Getting the Most Out of Your Information Security and Cybersecurity Programs in 2019

As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.

The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?

Root Causes of Data Breaches and Security Incidents

Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.

  • Organized criminal groups aren’t stopping; they’re only getting more sophisticated. They’re using tried and true techniques that continue to work on victims. There’s obviously financial motivation, but a malicious attacker could also be motivated by a political agenda, social cause, convenience, or just for fun.  
  • Employees will continue to be your weakest link. Verizon’s 2018 Data Breach Investigations Report states that one in five breaches occurs because of human error.
  • As if human error wasn’t bad enough, malicious insiders are even worse. 28% of cyberattacks in 2018 involved insiders.
  • Technology is a blessing and curse. Systems glitch and cause major data breaches and security incidents.
  • It’s almost impossible to run a business without involving third parties. Inevitably, third parties cause data breaches and security incidents, and your organization must deal with the consequences.  
  • Timing is everything when it comes to data breaches and security incidents, and hackers are usually quicker than your team. Ponemon’s 2018 Cost of a Data Breach Study reports that the average time to identify a data breach was 197 days in 2018. To actually contain the breach? 69 days.

These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?

Cost of a Data Breach

There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.

Organizations are usually surprised that the following elements drive up the cost of a data breach:

  • Loss of customers
  • Size of the breach
  • Time it takes to identify and contain a data breach
  • Effective incident response team
  • Legal fees and fines
  • Public relations fees
  • Information security and cybersecurity program updates

Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, new equipment, and the actual ransom cost added up quickly. It’s now speculated that this ransomware attack cost $17 million.

As the cost of a data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?

Your Plan for 2019

Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:

  • When was the last time you performed a formal risk assessment? Risk assessments can provide you with what we call the three C’s: confidence, clear direction, and cost savings.
  • If your weakest link is employees, how will you hold them accountable to their security awareness training?
  • Ponemon reports that when an organization has an incident response team, they save $14 per compromised record. Has your incident response plan been tested recently?
  • What security automation tools would be a valuable investment for your organization? According to Ponemon, security automation is a way to decrease the cost of a data breach because you’re able to identify and contain the attack faster.
  • Ask your auditing firm to educate you on what new cybersecurity testing exists and which relevant requirements will be changing in 2019.

No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.

More Data Breach and Incident Response Resources

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

[24]7.ai Cyber Incident: How Your Vendors Can Impact Your Security

Rebuilding Trust After a Data Breach

Horror Stories: Million Dollar Malware Losses

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

Data Privacy and Security in the US

According to Pew Research Center, 64% of American adults have experienced data theft. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. With every new headline of a data breach, it seems like consumers are losing more control over what personal information is publicly available.

At the same time, it’s nearly impossible to go through an ordinary day without sharing personal information. There are businesses out there that know where you live, how fast you drive, how many hours of sleep you got last night, if you’re on-budget for the month, what type of music you listen to, how many times you’ve tweeted this month, if you’re meeting your fitness goals, and how many children you have – just to name a few categories. With the complexity and sophistication of the current threat landscape, regulators, lawmakers, and consumers must be more alert than ever. In 2018, numerous states have added or updated data privacy and breach notification laws, including:

  • The Alabama Breach Notification Act of 2018 went into effect on June 1, 2018 to heighten consumer protections.
  • Arizona amended its breach notification law, HB 2145, to expand the definition of personal information and refine notification timelines.
  • Colorado enhanced consumer protections through amendments to HB 1128, which went into effect on September 1, 2018.
  • Ohio passed The Data Protection Act, a scalable bill that focuses on businesses’ cybersecurity programs.
  • Iowa passed HF 2354 to regulate the protection of student information when used on an online service or application.
  • Louisiana amended Act No. 382 to create a more comprehensive data privacy and breach notification law.
  • Nebraska passed LB 757, a bill requiring “reasonable security procedures and practices” to provide consumer protection.
  • Oregon amended SB 1551 to extend the scope of its breach notification rules; the amendment went into effect on June 2, 2018.
  • The South Carolina Insurance Data Security Act, which goes into effect on January 1, 2019, emphasizes the need for cybersecurity programs and incident response plans in the insurance industry.
  • South Dakota enacted its first breach notification law in SB No. 62, effective on July 1, 2018.
  • Vermont passed 764, which will regulate data brokers’ information security program and data privacy practices.
  • Virginia extended its breach notification law, HB 183, to include tax information.

