Headlines on data breaches can conjure images of a room full of “black hat” hackers actively working to penetrate your network and steal your data, hold your systems for ransom, and leave you helpless. It’s easy to imagine considering that breaches are reported nearly daily, and they are estimated to cost $600 billion in 2016.[1] But honestly, that’s an unlikely scenario, since only 37 percent of data breaches are caused solely by actual hacking.[2]
Issues with cybersecurity and data breaches also tend to be associated with large global brands and other high-risk organizations. They are perceived in the market as big company problems, but the fact of the matter is, an estimated 70 percent of all companies have been breached – the majority of them just don’t know it yet. The companies of specific concern are those with executives who swear that they’ve got the best security and can’t be breached.
Government agencies, which host millions of confidential records, tend to have robust layered security and top-of-the-line security protocols, and they still regularly fall victim to cyberthreats. Take, for example, the Office of Personnel Management (OPM), which handles millions of employee and contractor records; OPM was breached in June 2015, resulting in over 20 million compromised records. Upon investigation, it was identified that the breach was due primarily to a lack of compliance with some basic tenets of IT security, such as the use of weak user names and passwords. It was noted that “The majority of things that were hitting OPM at that time [were] going to be your typical phishing scams.”[3]
If large companies and federal agencies with large information security budgets fall victim seemingly daily, what is a small company with limited resources to do? Is this a lost cause? No, especially when you consider that 46 percent of data breaches arise from employee or third-party malfeasance, error or neglect.[4] There are steps – relatively basic management and control procedures – that organizations can take to address key cybersecurity risks and that don’t require a huge capital outlay.
Security Awareness
The best way to address the risks associated with employee errors and neglect, which account for 28.6 percent of breaches,[5] is through comprehensive security awareness training. This training should be a combination of classroom instruction and empirical examples to reinforce learning. Advanced training – including key tenets of information security, phishing or hacking scams, and data encryption – should be provided to those with access to confidential and proprietary information. Information security needs to become part of the culture of the organization; when changing processes or on-boarding services, someone should be asking, “What is the information security impact of…”
Information Security Program
In addition to security awareness, companies need to maintain a comprehensive information security program. This sounds highly technical, but the basic concepts are understandable. These are the key aspects of an information security program:
- A comprehensive risk assessment over the IT environment
- User and administrator authority and access controls
- Password complexity and industry best practice password configurations
- Firewalls, intrusion prevention services and intrusion detection services
- Data classification, segregation and encryption
- Remote access provisions, including a virtual private network for remote access and bring your own device protocols
Information security parameters and organizational awareness may be assessed and reinforced by security vulnerability assessments and penetration testing, which include specific tests designed to exploit security weaknesses. These efforts should also include social engineering components to test how employees react to common phishing scenarios.
Data Encryption
In transit:
Data is in transit when it is sent and received across a network. In the absence of encryption, the data can be intercepted by someone else on the same network. On a wired network, that could be someone with the ability to tap a cable and eavesdrop on the data stream traveling across the network, or fool your computer to redirect the data to them. On an unencrypted wireless network, all they need is to be within range.
Both wired and wireless networks can be protected from unauthorized snooping by encrypting all traffic. Encryption in transit should be mandatory for any network traffic that requires authentication or includes data that is not meant for public viewing. There is no need to encrypt your public-facing website; however, if you expect customers to input private information, you should use encryption to protect their privacy while they access your site.
At rest:
Data is at rest on any type of physical storage media. Encryption of data stored on media is used to protect the data from unauthorized access should the media ever become lost or stolen. In that event, encrypted data on the media remains inaccessible without possession of the associated digital encryption key. Encryption at rest should be mandatory for any media that may end up leaving the physical boundaries of your protected infrastructure. USB flash drives, backup tapes, external hard drives and the hard drives of all laptops should be encrypted without exception. To protect data residing on your servers against users with ill intent or vendors, you should encrypt all server hard drives and other associated storage media. By encrypting server hard drives and associated storage media, you no longer have to rely on physical destruction to ensure that your customers’ and company’s data is secure when a drive or other media is removed from the server.
Encryption is important in mitigating the damage caused by data breaches, in complying with privacy and data protection regulations, and in preserving brand and reputation. The costs associated with implementing and managing encryption solutions have come down significantly. With encryption in use while data is both in transit and at rest, data can be protected from unauthorized access. Given the prevalence of unencrypted internet access and the loss and theft of IT assets today, using encryption should be the generally accepted norm.
Vendor Risk Management
Vendor risk management is the process of administering third-party services to ensure that the company maximizes its value and minimizes its risk from those service providers. This is accomplished by implementing a vendor management process. For a vendor risk management process to work effectively, the organization’s culture must include an understanding of risk and general awareness of the company’s risk appetite. There must also be identification of relationship owners and involvement of all relevant stakeholders to ensure both accountability and objectivity. If the above are present and functioning, the phases outlined below comprise a comprehensive approach to vendor risk management.
- Planning
  - Stakeholder identification
  - Risk assessment
  - Needs analysis and scope definition
  - Identify potential vendors
- Due diligence to obtain and review
  - Company history
  - Reputational and financial standing
  - Risk management program
  - Information security practices
  - Service organization controls (SOC) reporting
  - Business continuity and recovery plan
  - Any use of sub-contractors or sub-service contractors (fourth-party vendors)
- Contracting
  - Leverage a service level agreement; use clear, unambiguous language
  - Define scope, timing and fees for the arrangement
  - Document data confidentiality responsibilities
  - Determine any performance measures and/or benchmarks
  - Incorporate internal control monitoring requirements (e.g., SOC report, right to audit)
  - Data ownership and turnover provisions
- Monitoring
  - Risk-based process
  - Replicate due diligence procedures for high-risk areas, such as SOC reporting, SLA performance monitoring or stakeholder performance assessment
- Termination
  - Notification of termination
  - Secure data transfer
  - Confirmation of termination
This year will not bring an end to data breaches and cybersecurity threats; it is highly unlikely that 2017 will be the year cyberthreats end either. However, with a sound information security program, risk-appropriate data encryption and a comprehensive vendor management program, a company can reduce the risk of becoming the next headline-worthy data breach and the estimated $3.8 million price tag associated with it.[6]
[1] Forbes, “The Best Practices in Cyber Security for Small-to-Medium-Sized Businesses”
[2] idtheftcenter.org, ITRC Breach Statistics 2005 – 2015, 2015 data
[3] http://www.npr.org/sections/alltechconsidered/2016/06/06/480968999/one-y…
[4] idtheftcenter.org, ITRC Breach Statistics 2005 – 2015, 2015 data
[5] ibid
[6] http://www.ponemon.org, Cost of a Data Breach 2015
Russell Sommers is a senior manager at Baker Tilly. Dennis Schaefer is a manager of technology risk and regulatory advisory at Baker Tilly.
You can reach the authors at russell.sommers@bakertilly.com or dennis.schaefer@bakertilly.com with any questions about the article.