Privacy issues have long been a big concern when it comes to cybersecurity, but with major security breaches like the one Target experienced in December 2013, staying ahead of security threats is becoming more and more difficult. According to a USA Todayreport, the retail industry is particularly vulnerable due to its billions of transactions each year in which financial and personal data are collected, but no business is immune. Here, experts weigh in on steps you can take to improve your security in cyber space.
Make Sure You Have Fundamental Security Controls in Place
The best place to start with fundamental cybersecurity is to make sure you know where your most important assets are in terms of information, document them and come to an agreement with what level of controls make sense, says Jake Kouns, Chief Information Security Officer at Risk Based Security. “You don’t need to put some massive, complicated policies and procedures in place that strangle the business. Work with your management in the organization to figure out where your most important assets are and what you need to do to control them.” Once you do that, “a lot of the fundamentals really come to maintaining systems, ensuring that security patches are installed, and making sure that servers and desktops and applications are configured properly with security in mind,” says Kouns.
Don’t ever use default settings for hardware and always install updates for your software. “Things like Plug and Play are great for the user, but it’s also great for the attacker because they’re able to easily use the default settings to take control and do malicious things. Whether it’s your home or your business, once you install something, you need to make sure it’s configured securely. If you use the default settings, the attackers have those too. When you install a default, it’s not secure,” Kouns says.
Understand Data Life Cycle
“It’s really important for any company, no matter what sector of business they’re in, to understand data life cycle. That’s how data comes into the organization, how the data is stored and maintained once it’s in the organization and who has access to it,” says Matthew Meade, co-chair of the Cybersecurity and Data Protection Group at Buchanan, Ingersoll, Rooney PC.
“For example, if I’m working for the ABC Company and I get an email with 10,000 Social Security numbers on it sent to my email box at the company, how is that data stored once it gets in the system? Does everyone in the company have access to that file once I get it? When you’re done with the data, how do you destroy and get rid of it? You need to understand the data you collect.”
A common problem Meade has found that companies do not understand everything they have within their system that may be vulnerable. “They may have documents that are years old that have Social Security numbers in them that no one uses anymore, but they still have them and if someone got access to it, it’d be a problem,” say Meade. Take steps to identify what data you collect, how and where it’s stored, what you may have lying around in paper form, who has access to the data and how the data is destroyed.
Have a Breach Response Plan
In the event of a breach, you need to have a written plan to take immediate steps and know who is going to analyze the problem, who will notify the people impacted by the breach, and who you can call for help, among other things, says Meade. Kouns also believes a breach response plan is key. “Breaches are becoming commonplace, and companies need to be prepared to deal with these events. It’s not so much is an event going to happen to you,’ it’s ‘when an event happens to you, how are you going to respond and deal with it?’ That whole breach response incident management can go a long way. Now the government is fining companies for not having security in place and not notifying affected customers, so you can really reduce those potential financial damages if you have a plan in place to respond appropriately and clean that breach up,” he says.
Look Into A Written Information Security Program (WISP)
The object of a Written Information Security Program is to protect customer privacy and data. Currently, Massachusetts is the only state to require a WISP; their law states that regardless of where a company is located, if it maintains personal information about residents in Massachusetts, it has to take certain steps to protect and secure that data. “Even if a company has no customers or data from anyone in Massachusetts, putting together a WISP is considered best practice,” Meade says. There are many sample WISPs online, including a guide at mass.gov, to help get you started.
Know Your Vendors
“One of the key takeaways from the Target breach is to know your vendors,” says Meade. “When you provide data to third parties or give them access to your network, you still have to protect and secure your data. You need to carefully evaluate and understand anyone who has access to your network and anyone you are providing data to.” If a company uses a vendor to process or analyze data, for example, if there’s a breach of that third party, it’s still the hiring company’s responsibility to give notice to the people who are impacted by that breach. Meade recommends that in any agreement with a third party who has access to your data, you should make sure they are obligated to give prompt notice upon discovery of a breach. Also, determine whether or not they will cover the costs involved with a breach if it’s their fault.
