Why Do You Need a Security Awareness Program?

Continuous education is how organizations keep employees current with industry best practices, and teaching employees and contractors why information security and personal privacy matter should be an integral part of it. For organizations that process personally identifiable information (PII) or protected health information (PHI), a security awareness program makes sure that employees and contractors understand both the obligation and the importance of keeping that data secure. Because employees and contractors handle PII and PHI so often, they are the frontline troops defending protected information, and they must be trained on the sensitivity of the data they control and on the risks that come with it, such as being tricked into disclosing it. Today, not having a security awareness program in place is simply irresponsible.

What Should Your Security Awareness Program Include?

Instituting a culture of compliance is the first step toward an effective security awareness program. Leadership should set the tone and inspire employees to uphold security best practices; when employees see management focused on creating a secure work environment, that attitude spreads.

Beyond establishing a culture of compliance, your security awareness program should give a comprehensive overview of security best practices. For example, you might hold a monthly meeting to discuss recent breaches in the news and what your employees can learn from them. This lets leadership engage employees in conversation, ask questions about potential security threats, and walk through what employees should do if a breach occurs.

A security awareness program is as much about practicing as it is about educating. So you might review updates to your password policy with employees and then practice creating passwords that meet the new requirements (if that policy still forces periodic password changes, keep in mind that NIST SP 800-63B now advises against arbitrary expiration in favor of length requirements and screening against known-breached passwords). You might teach employees how to identify phishing attempts sent by email and then test that skill with simulated phishing campaigns; track the rate at which employees report the simulated messages, not just the click rate, since a quick report is what limits the damage of a real attack. Running mock breaches as tabletop exercises also lets the organization rehearse its policies and procedures for reporting breaches and surfaces gaps in its incident response plan.

For additional tips on how you can plan and implement a security awareness program, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you establish a security awareness program, contact us today!

Video Transcription

These days, an important program for any kind of employer to maintain is a security awareness program to help employees and contractors in the workplace understand the importance of information security and personal privacy. As organizations control and process personally identifiable information such as credit card numbers or Social Security numbers, the organization often has an obligation and a need to secure that information. The frontline troops on securing information are the employees as well as contractors who might be in the workplace. These employees and contractors need to be aware of the sensitivity of the information they control and the risks associated with this information, such as the possibility that an unauthorized person will trick the employee into disclosing personally identifiable information. The employer today is wise to have an awareness program that covers all employees and contractors that are handling this kind of sensitive information.

One kind of awareness program is the program that’s called “Securing the Human,” which is offered by the SANS Institute. The SANS Institute is an educational organization in the information security world, and it publishes a whole range of videos that employees can watch and can click on to indicate that they’ve actually watched them and understood the content of the video. The video will warn employees about clicking on strange attachments from unexpected electronic mail where the attachment might have a virus or a Trojan built into it. Employees are trained through these videos that they should be suspicious when they get a strange telephone call from someone asking for their password, for example. These are just a few examples of the many kinds of topics that need to be addressed in a security awareness program in the modern workplace.

The videos are not the only way to have a good awareness program; there are many creative things that a wise organization could implement. For example, you could have a brown bag seminar where you invite employees to come during lunch and hear your security awareness team explain the kinds of risks and threats that are most prevalent within your organization. Maybe another form of security awareness training could be to periodically send email updates to employees that notify them of different kinds of attacks and how to avoid them. In these updates, you could also remind employees that if they ever have a question, they need to contact your security team.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Using a Risk Assessment to Report Consumer Risk

Because so many different laws regulate how and when an organization must give notice of a data security breach, working out the correct plan of action for your organization, or how to report consumer risk from a breach, can be daunting. Nevertheless, the laws share one major question: does the consumer face a significant risk of harm? Consider a Social Security number: if someone’s SSN is compromised, they are at risk of true-name and account-takeover identity theft, which is a significant risk of harm. Or consider a patient whose medical records were compromised. What is the probability that the patient will suffer embarrassment or identity theft? The level of risk of harm changes with the type of record; a compromised HIV status is not the same as compromised dental records.

If an organization believes a data security breach has occurred, it should remediate the problem as soon as possible and assess and report the risk to consumers. A risk assessment is the methodology for identifying, assessing, and prioritizing organizational risk, and it lets the organization put a plan of action in place quickly and efficiently. Risk assessments serve many purposes: locating gaps in security, understanding risks, evaluating how a breach occurred, and remediating gaps and breaches.

