Recently I traveled to Los Angeles to speak at a NetDiligence Cyber Risk and Liability conference on a panel focusing on technology to mitigate risk. I was eager to attend and speak at this conference since the area of data breach clean-up is a field that I rarely come in contact with. In our organization, we spend much of our time consulting with companies who are attempting to prevent a data breach or meet compliance by implementing encryption and key management technology, and rarely are we involved in any post-breach scenarios involving breach forensics, insurance payouts, or litigation.
From speaking to attorneys who attended this conference, this is what I learned: Executives don’t treat their data as an asset that needs to be protected as a part of governance and risk mitigation. This is a pervasive issue that is exemplified in highly publicized data breaches that seem to occur on a weekly basis. Negligence around data protection, I believe, simply stems from a lack of education. Twenty or 30 years ago, when most enterprise executives were in business school, governance of sensitive, electronic data was not taught, simply because the issue didn’t exist. Today, protecting data as a method of risk management is an entirely new field. Unfortunately, as data breaches become more and more serious, business leaders can no longer avoid the issue or fall back on an “I’ll just pay the fine” mentality, which is woefully inadequate since the cost of a data breach extends far beyond fines to respective governing industry regulators. The cost of a breach includes fines, brand damage, loss of customer loyalty, litigation, credit report monitoring for affected customers, and even job loss. Executives should take a note from the ex-CEO of Target to learn how a data breach reflects on leadership (or lack-there-of).
In the face of never-ending data breaches and an entire industry based on hacking complex networks, the question now becomes, how can executives effectively mitigate cyber risk and liability using technology?
1. Accept data is a critical part of governance, risk management, and compliance
Imagine a CEO walks into a room with his or her board of directors and says, “I’m going to cancel our errors and omissions insurance.” Any director would be terrified and livid to hear their CEO say such a thing, and likely begin to doubt his or her ability to govern. However, in a similar situation, if a CEO said, “I don’t think we’re going to encrypt our customers’ sensitive data this year,” historically no one would have blinked an eye. This is changing. The cost of a data breach has skyrocketed to a point where ignoring the risk of unprotected sensitive data is considered negligence. Executives need to understand that not encrypting sensitive data reflects on their ability to govern.
2. Know what data is considered “sensitive” and needs to be protected
Sometimes business leaders aren’t even sure which data needs to be encrypted. Overall, it is common knowledge that data such as credit card numbers and social security numbers need to be encrypted, especially under payment card and financial regulations such as PCI-DSS and GLBA/FFIEC; however, loyalty data such as email addresses, passwords, and phone numbers are considered sensitive and should be protected. Hackers are great aggregators and can derive very sensitive data from this kind of information. The recent JP Morgan Chase breach is a good example of a breach of customer data that landed a business in hot water. Executives need to examine which regulations they fall under, as well as consider what is now considered sensitive (even though it may not be listed as “sensitive” under regulation), and encrypt that data.
3. Learn to ask the right questions
Executives have learned to ask the right kinds of detailed questions to ensure their financial and business processes are limiting risk, but they still haven’t learned to ask the same kinds of detailed questions about their data security. In fact, it’s common for a CEO to simply ask their security or IT department, “are we secure”? Unfortunately, vague questions such as this get vague answers. While business leaders should work with a qualified security auditor to determine what kinds of questions they need to be asking their IT security team, here are a few examples that might be helpful:
Can I get an itemized list of all of the locations of our sensitive data, and the specific method in which we are protecting those sets of data?
Are we transferring sensitive data across networks? How are we encrypting that data?
Are we encrypting our data at rest? If so, are we using industry standard methods such as NIST AES encryption or RSA encryption?
How are we managing our encryption keys? Are they located in a secure, FIPS 140-2 compliant encryption key manager?
4. Know the limits of your technology
Assuming a certain amount of risk is common when that risk can’t be avoided. Unfortunately, it’s not very pleasant to realize you’ve assumed risk that you are unaware of. Many large retailers have been experiencing this recently with data breaches occurring in their point-of-sale systems. Understanding the limits of the technology you use is critical to preventing data breaches. Many organizations still rely on firewalls, strong passwords, and intrusion prevention software alone to protect sensitive data. These methods are certainly a component of a data security strategy, but they have limits, and are inadequate to protect sensitive data. Industry regulators know this which is why data security regulations require if not strongly recommend the use of encryption and encryption key management.
5. Encrypt data everywhere, including in the cloud
The internal network of any businesses can be incredibly complex. With many points of entry in many departments, a network can be easily breached. Encryption and key management are defense-in-depth technologies used to stop data breaches before they happen. Since data moves across multiple applications and networks, in every location where that data moves or stays it needs to be encrypted. Any sensitive data processed or stored in the cloud should always be considered in danger of greater risk, due to the inherent insecurities of a multi-tenant cloud solution. Assume that any holes in your encryption strategy will attract a breach.
Managing risk by implementing the right technologies is critical to mitigating the effects of a data breach. To learn more about encryption and risk mitigation, download the podcast, “Encryption, Key Management, and GRC: Technology to Mitigate Risk”