Attacks Are Not Just From The Outside
You’re not just protecting yourself from the outsider hacking in, says Mark Tanner, President at Arixmar, and Director of Homeland Security Solutions. Often, a hacker will get in using an insider’s credentials and start exfiltrating files or stealing information from the inside. Tanner recommends real-time, continuous monitoring of your network so that atypical behaviors can be observed. “You can create models and patterns of people’s normal behaviors based on their roles and responsibilities, and you can develop algorithms and apply some technologies to discover abnormal behavior,” he says.
Evaluate Encryption
An extremely common way for a security breach to occur is when laptops or jump drives are stolen. Encryption can help prevent privacy and security breaches. “If I accidentally send you an email with all sorts of info about my clients, but it’s encrypted and I ask you to destroy it, that wouldn’t be a data breach because the idea is, if it’s encrypted, you couldn’t access it unless you had the encryption key. The same principle applies for a laptop. If a laptop is lost or stolen with encrypted data on it, if somebody finds it, they can’t get the data because it’s protected by encryption. To the extent that you can use encryption to protect and secure personal information, you should,” says Meade.
“In general, encryption is one of the best controls that a company can implement to protect their data,” Kouns says. Be cautious though: “Encryption is a great security control, but finding and implementing the right solution very much depends on the maturity of the IT department and their budget. If our clients have a solid IT department with technical skills, they can use TrueCrypt, as it is a free, open-source encryption solution. However, we recommend that companies that do not have the proper IT support work with someone that can help them plan and implement encryption properly. If encryption is implemented improperly, it may still protect the data, but it could also make the data inaccessible to even approved people at the company, causing serious issues,” he says.
Train All Your Employees in Privacy Issues
It’s important that all employees in the company receive training, not just managers, says Meade. Everyone in the company needs to understand the records and documents that contain personal information and how to safely and securely deal with them. “I did training for a big company, and they asked if they had to bring the janitors to the training. I said ‘absolutely,’ because who is going to see a box of records that have Social Security numbers on them sitting in a dumpster? There needs to be top to bottom understanding of what it means to comply with data security and privacy. Training is really important, and it’s not just two minutes,” he says.
Consider Cyber Liability Insurance
Kouns recommends looking into cyber liability insurance. If you have the insurance, “in the event of a data breach, you’ll have financial recourse and a partner to help you respond to these breaches. I tell companies to take it seriously as a potential risk management solution,” he says.
The bottom line: “Look at your company, look at what you’re doing, look at your exposures and pick the ones that are most likely to lead to some kind of compromise or breach. Prioritize. Figure out the risks and your most important assets and put the controls in place there,” Kouns says. “Every company has sensitive information, whether it’s a customer list or the secret sauce that’s in their product, so they should take steps to protect it appropriately. You can’t be completely secure, just like you can’t be completely secure when you go out and cross the street. You could be assaulted or robbed or hit by a car, but you can take reasonable precautions to make sure that doesn’t happen,” says Tanner.
Cybersecurity at ASIS 2014
At ASIS 2014 cybersecurity is more than just a one-sided conversation about data. It cuts across the business as a whole and can affect corporate reputations and individual privacy. The session “Mitigating Risks to a Company’s Reputation” will explore how reputation risk can rapidly cascade throughout an enterprise to immediately produce adverse effects on value, supply chain relationships, consumers, revenue, share price and market position. Hear examples from a panel on “The Convergence of Crisis Management, Business Continuity, and Organizational Resilience” as panelists describe enterprise risk management and how to integrate physical and IT security with emergency response and business recovery. (ISC)2 will present “Incidents Are Against Our Policy: Conflicts Between Good Infosec and the Forensic/e-Discovery Process” that will address how companies can protect data when incidents, accidents or litigation results in a large-scale digital forensics or e-discovery collection. Visit www.securityexpo.org to preview these and more than 200 other educational programs in 20 topic tracks.