Why Do You Need a Security Awareness Program?

Continuous education is a key way for organizations to ensure that their employees stay up-to-date with current industry best practices, and teaching employees and contractors the importance of information security and personal privacy should be an integral part of it. For organizations that process personally identifiable information (PII) and protected health information (PHI), maintaining a security awareness program ensures that employees and contractors are fully aware of the obligation to keep such data secure and of why it matters. Because employees and contractors so frequently come into contact with PII and PHI, they are the frontline troops who secure protected information, and they must therefore be trained on the sensitivity of the information they control as well as the risks associated with it. Ultimately, in this day and age, it’s irresponsible not to have a security awareness program in place.

What Should Your Security Awareness Program Include?

Instituting a culture of compliance is the first step towards establishing an effective security awareness program. Leadership should set the tone for compliance and inspire employees to uphold security best practices. If employees see management’s focus on creating a secure work environment, that attitude will spread.

Aside from establishing a culture of compliance, your security awareness program should act as a comprehensive overview of security best practices. For example, you might hold a monthly meeting to discuss recent breaches in the news and what your employees could learn from them. This would allow leadership to engage employees in conversation, ask questions about potential security threats, and discuss what employees should do in the event that a breach occurs.

A security awareness program is just as much about implementing as it is about educating. So, you might review updates to your password expiration policies with employees, and then practice creating passwords that would meet the new requirements. You might teach employees how to identify phishing attempts made via email, and then test that training with mock phishing attacks. Using mock breaches during your security awareness program also allows organizations to review and practice policies and procedures for reporting breaches and to identify any issues with your organization’s incident response plan.

For additional tips on how you can plan and implement a security awareness program, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you establish a security awareness program, contact us today!

These days, an important program for any kind of employer to maintain is a security awareness program to help employees and contractors in the workplace understand the importance of information security and personal privacy. As organizations control and process personally identifiable information such as credit card numbers or Social Security numbers, the organization often has an obligation and a need to secure that information. The frontline troops in securing information are the employees as well as contractors who might be in the workplace. These employees and contractors need to be aware of the sensitivity of the information they control and the risks associated with this information, such as the possibility that an unauthorized person will trick the employee into disclosing personally identifiable information. The employer today is wise to have an awareness program that covers all employees and contractors who are handling this kind of sensitive information.

One kind of awareness program is the program that’s called “Securing the Human,” which is offered by the SANS Institute. The SANS Institute is an educational organization in the information security world, and it publishes a whole range of videos that employees can watch and can click on to indicate that they’ve actually watched them and understood the content of the video. The video will warn employees about clicking on strange attachments from unexpected electronic mail where the attachment might have a virus or a Trojan built into it. Employees are trained through these videos that they should be suspicious when they get a strange telephone call from someone asking for their password, for example. These are just a few examples with many kinds of topics that need to be addressed in a security awareness program in the modern workplace.

The videos are not the only way to have a good awareness program; there are many creative things that a wise organization could implement. For example, you could have a brown bag seminar where you invite employees to come during lunch and hear your security awareness team explain the kinds of risks and threats that are most prevalent within your organization. Maybe another form of security awareness training could be to periodically send email updates to employees that notify them of different kinds of attacks and how to avoid them. In these updates, you could also remind employees that if they ever have a question, they need to contact your security team.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Using a Risk Assessment to Report Consumer Risk

Because there are so many different laws that regulate how and when an organization must give notice if it has had a data security breach, understanding the correct plan of action for your organization, or determining how to report consumer risk from breaches, might be daunting. Nevertheless, the laws do have one major commonality: does the consumer suffer a significant risk of harm? Consider a Social Security number; if someone’s SSN was compromised, they’re at risk for true-name and account-takeover identity theft. This would be a significant risk of harm to that consumer. Or, for instance, let’s examine a patient whose medical records were compromised. What is the probability that the patient would suffer some kind of embarrassment or identity theft? The level of risk of harm may change based on the type of medical records, like a compromise of an HIV status versus dental records.

If an organization believes that a data security breach has occurred, it should try to remediate the problem at hand as soon as possible and report consumer risk. A risk assessment is a useful methodology for identifying, assessing, and prioritizing organizational risk, and it thus allows organizations to implement a plan of action quickly and efficiently. Risk assessments can be used for a variety of reasons, such as locating gaps in security, understanding risks, evaluating how breaches occur, and remediating gaps and/or breaches.

Risk assessments also allow organizations to determine the level of risk relative to the final consumer – is it a significant or a low risk? It’s also important to keep in mind the subjective nature of risk. We often use the example of a worn tire to illustrate this. When we consider the tire on its own, we can conclude that it is worn-out and in bad shape, and that there is significant risk. However, when you picture the tire hanging from a tire swing rather than mounted on your car, the context changes and the tire is no longer a significant risk. This combination of factors is important to consider when you look at an asset and then analyze how it is used. What if the rope holding the tire swing was frayed? Would that alter your opinion of the nature of the risk? What if we implement a control here and position a group of people holding a rescue trampoline under the person on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk once again?