The California Consumer Privacy Act of 2018 has stood out among state laws, though. Let’s discuss what this law is and why it is being perceived as the US equivalent of GDPR.

Introducing the California Consumer Privacy Act of 2018

In June, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). Despite opposition from industry leaders like Google, Verizon, Comcast, and AT&T, approximately 629,000 Californians petitioned to get the law on the ballot, and now, Californians have been granted the most comprehensive consumer privacy rights in the country. This is evidence that consumers want ownership, control, and security over their personal data.

The purpose of CCPA is to give consumers more rights related to their personal data, while also holding businesses accountable for respecting consumers’ privacy. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers, which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information.

For-profit businesses that do business in California and that fall under any of the following categories must comply with the CCPA:

(A) Have annual gross revenues of over $25,000,000,

(B) Buy, sell, or share the personal information of 50,000+ consumers per year

(C) Derive 50% or more of their annual revenues from selling consumers’ personal information

Has the GDPR Made Its Way to the US?

The European Union’s legislation, the General Data Protection Regulation (GDPR), has been a top regulatory focus of 2018, even among US companies. The first globally relevant data privacy regulation of its kind, GDPR is considered to be one of the most significant information security and privacy laws of our time. GDPR applies to any entity collecting, using, or processing personal data of any data subject in the EU, which means that the applicability of the law follows the data, wherever in the world that data resides.

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

We do see some similarities between GDPR and CCPA, especially in their purpose and definitions. Both GDPR and CCPA are heavily focused on consumers’ desire for privacy and control over their personal information. After reviewing both laws, you’ll find regulators designed both to give consumers more rights and hold businesses accountable for respecting consumers’ privacy. You’ll also notice that the two laws’ definitions for the terms “processing” and “personal information” closely align.

Many of the best practices that organizations are using to comply with GDPR will be effective when beginning to comply with CCPA. Data mapping, documentation review, contract management – these activities will assist organizations in their compliance journeys. Additionally, CCPA may become a model for other state privacy laws or even a federal privacy law, so compliance with CCPA may give organizations an advantage for compliance with other state or federal privacy laws.

If GDPR or CCPA applies to your business, we encourage you to begin your preparation by following the data, starting the paper chase, performing thorough internal documentation review, and identifying which security standards are appropriate for your organization. Contact us today for more information on how to comply with state laws or GDPR.

More Resources

The Cost of GDPR Non-Compliance: Fines and Penalties

10 Key GDPR Terms You Need to Know

What NY CRR 500 Means for Vendor Compliance Management

What is Cybersecurity?

Horror Stories: Facebook Fallout

In late September, Facebook gave a new security update, outlining a breach that has impacted 50 million users – Facebook’s largest breach ever. The social network has been under intense scrutiny this year after the Cambridge Analytica scandal and has been redirecting their security team since the departure of their chief security officer, Alex Stamos. With the midterm elections coming up, this massive breach couldn’t have come at a worse time for Facebook. Users, regulators, lawmakers, and competitors are watching to see how Facebook improves the way it handles the private data of its users and how the social network giant handles this latest breach. Many believe it is time for the government to step in, and others are focusing on the GDPR implications of this breach.

Facebook’s Largest Breach: What Happened?

