Security incidents, loss of customer data, exposure of confidential corporate assets, ransom demands, and similar stories have become daily headlines, with the impact felt across a wide variety of industries. We hear it every day. One need not look to the history books for examples of significant and costly breaches of sensitive data maintained by companies and other organizations. Large-scale and wildly divergent security incidents occur all the time:
- In January 2017, a company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices was hacked exposing nearly a terabyte of sensitive corporate data, including information on its customers, its phone-cracking technology and other sensitive information about the company’s products.
- In May 2017, it was reported that the online education platform was breached, exposing the records of at least 77 million accounts, including usernames, email addresses, and hashed passwords, all of which went up for sale on the dark web.
- In July 2017, it was reported that the customer records for at least 14 million subscribers of a telecommunications company, including phone numbers and account PINs, were exposed.
- In 2017, millions of computers worldwide were subject to the WannaCry ransomware attack, considered to be one of the largest ransomware attacks of its kind, impacting the data of companies worldwide.
In addition to the foregoing, the CIA, Yahoo, Equifax, the TSA, the US Air Force, a national air carrier, a global audit, consulting, tax, and advisory service provider, and a web performance, content delivery network, and Internet security services provider have all been subject to highly publicized cybersecurity breaches, and there appears to be no end in sight.
When a security incident strikes, we are all victims: both the data subjects and the companies that have been breached. Each of these incidents, and the many others like them, serves as a constant reminder of the harm that security incidents can cause to both individuals and companies. As a result, companies looking to avoid having their name added to the ever-growing list of cybersecurity breaches should consider reviewing and revising their existing security practices and protocols.
While awareness of the importance of cybersecurity has certainly risen over the last decade, in both the public and private sector, a number of myths still permeate common perception. These myths have created hesitance in the boardroom to take more proactive measures toward enhancing cybersecurity efforts. Hopefully, by debunking some of the most common myths, organizations can once again focus on making the company more resilient to security incidents.
- Myth #1: “It’s all about the data”
- Security must be designed to protect not only the data or information (including a company’s intellectual property), but the information system itself (including the people who monitor and access the system). Security should be approached from both a holistic and a segmented perspective. By focusing only on certain components, or only on the data, the entire system is left vulnerable, which ultimately leaves the individual segments and the data susceptible.
- Organizations also need to consider the reputational harm that results from a breach. In the U.S., indirect costs, including lost business, the cost to attract or retain customers, and the loss of confidence in a company, often account for two-thirds of the cost of a data breach.
- Myth #2: “It’s all about confidentiality”
- Confidentiality of information is only one element. Equally important are the integrity and availability of the information. Integrity aims to ensure that the information has not been altered, whether maliciously, accidentally, or due to a system error, and availability aims to ensure that the information is accessible when needed.
- Myth #3: “To be a hacker, you must be a technology genius”
- A vast amount of information and resources exist that allow even technical novices to “hack” systems. Not all hackers are former technology geniuses gone rogue. The average vulnerability has been known for more than 10 years and exploits are easily obtainable, which enables “script kiddies” and other average, ordinary individuals to contribute to security incidents.
- Myth #4: “It’s an IT Department issue”
- The IT department may be responsible for devising the security mechanisms that guard against external threats, but cybersecurity is an enterprise-wide issue that requires buy-in and direction from the board and upper management. Increasingly, board members are held responsible for neglecting their fiduciary duties when they ignore cybersecurity in their organization. Even if the IT department implements strict safeguards, the strongest procedures will fail if employees are not educated on the importance of security “hygiene,” as security is only as strong as its weakest link.
- Myth #5: “I can achieve (need) 100% security”
- While there is no one-size-fits-all approach to security, it is also impossible to achieve 100% security. One study estimated that an organization wanting to achieve the highest possible level of cybersecurity, which itself was only capable of repelling 95% of attacks, would have to boost its cybersecurity spending nine times. The study also found that, just to be able to stop 84% of attacks, organizations would have to double their investment in cybersecurity.
- As security protections are increased, the usability of the secured system decreases, and vice versa. Even if it were possible to stop 100% of attacks, the system would not be usable for its intended purpose. Therefore, organizations should appropriately balance their security efforts with usability, and focus on managing the residual risks that remain after their investments.
- Myth #6: “I’m safe. I have great security.”
- The biggest myth of all is the false belief that an organization is safe because it has “great” security. Thousands of new viruses and exploits are developed every day. According to an Imperva/Technion-Israel Institute of Technology study, the initial (zero-day) threat detection rate is only 5%. According to a Verizon study, 83% of intrusions took weeks or more to discover. According to a Trustwave Holdings study, the average time to detect an intrusion is 210 days.
While security incidents due to hacking receive most of the attention in the headlines, in reality data breaches occur daily due to a wide number of causes. Thus, a reasonable security program must be well developed to guard against external hackers, but it is also important to keep in mind the impact of everyday actions, including one of the biggest threats facing companies today: the risk from internal people and sources. This includes rogue employees and malicious “insiders” who have access credentials and knowledge of a company’s confidential information, as well as the everyday employee who carelessly clicks on a link or sends a file outside the organization in response to a phishing email.
While there is no such thing as perfect security, there are a number of best practices that organizations should implement and principles to be mindful of to help mitigate the risk of a security breach. This includes the development of internal policies to protect confidential information, including personal and sensitive information, along with intellectual property. On a macro level, the most effective protocols are those that: (1) restrict access to the information (i.e., via comprehensive network security), (2) limit the number of people who know the information and have those people sign non-disclosure or confidentiality agreements (i.e., employees agree to confidentiality as part of their employment agreement; third parties and business contacts sign NDAs), and (3) mark any written material pertaining to trade secrets or protected IP as confidential and proprietary and/or follow up in writing if there is a verbal disclosure. The following are additional considerations and suggestions for a more effective cybersecurity program:
Common Components of Effective Security Policy Programs
- Be aware of Federal and State requirements; tailor privacy policies as applicable.
- Designate people responsible for security in the organization.
- Conduct security training for employees.
- Take reasonable steps to ensure vendors/service providers protect data.
- Consider minimizing data collection.
- De-identify where possible.
- Conduct a privacy or security risk assessment initially and periodically thereafter.
- Consider encryption, particularly for storage and transmission of sensitive information.
Ten key elements of a cybersecurity risk management program
- Incident management
- User education and awareness
- Managing user privileges
- Managing home and mobile working environments
- Removable media controls
- Malware protection
- Monitoring
- Secure configuration
- Network security
- Cybersecurity insurance