When conducting a risk assessment, an organization needs to evaluate a wide range of factors with varying degrees of influence on the level of risk. You need all types of information about the data you’re trying to protect. Who has access to the data? What type of information was breached? How does it impact the consumer?

To learn more about how to use a risk assessment to report consumer risk, follow @BenjaminWright on Twitter. For more information about planning, conducting, and using a risk assessment, contact us today!

The many different laws that require an organization to give notice if it’s had a data security breach are complex – they don’t all say the same thing. A common topic in these laws is whether the ultimate consumer suffers some significant risk of harm. So, the consumer would be the holder of a credit card or the person whose Social Security number had been compromised. If an organization sees that it may have an incident that might be a security breach, oftentimes the organization is wise to conduct a risk assessment.

A risk assessment evaluates exactly what happened and what the risk of harm is – whether it’s a significant risk or a low risk – relative to the final consumer. Significant risk of harm is a subjective idea and, therefore, if the organization is conducting a risk assessment, it has to evaluate a wide range of factors that might be rather subjective. For example, what’s the possibility that the patient would actually suffer some kind of embarrassment or suffer some kind of identity theft if her medical record was compromised?

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Who is Benjamin Wright?

Benjamin Wright is an attorney from Dallas, TX. He is also an instructor for the SANS Institute, where he teaches a five-day course called the “Law of Data Security and Investigations.” In this video series, KirkpatrickPrice partnered with Wright to create introductory educational materials on a variety of topics related to information security and digital investigations.

While this video series provides a general overview of such topics, Wright’s course at the SANS Institute goes into much greater detail and allows you to dig into cases and laws about information security and digital investigations. Security, legal, and investigative professionals can expect to learn how to manage the risks and the expectations that apply in law and ethics around information security and digital investigations. For more information about the course, pricing, and how to register, visit here.

For more insights on data security, follow Benjamin Wright on Twitter @BenjaminWright or contact us today.

My name is Ben Wright. I am an attorney in Dallas, Texas, and I’m also an instructor at the SANS Institute. At the SANS Institute, I teach a five-day course called the Law of Data Security and Investigations. KirkpatrickPrice has invited me to put together a series of videos that you have access to here. The videos will provide introductory information on a number of topics related to information security and digital investigations.

In my course at the SANS Institute, we drill a lot deeper into these topics and look at cases and laws. We train security, legal, and investigative professionals on how to manage the risks and the expectations that apply in law and ethics around information security and digital investigations.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Cyber insurance is a hot topic in the law of data security. Many insurance companies have started issuing policies for cyber incidents and cyber breaches – but what should be covered under a cyber insurance policy? Since there is no standard policy for cyber insurance, you are likely to find vastly different policies from a number of different insurance companies. Enterprises looking to use insurance to manage information security risk should understand exactly what they’re buying, since there’s not a lot of clear guidance on what is considered a good deal and what isn’t.

Oftentimes organizations will purchase a policy and pay a premium thinking, “I’m covered!” Then an incident happens and the organization may say, “Well, I had a breach and I lost money,” or “My client sued me, so this should be covered by our insurance policy.” Unfortunately, after a breach the insurer often compares the details of the policy to what exactly happened in the security incident and informs the organization that it isn’t covered under the policy.

There are currently several pending lawsuits in the United States over precisely whether a cyber insurance policy covers a particular kind of incident. Without any prior precedent, it’s unclear how these lawsuits will play out. In upcoming years, we can anticipate seeing many more of these disputes over cyber insurance policies.

Purchasing cyber insurance is very different from purchasing traditional insurance, like property insurance. Since property insurance has been around for well over a century, there is a lot of standardization around what is and isn’t included in a policy. Lots of organizations recognize the need for insurance, but when purchasing cyber insurance, know that the devil is in the details and be sure you’re buying the kind of policy you expect to get.

For more tips on cyber insurance, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you with your compliance objectives, contact us today!

Video Transcription

Cyber Insurance – What is It and What is Covered Under a Cyber Insurance Policy?

A hot topic in the law of data security is cyber insurance. Many insurance companies have recently started to issue policies that are specific to cyber incidents and cyber breaches. This field is very unsettled – such that there’s no standard form for cyber insurance. There’s no standard way to state what’s covered under a cyber insurance policy. Therefore, there’s a lot to be learned by enterprises who might be interested in purchasing cyber insurance. You could consult a number of different insurance companies and find very diverse policies that are all called “cyber insurance policies,” but if you actually read the details of these policies, you can see that they cover many things. Therefore, from the point of view of an enterprise that is seeking to use insurance to manage its risk in the information security field, the organization is left without a lot of clear guidance on exactly what’s a good deal and what’s not a good deal.

