In 2022, data protection is (or should be) a top priority for any business that collects sensitive data, whether that’s personally identifiable information (PII), financial data, intellectual property, or business information. Regulatory compliance is often the primary motivation for implementing a data protection strategy. The penalties for non-compliance with HIPAA, the GDPR, PCI DSS, the CCPA, and other data privacy regulations can damage or even destroy a small or medium business.

That is, of course, the purpose of data privacy regulations. They make the cost of non-compliance so high businesses are motivated to implement data protection best practices. However, there is another reason companies should invest in data protection: it’s great for business. 

Consumers and business decision-makers are more aware of data breach risks than ever before, and they factor a vendor’s data protection credentials into buying decisions. Data protection is a competitive advantage, and it should be a prominent aspect of your marketing and sales strategy. 

What Is Data Protection?

Data protection is the activities and technologies an organization implements to protect data from theft, unauthorized access, and improper use. Data protection is a broad term that covers a wide range of activities, but its fundamental purpose is to establish a relationship of trust between a business and its customers. Your customers need to know that they can trust you to protect their data. 

Data privacy is one of the most prominent activities covered by the umbrella term “data protection,” but there are others, including using data only for the purposes a customer has consented to and giving customers the ability to access or delete their PII. 

Implementing data protection best practices allows businesses to comply with data protection and data privacy regulations and standards. But, just as important, it reassures customers that your company is capable of keeping their data safe while using it responsibly. 

Why Is Data Protection Important?

Data protection was not a key concern in the early days of the consumer internet, and many businesses failed to follow even rudimentary data protection best practices. But, as the web and cloud services became vital to the economy, increasing quantities of sensitive data were stored and processed by businesses. Perhaps predictably, data breaches and identity theft became common. The media’s focus on massive breaches that leaked millions of sensitive records brought the consequences of poor data protection to public attention. 

In 2022, consumers and businesses have a more sophisticated understanding of data breach risks. Most are happy to use online services, even for sensitive data. But, in return for their trust, they expect businesses to prioritize data protection and implement processes, practices, and technologies that keep data safe. Companies that can’t or won’t implement and demonstrate rigorous data protection practices are at a disadvantage relative to competitors who put data protection front and center. 

How To Use Data Protection To Gain a Competitive Advantage

To leverage the competitive advantage of data protection, it’s not enough to implement secure systems and update your website with copy that boasts: “we’re secure.” Your competitors say the same, and customers cannot verify which claims are accurate. Let’s explore a four-step process businesses can follow to implement, demonstrate, and promote their data security credentials. 

Implement Data Protection Best Practices

Most importantly, your business has to implement data protection best practices that comply with relevant regulatory standards. The details depend on the industry your company operates in, the data it stores, the data protection expectations of its customers, and many other factors. 

If your business lacks the knowledge or expertise to implement data protection best practices, we recommend consulting with a third-party data protection specialist, who will identify risks and help your business to create and implement a compliance plan. 

Create Transparent Data Protection Policies

Create and publish data protection policies that non-technical employees or customers can understand. It may be tempting to use technical or legal language, but the average customer may not understand it. Instead, explain clearly and concisely:

  • Which data you intend to collect.
  • Why you are collecting it.
  • How you will use it.
  • How you will protect it.

If there are legal reasons that compel your business to use technical language in its public-facing policies, you may want to consider publishing a parallel explanation or summary in plain English. 

You may also want to explain the customers’ own obligations to protect their data. For example, cloud platforms such as Amazon have well-explained data protection policies, but they make it clear that data protection is a shared responsibility.

Demonstrate Your Data Protection Capabilities with Information Security Audits

How do your customers know you keep your data protection promises? It’s easy to say data protection is a priority, but it’s hard for customers to verify businesses are fulfilling their obligations. If you’d asked the companies behind the biggest data breaches of recent years whether they take data protection seriously, they would have said, “Of course, we do!”

The standard solution to this problem is a third-party audit. Businesses ask a neutral third party with information security and data protection expertise, like KirkpatrickPrice, to examine and report on data protection controls. Audits are carried out with reference to an accepted framework, and auditing methods are standardized. Consequently, the business and its customers can be confident that a third-party audit reflects the reality of the auditee’s data protection implementation. 

Audits can be carried out with reference to many different security standards and regulatory frameworks, including:

Compliance audits verify the business complies with a specific framework or standard, highlight control gaps and opportunities to improve data protection, and provide a report that demonstrates security and compliance capabilities to potential customers and partners. 

Make Data Protection a Foundation of Your Brand

The next step is to make sure prospective customers know your information security, data protection, and data privacy stances. In some industries, business customers will ask vendors whether they comply with standards such as SOC 2 as a matter of course—it’s part of their compliance procedure. However, as data protection becomes increasingly important to all customers, it should be mentioned alongside your business’s other value propositions in marketing and sales materials. 

Opportunities to highlight data protection and compliance audit certificates include:

  • In sales copy on your website, including case studies, blog articles, and one-pagers.
  • In sales enablement content and sales professional training. Your sales team should emphasize data protection and privacy as key benefits. 
  • On social media, in email marketing, and in content marketing efforts. 

In short, businesses should take every opportunity to highlight the link between their services and superior data protection and information security.

Partner With KirkpatrickPrice to Implement Data Protection Practices That Are Best for Your Business

KirkpatrickPrice is a licensed CPA firm specializing in information security compliance audits and related services, including penetration testing, security awareness training, and risk assessments. To learn more about data protection and compliance audits, contact our security and compliance specialists.

As we enter a new year, it’s traditional to look back at the successes and failures of the last twelve months. The information security world is no different, and as the year draws to a close, information security writers publish a flurry of articles with titles like The Top Data Breaches of 2021 and The Top 5 Scariest Data Breaches in 2021. They are sobering reading: each listicle entry represents hundreds of millions of people hurt by data breaches that expose their private details to criminals and the wider world.

However, these articles don’t mention the thousands of smaller businesses targeted by cyber-criminals. The headline-grabbing data breaches are the tip of the iceberg. While most of the corporations featured will weather the storm, smaller businesses are less able to bounce back from a catastrophic exposure of sensitive data. Over half of small companies go out of business within six months of a data breach or cyber attack.

Not every data breach is avoidable, but any business can significantly reduce the risk that a data breach will hurt its employees and customers, not to mention its reputation, bank balance, and regulatory compliance.

What Causes Data Breaches?

Data breaches occur when bad actors exploit weak security and privacy controls. In a secure system, sensitive data is only accessible to authorized and authenticated users. To build a secure system, businesses should implement controls that allow access to authorized users and deny it to everyone else.

Data breaches are more likely when essential controls are missing or improperly implemented. A weak password is an example of a poorly implemented access control. If a user with administrative privileges on a sensitive system chooses a password such as “123456,” an attacker can easily guess it and gain access.

Weak credentials are among the most common causes of data leaks, but there are many more, including:

  • Stolen credentials: shared or stolen passwords and authentication keys are a leading cause of data breaches.
  • Phishing attacks: attackers use email to trick employees into disclosing credentials or installing malware.
  • Software vulnerabilities: vulnerabilities in network-connected software allow attackers to access sensitive systems.
  • Insider threats: employees or ex-employees work with criminals or steal data for their own purposes.
  • Physical attacks: people who have direct physical access to servers and networks can bypass security controls.
  • Configuration mistakes: incorrectly configuring software or hardware may give an attacker access to sensitive data. This is a common cause of data breaches from cloud platforms, as we discussed in 10 Top Tips For Better AWS Security Today.

What Happens During a Data Breach?

There are many potential techniques an attacker might use to compromise a business’s network and exfiltrate sensitive data. But, at a high level, most data breaches follow a predictable course.

  • Target identification and surveillance: The attacker probes your network and organization for weaknesses. This stage may be automated: many attackers use bots to probe thousands of networks for specific security weaknesses. However, an attacker may manually probe and investigate a high-value target.
  • Social engineering: In addition to probing networks and software, the attacker may contact employees and managers, usually misrepresenting their purpose with a spurious pretext. Their aim may be to learn more about the organization and its systems, steal authentication credentials, or influence an insider to install malware.
  • Compromise: The attacker uses the information they have gathered to gain entry to the network. For example, they may have discovered a misconfigured database, which they now access over the internet. Once the attacker has compromised one network component, they may use that access to “island hop” to more sensitive systems.
  • Exfiltration: The data is copied from the business’s network to servers under the attacker’s control.

Once the attacker has the data, they can release it to the public, sell it to third-party data brokers, use it for identity theft, or extort the business.

How to Prevent Data Breaches

We’ve looked at some of the most widely used techniques to compromise business networks and steal data. To prevent data breaches, businesses should focus on implementing processes and controls that render those techniques ineffective.

Regularly Update Software to Apply Security Patches

Older software often contains bugs that create security vulnerabilities. The recent Apache Log4j vulnerability is a perfect example. Log4j is a logging tool for the Java programming language ecosystem. It is included in over 35,000 Java packages used by thousands of businesses.

Log4j contained a security vulnerability an attacker could exploit to execute code remotely. Remote code execution vulnerabilities are severe, and the Log4j vulnerability could allow an attacker to break into systems, steal data, and upload malware.

Once the vulnerability was discovered, developers quickly fixed it. But, to get the non-vulnerable version, users have to update any software that uses Log4j. Although the Log4j vulnerability is particularly serious, software vulnerabilities are common, and the best way to fix them is to update all business software regularly.

Encrypt Data and Store Encryption Keys Securely

Businesses should not entirely rely on their ability to keep bad actors out of their networks. It’s always possible that an attacker will find a vulnerability or an employee will make a configuration mistake. It’s best to assume that an attacker will find their way in and implement additional layers of security to deal with that contingency.

If a business ensures that all data is encrypted, an attacker who penetrates network security cannot access the original data. However, a sophisticated attacker may discover the encryption keys if they are not also stored securely. The details of secure key storage differ depending on the business’s platforms, but we discussed how to store access keys and encryption keys securely on Amazon Web Services in How to Keep AWS Access Keys and Other Secrets Safe.

Implement Least-Privilege Access Policies

Employees, contractors, and service providers should have the least access consistent with their role within an organization. They should be able to access only the data they need and have only essential privileges. For example, an employee who needs to download data to generate a report does not need write permissions to edit that data.

Implementing least-privilege access policies limits the risk of leaked or stolen access credentials. It also helps to reduce insider threats by limiting the data assets a malicious insider can access.
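To make the report-generation example concrete, the following Python script is an added illustration (not code from the original post or from KirkpatrickPrice). It expands the Action element of an IAM-style policy, including wildcards such as `s3:*` and `s3:Get*`, against a small constructed action catalogue, and reports every action a policy grants beyond what the role actually needs. The two policies, the action catalogue and the role's required-action set are all constructed for this example; a real catalogue is far larger and a real checker would also model Deny statements and Resource scoping.

```python
"""Least-privilege check for IAM-style policies (added example, constructed data)."""
import fnmatch
import json

# Constructed slice of an S3 action catalogue. A real catalogue lists hundreds
# of actions per service; this subset is enough to show wildcard expansion.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
    "s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl",
]

# Constructed policies. The first is the common "give the reporting job
# everything on the bucket" shortcut; the second grants only what the
# report job needs to read its input.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": "arn:aws:s3:::example-reports/*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-reports"}
  ]
}""")

# What the report-generation role actually needs (an assumption for this example).
REPORT_READER_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def expand_actions(statement):
    """Expand a statement's Action element (a string or a list, with IAM-style
    * and ? wildcards) into the concrete actions it matches in KNOWN_ACTIONS."""
    raw = statement.get("Action", [])
    patterns = [raw] if isinstance(raw, str) else list(raw)
    matched = set()
    for pattern in patterns:
        matched.update(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return matched


def granted_actions(policy):
    """Union of the actions granted by Allow statements. Deny statements and
    Resource scoping are deliberately not modelled in this example."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    granted = set()
    for statement in statements:
        if statement.get("Effect") == "Allow":
            granted |= expand_actions(statement)
    return granted


def excess_privileges(policy, required):
    """Actions the policy grants that the role does not need, sorted for reporting."""
    return sorted(granted_actions(policy) - set(required))


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: excess = {excess_privileges(policy, REPORT_READER_ACTIONS)}")
```

Run against the broad policy, the script lists five write and bucket-administration actions the report job never needs; against the scoped policy it lists none. The same expansion step is what makes `s3:*` dangerous in practice: it silently grows to cover every action the service adds later.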

Follow Cloud and Physical Infrastructure Configuration Best Practices

Many data breaches are the result of improperly configured software and hardware. To mention just four examples:

  • AWS S3 buckets that are accidentally configured to be publicly accessible.
  • MySQL databases deployed without password authentication.
  • Improperly assigned access permissions that allow users to access information they should not be authorized to see.
  • Inadequate firewall rules or a failure to use a firewall.
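Public buckets, password-less database accounts and world-open firewall rules can all be caught by a mechanical check. The following Python script is an added example, not part of the original article or of any KirkpatrickPrice tooling: it audits a constructed configuration snapshot (invented bucket ACLs, a MySQL account table and firewall ingress rules, in a shape that only loosely mirrors what AWS and MySQL actually expose) and returns a finding for each of the first three misconfigurations listed above, plus an IPv6 variant of the firewall case.

```python
"""Offline configuration audit for common misconfigurations (added example, constructed data)."""
import ipaddress

# Ports that are normally expected to be reachable from the internet.
PUBLIC_SERVICE_PORTS = {80, 443}
# S3 ACL grantees that make bucket contents readable by anyone.
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}

# Constructed snapshot. Field names are simplified; the values are invented.
SNAPSHOT = {
    "s3_buckets": [
        {"name": "customer-exports", "acl_grants": ["AllUsers:READ"], "block_public_access": False},
        {"name": "customer-exports-prod", "acl_grants": [], "block_public_access": True},
        # public ACL, but the account-level public access block overrides it
        {"name": "staging-logs", "acl_grants": ["AllUsers:READ"], "block_public_access": True},
    ],
    "mysql_users": [
        {"user": "root", "host": "%", "auth_string": ""},
        {"user": "app", "host": "10.0.1.%", "auth_string": "<hashed-password>"},
        {"user": "report", "host": "%", "auth_string": "<hashed-password>"},
    ],
    "ingress_rules": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 3306, "cidr": "0.0.0.0/0"},
        {"port": 3306, "cidr": "10.0.0.0/16"},
        {"port": 22, "cidr": "::/0"},
    ],
}


def public_buckets(buckets):
    """Buckets whose ACL grants public read and that have no public-access block."""
    findings = []
    for bucket in buckets:
        grantees = {grant.split(":", 1)[0] for grant in bucket.get("acl_grants", [])}
        if grantees & PUBLIC_GRANTEES and not bucket.get("block_public_access", False):
            findings.append(f"S3 bucket '{bucket['name']}' is publicly readable")
    return findings


def unauthenticated_db_users(users):
    """MySQL accounts with no password, plus password-protected ones open to any host."""
    findings = []
    for user in users:
        account = f"'{user['user']}'@'{user['host']}'"
        if not user.get("auth_string"):
            findings.append(f"MySQL account {account} has no password")
        elif user["host"] == "%":
            findings.append(f"MySQL account {account} accepts logins from any host")
    return findings


def world_open_ports(rules):
    """Ingress rules open to the whole internet (v4 or v6) on non-public ports."""
    findings = []
    for rule in rules:
        network = ipaddress.ip_network(rule["cidr"], strict=False)
        if network.prefixlen == 0 and rule["port"] not in PUBLIC_SERVICE_PORTS:
            findings.append(f"Firewall rule allows {rule['cidr']} to port {rule['port']}")
    return findings


def audit(snapshot):
    """All findings for a snapshot, in a stable order for reporting."""
    return (public_buckets(snapshot["s3_buckets"])
            + unauthenticated_db_users(snapshot["mysql_users"])
            + world_open_ports(snapshot["ingress_rules"]))


if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(finding)
```

On the constructed snapshot the audit returns five findings: one public bucket, the password-less root account, a report account reachable from any host, and two world-open rules (MySQL over IPv4 and SSH over IPv6). Buckets that are meant to be public would go on an explicit allowlist rather than being silently skipped, so that an accidental public grant on a sensitive bucket is never confused with an intentional one.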

Configuration errors have two leading causes. First, the business doesn’t invest the time and resources necessary to secure its infrastructure adequately. Second, the business lacks the knowledge and expertise to configure its infrastructure securely. Both scenarios introduce significant compliance and financial risks.

If a business does not have the knowledge or resources to secure its infrastructure or understand the risks, it should consider employing a third-party information security specialist to assess its security and suggest opportunities for improvement.

Carry Out Regular Security Risk Assessments

A security risk assessment can help your business identify and remediate potential vulnerabilities. A comprehensive risk assessment begins with a survey of your infrastructure before identifying risks, assessing their importance, and creating a risk management plan, which can be implemented to remove identified risks.

A third-party risk assessment by qualified information security auditors may help businesses significantly reduce the risk of a damaging data breach.

Conduct Security Awareness Training

Employees have privileged access to sensitive data, but they may not understand their part in keeping that data safe. Phishing attacks and other forms of social engineering deliberately target non-technical employees who may not understand the security implications of clicking a link in an email or sharing their password with someone who claims to be a manager or executive.

Security awareness training helps employees understand the threats their business faces and what they can do to limit exposure. It can be tailored to the company’s specific needs and relevant security frameworks, including HIPAA and PCI.

Prevent Data Breaches with KirkpatrickPrice

As a licensed CPA firm, KirkpatrickPrice specializes in information security audits and security assessments that can help protect your organization from being vulnerable to data breaches. Contact an information security specialist to learn more about our risk assessment services, security awareness training, and compliance audit services.

There were many missteps that led to the Capital One breach, but what’s the one thing that went as planned? From our perspective, Capital One’s incident response plan seemed to function as intended. Incident response is incredibly important following a breach – that’s why having a plan and team in place is required by so many information security frameworks. The data proves the importance of incident response plans as well. IBM’s 2019 Cost of a Data Breach report finds that organizations with an incident response team and extensive testing of their plans could save, on average, about $1.2 million on the typical data breach. In Capital One’s case, though, this incident will cost $100 to $150 million in 2019 alone. Is developing and testing an incident response plan worth millions to your organization?

Capital One’s Incident Response Plan

The Justice Department’s Complaint includes the report that was submitted to Capital One’s Responsible Disclosure program on July 17, 2019. By the end of that month, Capital One announced the breach to the public and explained what they knew, the mitigation work they’d already performed, and which customers were impacted.

From Capital One’s announcement, we can determine they took the following steps to validate and mitigate the reported findings:

  • Immediately fixing the configuration vulnerability
  • Working with the FBI to arrest the person responsible
  • Determining exactly what type of information was compromised and how many individuals in the US and Canada were impacted
  • Performing an analysis to determine if the information was shared or used for fraud
  • Notifying customers
  • Answering FAQs like: What was the vulnerability that led to this incident? When did this occur? Was the data encrypted and/or tokenized? Did this vulnerability arise because you operate on the cloud?
  • Making information about the incident available online and easily accessible

When a household name like Capital One has a major breach, it makes headlines for years. There are major legal and regulatory ramifications for Capital One to answer to, but as far as basic incident response goes, we admit that Capital One seems to have had a thoughtful, tested incident response plan. This was vital in reassuring the public that, even though their AWS configurations had a vulnerability, Capital One knew how to handle the situation.

The key to an incident response plan is testing it in tabletop exercises, employee training, and other scenarios to determine if it will actually work. When organizations go through information security audits, their auditor will have high standards for the plan and the testing of the plan. What would’ve happened if Capital One wasn’t prepared to react to this incident? Would data have been used for fraud or compromised even further?

6 Steps to Incident Response

With today’s threat landscape, it’s not a matter of if your organization will fall victim to a cyberattack or data breach, but when it will happen. We believe basic incident response plans should have six steps:

  1. Preparation – What are we doing to prevent an incident? How are we limiting the impact of an incident? Have we tested our policies and procedures?
  2. Detection & Identification – How would we identify and detect malicious activity? How do we report an incident?
  3. Containment – Have the appropriate personnel been notified? What evidence should be collected? Have we fully assessed the scope of the damage? How can we prevent further damage?
  4. Remediation – Has a complete forensic analysis been performed? Can we make changes to prevent a repeat incident?
  5. Recovery – Have we securely restored the system? Do we have continuous monitoring to ensure the problem is resolved?
  6. Lessons Learned – What gaps can we now identify? Have we regained customer confidence? Have we reviewed controls and processes to prevent future attacks?

It’s not only up to IT to develop an incident response plan – many other areas of your organization will be involved, especially C-levels and boards of directors. In Capital One’s case, the CEO responded to the public about the breach.

If your organization was breached, would your team know what to do? What would the headlines say about your incident response plan? Are you confident in your plan?

If you want to ensure that everyone at your organization knows their role in incident response, let’s talk today about how to train and test your incident response plan.

More Incident Response Resources

SOC 2 Academy: Incident Response Best Practices

Horror Stories: Timehop’s MFA Mishap

Breach Notification: Who, When, Why

It’s become quite common to see reports in the headlines about data security breaches, as different types of organizations are targeted every day. The types of information or data that are stolen as a result of a breach include social security numbers, credit card numbers, Protected Health Information (PHI), Personally Identifiable Information (PII), trade secrets, and intellectual property. The most important thing to consider when it comes to protecting against data breaches is that it’s not a matter of if, but when, so be sure to prepare for a breach with both prevention and recovery in mind. It’s also important to be aware of what state and/or federal data breach notice laws may apply to you in the event of a security incident at your organization.

There seems to be a lack of distinction between a security incident and a data breach; not every security incident constitutes a security breach. A breach has occurred when sensitive, protected, or confidential information has been accessed or stolen by someone without the proper authorization to do so. Whether it’s a lost laptop, a malicious hacker, or accidentally sending sensitive information to the wrong person, it’s important to carefully evaluate every security incident to ensure you are following all applicable data breach laws in the event of an actual breach.

KirkpatrickPrice uses the Six Steps of Incident Response to help organizations determine the severity of a security incident and how to efficiently and effectively remediate. When developing your own incident response plan, take a look at these six common stages of incident response:

1. Preparation

Always document policies and procedures for appropriate disaster recovery to ensure that recovery and remediation will happen quickly. Are you prepared to handle an incident that could happen today?

2. Detection and Identification

What kind of incident has occurred? What is the severity? Has there been loss or exposure of sensitive data? Were any laws or contracts violated? How much information was impacted by the incident?

3. Containment

Notify the right people at the right time to help reduce the damage of a security incident and isolate the infected or compromised area.

4. Remediation

Resolve the underlying issue, whether that is malicious code, a responsible person, or another threat. What security gaps need to be addressed at this time?

5. Recovery

Implement all appropriate policies and procedures to get back up and running and continue to monitor that the incident has been fully resolved.

6. Lessons Learned

Make sure you know why the incident occurred so you can ensure that the same incident will not happen again.

For more insights on data security, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you meet your compliance objectives, contact us today!

A topic in the news is Data Security Breach. We see a lot of reports about organizations notifying the public that they’ve suffered some kind of a breach of information security. So an example of Data Security Breach could be that social security information has been compromised, or maybe credit card information is no longer protected. There are many laws covering Data Security Breaches. Those laws can be state laws, federal laws, or they might be the laws of other countries. These laws are not uniform and therefore it can be quite confusing for an organization to figure out exactly which law applies when the organization thinks it may have a security breach.

Not every security incident constitutes a Data Security Breach. You may have a lost laptop computer, maybe an employee loses a smart phone, maybe an employee accidentally sends sensitive information to the wrong people. Not every one of these kinds of incidents turns out to be a Data Security Breach under the relevant laws for which you need to give notice. Therefore, when an organization sees that it has an incident, it needs to conduct an appropriate investigation and follow the rules of law in order to determine, “have I achieved the point of having a breach? If I have, then I need to give the appropriate notices under the laws that apply.”

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

Attorney Benjamin Wright helps others navigate the law of technology.

He teaches the Law of Data Security and Investigations for SANS Institute, the premier authority for training information security professionals and digital forensics experts. That 5-day bootcamp is unique in the world.

Wright is author of The Law of Electronic Commerce (Wolters Kluwer) and Business Law and Computer Security (published by SANS).

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Joseph R. Swedish, CEO of Anthem Inc., one of the largest healthcare providers in the US, announced Wednesday that, despite efforts to appropriately safeguard their information, they suffered a major cyberattack. This attack is said to have affected as many as 80 million people.

According to Anthem, this attack compromised both patient and employee information: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income information. Swedish said in a letter published on a website about their response to the incident, “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating in the investigation.” (www.AnthemFacts.com) They have since taken measures to improve their security environment by fully evaluating their systems.

HIPAA laws mandate that you properly safeguard the Personally Identifiable Information (PII) that you collect, and data breaches such as this can often result in heavy fines. There are specific guidelines in regards to protecting this information as well as reporting a breach once it has been discovered. In too many cases, businesses scramble to pick up the pieces as a result of a breach rather than already having in place a strong defense to protect the PII for which they are responsible. This is a scary time for the cyberworld, and with the discovery of this massive data breach we should be encouraged to continue to improve and strengthen our security measures as the landscape continually evolves.

If you need help assessing your current security environment or need help developing your Incident Response Plan, call us today at 800-770-2701 for a free consultation.