For many organizations for too long, data security has been addressed as a math problem. Estimate the likelihood of a vulnerability being identified and exploited by a bad actor, multiply it by the potential cost of the event, and you get a projected risk cost.
But in today’s rapidly changing threat environment, there’s a dirty little secret to those math exercises: The negative impact of security breaches has not been terribly significant to most organizations.
At least, not yet.
As long as the cost of an event isn’t too high, executives too often felt it was cheaper to insure against potential loss than to put in place a robust, comprehensive, and agile security framework.
The math is changing rapidly. Stronger regulations are already driving up the cost of poor data security. The number of potential vulnerabilities is expanding faster than ever, and the economic, operational, and brand damage done by security exploits is driving up risk exponentially.
Watch out: The sharks are circling
If you haven’t implemented a comprehensive data security, or if you’ve ignored the growing warnings signs, you will soon realize that there are at least three rings of sharks circling:
- Cyber hacking sharks breach your meager defenses and cast your clients’ data like so much chum on the seas. You can imagine these sharks wearing Guy Fawkes masks and black t-shirts sitting in their parents’ basement in some suburb of Pittsburgh, or perhaps they are wearing some sort of military uniform sitting with many other similar-looking sharks in a high-tech bunker in some country that doesn’t like us much.
- Your very own aggrieved clients and their attorneys wearing bespoke shark suits smell blood and are ready to litigate the waters into a pink foam.
- Regulators and states attorneys general will happily swim into the frenzy and impose fines and injunctive relief to churn the waters into a frothy boil.
Enough with shenanigans
Regulators around the world are losing patience with our inability to address basic security challenges:
- UK’s Information Commissioner Elizabeth Denham, in handing out £400,000 fine for a breach resulting from an unpatched system, said a large, well-resourced, and established company “should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
- The German Data Protection Authority LfDI’s first fine under the European Union’s General Data Protection Regulation (GDPR) was €20,000 against a company that, among other things, failed a basic security practice: “By storing the passwords in plain text, the company knowingly violated its obligation to ensure data security…”
- The FTC has written straightforward guidance on how to avoid many of the missteps made by entities it has settled with, from poor access control and weak passwords to misconfigured encryption controls and slow response to announced vulnerabilities. By using examples from real cases, the FTC is clearly naming-and-shaming — if not the entities themselves, then the poor data security practices they employed.
If only there was some legislative guidance…
Actually, there’s plenty of legislative guidance. Unfortunately, specific instructions in the laws themselves are seldom forthcoming. Some examples (emphasis added in each case):
- The GDPR, which came into full effect on May 25, 2018, requires that controllers and processors of personal data “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
- The U.S. Gramm–Leach–Bliley Act has covered data security requirements for financial institutions since it was enacted in 1999: “…each agency or authority… shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards to insure the security and confidentiality of customer records and information…”
- The U.S. Health Insurance Portability and Accountability Act (HIPAA) says that “covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified…”
- In the U.S., where there is no single federal requirement for security of privacy, individual states have come up with their own requirements. In Massachusetts, legislators enacted the Standards for the Protection of Personal Information of Residents of the Commonwealth: “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate…”
- Similarly, California legislation requires any “business that owns, licenses, or maintains personal information about a California resident [to] implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Reasonable security? Come on!
This is the point where most CISOs would tear out their hair. Where’s the actual guidance? What constitutes “reasonable” or “appropriate?”
Well, regulators and enforcement agencies have given us guidance as to what constitutes “reasonable” or “appropriate” security, and more is expected to be forthcoming from the EU Data Protection Authorities (DPAs).
In the U.S., at the federal level, regulation and guidance is typically focused on federal agencies, suppliers and contractors for the federal government, or on specific verticals like finance and health care.
- For U.S. federal agencies, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure gave clear instruction to the heads of federal agencies by requiring they use the NIST Cybersecurity Framework: The NIST Special Publication 800-53r4 provides a catalog of security and privacy controls that are to be used by US federal information systems and organizations, while SP 800-171r1 covers the same for government suppliers and contractors.
- The US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) broadcasts its intentions in an annual list of examination priorities. In 2014, the OCIE announced that cybersecurity was a priority for their examiners, and they provided a risk alert that outlined specific controls and processes they expected to find at broker-dealers and investment advisors.
- The US Department of Health and Human Services has provided guidance on the administrative, physical, and technical safeguards required of covered entities under the HIPAA Security Rule, including guidance on risk analysis and management.
U.S. state legislators and attorneys general have provided some guidance to help firms to comply with their obligations, such as Massachusetts’ compliance checklist provided for small businesses and California’s recommendations, including the use of multi-factor authentication and strong encryption, along with a call for state policy makers to “collaborate to harmonize state breach laws.”
Meanwhile, in the EU, member states and their respective DPAs have the authority to authorize Codes of Conduct “certification mechanisms,” and certification bodies. GDPR does provide some guidance, such as “data protection by design and by default,” “records for processing activities,” and “data protection impact assessments.”
What do we do with all this guidance?
I hope you get the idea that serious repercussions await should you fail to implement adequate or reasonable data security controls. If you happen to work in an industry where there’s clear guidance, then you’d obviously be negligent if you didn’t follow it.
But what about those cases where the guidance is less than complete? Regulators have made it clear that good-faith efforts go a long way, and fines or other actions may be significantly reduced if it turns out you were honestly trying to do the right thing. At a minimum:
- Make it clear that security is a priority across the entire company. This usually means you have a CISO and executive support for a security program.
- Create and maintain a comprehensive security program based on a well-known framework (like the NIST CSF, ISO/IEC 2700x, CIS 20, or COBIT).
- Continuously and comprehensively identify your critical assets (including sensitive data, intellectual property, staff, and other resources), perform regular risk analyses when those assets are involved, and tailor your security program to those risks. For example, if your cloud environment is changing daily, or hourly, be sure you can adequately monitor and measure risk through all those changes. It doesn’t matter where your assets may be – in your systems, in the cloud, or on a vendor’s system. Be sure your security program covers them.
- Document what you’re doing, and be prepared to demonstrate it.
- Test your program regularly and frequently with internal stakeholders and external experts.
- If you can, bring in an outside auditor, and get certifications you can share with clients or regulators. At a minimum, use external experts to regularly test and evaluate your program.
- Pay attention to the regulators and laws that may impact you, and learn from them (as well as from your peers at companies that clearly weren’t paying attention).
Remember, if you suffer a breach but you are able to demonstrate compliance with one or more well-established cybersecurity frameworks, fines may be lessened and injunctive relief may be reduced. CCPA even includes a 30-day period to allow a company to “cure” identified issues before a consumer may sue.
So, get out there, get a good shark cage, and keep your data safe.