One of the reasons that this is so confusing is that an organization will buy a policy, will pay a premium, and will think “I’m covered.” Then an incident happens and the organization says, “Well I had a breach and I lost money” or “My consumers sued me because I had a breach and I had to pay the consumer, so I need to be covered by this insurance policy,” but what can happen is after the breach has occurred, the insurer reads the details of the policy and compares it to what exactly happened and the insurer decides, “That’s not covered under the policy so you’re not going to get covered or get any kind of compensation.” Obviously, that’s very disconcerting from the point of view of the enterprise that purchased the cyber insurance policy.

As evidence of how much confusion is in this field, currently there are several lawsuits pending around the United States over the question of precisely whether a cyber insurance policy covers a particular kind of incident. What we see here is an emerging field of law where we don’t know what the outcome is going to be. We don’t know what will come of these lawsuits, and I anticipate that we’ll see a number of other lawsuits around this topic in the forthcoming years.

Thus, the purchase of cyber insurance is very different from purchasing traditional commercial insurance, like property insurance. Property insurance has been around for well over a century and there’s been a lot of standardization around property insurance, so that when an enterprise buys property insurance, they have a pretty good idea of what’s going to be covered – a fire, a flood, and so on. But in the cyber insurance world, we’re still in the Wild West.

Organizations still have strong needs to buy some insurance, but understanding exactly what you’re buying can be one of those matters where the details are the devil. You need to drill down to those details and possibly get very good advice from legal counsel or some kind of other advisor so that you make sure you’re buying the kind of policy that you actually expect to get.


Why is Data Security & Privacy Important?

It is considered best practice, and often required, for organizations to develop, document, and implement an information security policy. An information security policy acts as an agreement with employees with respect to data security and privacy best practices. This set of policies is often seen in the form of a binding employee handbook or contract; it should be updated on an annual basis, disseminated to all employees, and require acknowledgement by all employees of its contents and of their responsibilities for securing information and technologies at your organization.

These policies should not only be approved by the highest level of management, but should be acknowledged and known by all. According to Benjamin Wright, some examples of data security and privacy best practices that should be included in your information security policy are as follows:

  • Acceptable use of employer-owned devices/technologies – All employees should recognize and understand that they are not entitled to any privacy with respect to any communication or data exchanged through any equipment owned by the employer. This includes things like laptop computers, desktop computers, email servers, etc.
  • BYOD policies – With the number of technological devices that individuals use today, many organizations allow employees to bring their own devices, and sometimes to use their personal devices to access the organization’s network. There should be clearly defined policies that outline the dos and don’ts of bringing your own device in order to mitigate the associated risks.
  • Acceptable use policies – Acceptable use policies are a set of rules applied by the employer that restrict the ways in which a network or system may be used, and define how it should be used. This prevents employees from abusing things such as internet access during working hours or engaging in discriminatory communications.

For additional tips on data security and privacy best practices, follow @BenjaminWright on Twitter or contact us today!

Video Transcription

Data Security & Best Practices for Your Employees

An employer is wise to have some kind of appropriate contract or agreement with employees with respect to data security and privacy kinds of issues. This policy might be in the form of a binding employee handbook, it could be in a contract that’s signed by the employee, it could be in other kinds of policies that employees are told are binding within the workplace. From the point of view of data security and privacy, a good employee handbook often will notify employees that the employee is not entitled to any privacy and should not expect privacy with respect to any communication or data that the employee exchanges through equipment that is owned by the employer. Thus, it notifies the employee that if he/she is using a desktop computer that is owned by the employer, then the employer has the right to monitor the emails, other kinds of communications, and documents that are sent through or stored on that desktop computer.

A related kind of idea is “bring your own device,” where the employee might have his/her own smartphone or tablet that he/she uses for work purposes. From the point of view of the employer, the employer wants to ensure that there are appropriate procedures and rules for the employer to be able to gain access to this device and the services connected to this device, if the employee is actually using this for business. There could be a document stored on a tablet, a spreadsheet for example, that’s actually owned by the employer. The employer wants to make sure that they can get access to that spreadsheet if the employee ceases to cooperate or no longer works for the employer.

A related topic is acceptable use. An employee handbook will often, wisely, ensure that there is a clear set of binding guidelines that say, “When you are using company equipment, or when you’re using your own device, within the workplace or for purposes of work, you will perform only in an acceptable way.” Examples of unacceptable use would be discriminatory types of communications, pornography, pictures or communications that would make other employees within the organization feel uncomfortable. The organization wants to be clear that this is not allowed in the workplace, because it could be evidence of a hostile work environment.