Risk assessments also let an organization determine the level of risk to the final consumer: is it significant or low? Keep in mind that risk depends on context. We often use the example of a worn tire. Looking at the tire alone, we conclude that it is worn out and in bad shape, so the risk is significant. Picture the same tire hanging from a tire swing instead of mounted on your car, and it is no longer a significant risk. That is why you have to look at an asset and then analyze how it is used. What if the rope holding the tire swing is frayed? Does that alter your view of the risk? What if we add a control and station a group of people holding a rescue trampoline under the person on the swing? Have we reduced the risk enough? Now complicate it further: the rescue team with the trampoline is standing at the edge of a canyon. Does that change our opinion of the risk once again? The same asset, the same control, and a different setting produce a different answer, which is exactly what the assessment has to capture.

When conducting a risk assessment, an organization must weigh a wide range of factors with varying degrees of influence on the level of risk, so you need every kind of information about the data you are trying to protect. Who has access to the data? What type of information was breached, and how much of it? Was it encrypted, and were the keys exposed along with it? (Many breach notification laws treat encrypted data whose keys stayed secure differently from cleartext data.) How does the exposure impact the consumer?

To learn more about how to use a risk assessment to report consumer risk, follow @BenjaminWright on Twitter. For more information about planning, conducting, and using a risk assessment, contact us today!

Video Transcription

The many different laws that require an organization to give notice if it’s had a data security breach are complex – they don’t all say the same thing. A common topic in these laws is whether the ultimate consumer suffers some significant risk of harm. So, the consumer would be the holder of a credit card or the person whose Social Security number had been compromised. If an organization sees that it may have an incident that might be a security breach, oftentimes the organization is wise to conduct a risk assessment.

A risk assessment evaluates exactly what happened and what the risk of harm is – whether it’s a significant risk or a low risk – relative to the final consumer. Significant risk of harm is a subjective idea and, therefore, if the organization is conducting a risk assessment, it has to evaluate a wide range of factors that might be rather subjective. For example, what’s the possibility that the patient would actually suffer some kind of embarrassment or suffer some kind of identity theft if her medical record was compromised?

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Who is Benjamin Wright?

Benjamin Wright is an attorney from Dallas, TX. He is also an instructor for the SANS Institute, where he teaches a five-day course called the “Law of Data Security and Investigations.” In this video series, KirkpatrickPrice partnered with Wright to create introductory educational materials on a variety of topics related to information security and digital investigations.

While this video series provides a general overview of such topics, Wright’s course at the SANS Institute goes into much greater detail and lets you dig into cases and laws about information security and digital investigations. Security, legal, and investigative professionals learn how to manage the risks and the expectations that apply in law and ethics around information security and digital investigations. For more information about the course, pricing, and how to register, visit here.

For more insights on data security, follow Benjamin Wright on Twitter @BenjaminWright or contact us today.

Video Transcription

My name is Ben Wright. I am an attorney in Dallas, Texas, and I’m also an instructor at the SANS Institute. At the SANS Institute, I teach a five-day course called the Law of Data Security and Investigations. KirkpatrickPrice has invited me to put together a series of videos that you have access to here. The videos will provide introductory information on a number of topics related to information security and digital investigations.

In my course at the SANS Institute, we drill a lot deeper into these topics and look at cases and laws. We train security, legal, and investigative professionals on how to manage the risks and the expectations that apply in law and ethics around information security and digital investigations.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

The EU’s General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies and contracts, reviewing their data collection processes, and working out whether they are a data controller or a data processor, all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope of this data protection law extremely broad, but the fines that organizations face for non-compliance dwarf anything data protection regulators could previously impose.

GDPR Fines and Penalties

Organizations that have grown used to minor fines for data breaches or misuse of consumers’ data can no longer put the security and privacy of that data on the back burner. To achieve GDPR compliance, organizations that market to, collect, use, or store the personal data of individuals in the EU must make security and privacy a top priority or face the severe consequences of non-compliance. GDPR is an EU regulation that applies directly in every member state without national implementing legislation (the closest US analogy is a federal law, though the comparison is loose), and non-compliance can lead to administrative fines of up to €20 million or 4% of annual global turnover, whichever is greater.

Fines and Penalties

  • Up to €10 million or 2% of annual global turnover, whichever is greater, for infringements of controller and processor obligations such as security of processing, records of processing, and breach notification (Article 83(4)).
  • Up to €20 million or 4% of annual global turnover, whichever is greater, for infringements of the basic processing principles, data subjects’ rights, or the rules on international transfers (Article 83(5)).
  • The ceiling is not the default. Article 83(2) directs supervisory authorities to weigh the nature, gravity, and duration of the infringement, whether it was intentional or negligent, the mitigation taken, the degree of cooperation, and the categories of data affected when setting the actual amount.

