.”
- Consider your third-party policies. “Make sure you have a good vendor, security and privacy oversight program. Don’t assume that they have strong security controls because most of them don’t and your responsibility follows the data. You need to do your due diligence because an increasingly large number of breaches and security incidents are occurring within third parties,” Herold advises.
- Have a holistic mindset. “You’re never going to be able to stop every threat, so you’ve got to have this holistic mindset of security that makes your data harder to breach. If you are breached, the damage is going to be less and you will be able to recover quicker because you’re doing all this hygiene around security and privacy that makes you a much more resilient target,” Hadley says. “You’re never going to be bulletproof, but you can be bullet-resistant.”
- Don’t forget physical security. “Security professionals from all sectors need to address three areas of information security—administrative, technical and physical,” Herold says. “Too many organizations focus on just administrative and technical without addressing physical. Especially now that we’re in a mobile society, people are traveling and working remotely.” A frequent traveler herself, Herold says she can often read sensitive emails on other people’s screens in a variety of places. “A privacy filter on your screen helps,” she says. Employees should also be aware of how loud they’re talking, says Herold. “I’ve heard so much sensitive information over my career in airports, restaurants and elevators. That’s a part of the security and privacy program, or it should be.
Want more information? Check out these expert-approved resources.
- Information Systems Audit Control Association (ISACA)
- International Association of Privacy Professionals (IAPP)
- Information Systems Security Association (ISSA)
- ASIS International
- National Institute of Standards and Technology (NIST)
- American Legislative Exchange Council (ALEC)
- National Conference of State Legislatures (NCSL)
- GDPR official site