For example, Hilton, one of the largest hotel and resort chains in the world, was fined a mere $700,000 for a data breach that exposed the information of 350,000 cardholders. That is a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under GDPR’s harshest tier, or $1,200 per person affected. For data controllers like Hilton, as well as data processors, understanding the consequences of GDPR non-compliance is crucial. A $700,000 fine presumably did not impact Hilton much; a $420 million fine would have had far more severe implications.

Want to learn what fines and penalties will be enforced for GDPR non-compliance? Need to know what to do if your organization violates multiple GDPR provisions? Ready to learn what your organization can do to reduce the maximum fines?

Cyber insurance is a hot topic in the law of data security. Many insurance companies have started issuing policies for cyber incidents and breaches, but what should such a policy cover? Because there is no standard form for cyber insurance, you are likely to find vastly different policies from different insurers. Enterprises looking to use insurance to manage information security risk need to understand exactly what they are buying, since there is little clear guidance on what is a good deal and what is not.

Often an organization buys a policy, pays the premium, and thinks, “I’m covered!” Then an incident happens and the organization says, “I had a breach and I lost money,” or “My client sued me, so this should be covered by our insurance policy.” Unfortunately, what often follows is the insurer comparing the policy language to exactly what happened in the incident and informing the organization that the loss is not covered.

Several lawsuits are pending in the United States over precisely whether a cyber insurance policy covers a particular kind of incident. Without established precedent, it is unclear how they will be decided, and we can expect many more such disputes in the coming years.

Purchasing cyber insurance is very different from purchasing traditional insurance such as property insurance. Property insurance has been around for well over a century, so there is a lot of standardization around what a policy does and does not include. Most organizations recognize the need for insurance, but when buying cyber coverage, know that the devil is in the details: read the exclusions (war and state-sponsored attacks are commonly excluded), check any sub-limits on social engineering and fraudulent-instruction losses, and confirm whether the policy requires you to maintain specific security controls, such as multi-factor authentication, as a condition of coverage. Be sure you are buying the policy you expect to get.

For more tips on cyber insurance, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you with your compliance objectives, contact us today!

Video Transcription

Cyber Insurance – What is It and What is Covered Under a Cyber Insurance Policy?

A hot topic in the law of data security is cyber insurance. Many insurance companies have recently started to issue policies that are specific to cyber incidents and cyber breaches. This field is very unsettled – such that there’s no standard form for cyber insurance. There’s no standard way to state what’s covered under a cyber insurance policy. Therefore, there’s a lot to be learned by enterprises who might be interested in purchasing cyber insurance. You could consult a number of different insurance companies and find very diverse policies that are all called “cyber insurance policies,” but if you actually read the details of these policies, you can see that they cover many things. Therefore, from the point of view of an enterprise that is seeking to use insurance to manage its risk in the information security field, the organization is left without a lot of clear guidance on exactly what’s a good deal and what’s not a good deal.

One of the reasons that this is so confusing is that an organization will buy a policy, will pay a premium, and will think “I’m covered.” Then an incident happens and the organization says, “Well I had a breach and I lost money” or “My consumers sued me because I had a breach and I had to pay the consumer, so I need to be covered by this insurance policy,” but what can happen is after the breach has occurred, the insurer reads the details of the policy and compares it to what exactly happened and the insurer decides, “That’s not covered under the policy so you’re not going to get covered or get any kind of compensation.” Obviously, that’s very disconcerting from the point of view of the enterprise that purchased the cyber insurance policy.

As evidence of how much confusion is in this field, currently there are several lawsuits pending around the United States over the question of precisely whether a cyber insurance policy covers a particular kind of incident. What we see here is an emerging field of law where we don’t know what the outcome is going to be. We don’t know what will come of these lawsuits, and I anticipate that we’ll see a number of other lawsuits around this topic in the forthcoming years.

Thus, the purchase of cyber insurance is very different than purchasing traditional commercial insurance, like property insurance. Property insurance has been around for well over a century and there’s been a lot of standardization around property insurance so that when an enterprise buys property insurance, they have a pretty good idea of what’s going to be covered – a fire, a flood, and so on. But in the cyber insurance world, we’re still in the Wild West.

Organizations still have strong needs to buy some insurance, but understanding exactly what you’re buying can be one of those matters where the details are the devil. You need to drill down to those details and possibly get very good advice from legal counsel or some kind of other advisor so that you make sure you’re buying the kind of policy that you actually expect to get.