Even this early on in the investigation, Facebook knows that the attack stemmed from the “View As” feature, which impacted access tokens. Specifically, hackers exploited a combination of three bugs: one in a post composer for birthday posts, one in a new version of a video uploader, and one when using the “View As” feature in conjunction with the video uploader. In their security update, Facebook reported, “When using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user. The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”

To quickly fix the vulnerability, Facebook reset the access tokens of the 50 million impacted accounts, plus reset another 40 million accounts as a precautionary measure. As a result, users had to log back into their accounts, and then saw a notification in their News Feed explaining the security incident. Facebook also switched off the “View As” feature during their security review. As the investigation continues, Facebook must provide transparency about three elements of this breach: whether accounts or data were misused, who the attackers were, and whether third parties were impacted.

Facebook needs to clearly announce whether accounts were misused or if any private information was accessed during this breach. All we know so far is that the attackers retrieved basic profile information like name, gender, or hometown. Guy Rosen, vice president of product management at Facebook, explained in a press call, “…We don’t know exactly how – which and how – what information we will find has been used. What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts and we’ll update as we learn more…what we also can confirm is that no credit card information has been taken. We do not display credit card information, even to account holders.”

The public also wants to know who these hackers are and who they’re supported by. Guy Rosen explained in a press call, “Given this investigation’s still early, we haven’t yet been able to determine if there’s specific targeting. It does seem broad and we don’t yet know who is behind these attacks or where there’s base – or where they might be based…The investigation is early, and it’s hard to determine exactly who was behind this, and we may never know. This is a complex interaction of multiple bugs that happened together. It did – it did need a certain level in order for the attacker to run this attack in a way that not only gets access tokens, but then pivots on those access tokens and continues to further – get further access tokens using this mechanism.”

Facebook must also investigate if any third-party services that use its single sign-on function were impacted by this breach. So far, Facebook hasn’t found evidence of third parties becoming compromised. Thousands of companies use this identity provider function, like Spotify, Instagram, Airbnb, Pinterest, GoFundMe, Headspace, and others. Guy Rosen stated that WhatsApp users are not impacted by this breach, but Tinder has called on Facebook for transparency and full disclosure during their investigation to better support third parties in their own investigations.

Midterm Elections, GDPR Implications, and Facebook’s Reputation

There seem to be two conversations surrounding Facebook’s latest breach: how this attack reflects Facebook’s preparation for the midterm elections and how this attack needs to be handled in terms of GDPR.

With the midterm elections coming up and the Cambridge Analytica scandal in the rearview, users, regulators, lawmakers, and competitors are watching to see how Facebook is protecting itself from election interference. In fact, two weeks before this breach, Mark Zuckerberg posted Preparing for Elections, a blog post addressing exactly that – Facebook’s defense against election interference. It calls for enforcement over fake accounts, the spreading of misinformation, and advertising transparency and verification. It also speaks of coordination with governments and industries across the globe. Zuckerberg wrote, “While we’ve made steady progress, we face sophisticated, well-funded adversaries. They won’t give up, and they will keep evolving. We need to constantly improve and stay one step ahead. This will take continued, heavy investment in security on our part, as well as close cooperation with governments, the tech industry, and security experts since no one institution can solve this on their own.”

In the wake of this latest breach, is Facebook’s defense plan enough?

With GDPR in mind, Facebook notified the FBI and the Irish Data Protection Commission of this breach. Many suspect that if not for the GDPR’s breach reporting requirements, Facebook wouldn’t have notified the public about this breach until there were more details about the scope of who was impacted and where the attack came from. From the Irish Data Protection Commission’s tweets, we can gather that they are not satisfied with the level of detail provided in Facebook’s breach report. Organizations worldwide need to recognize how strict GDPR’s breach reporting requirements are and what penalties they could face.

During a press call, the New York Times asked Zuckerberg, “I’m just thinking back to your testimony in congress and one of the main points you made was if Facebook’s here to serve its users and if you can’t be responsible with user data then you don’t deserve to serve users. And I guess I’m just wondering if you still think you all are able to do that because it just — it seems like a pretty — another pretty big breach of user trust?” This is the exact question so many are wondering. If Facebook takes a hit from any more breaches or incidents, how will users, regulators, lawmakers, and competitors react?

More Resources

Facebook’s Morning Press Call Transcript

Facebook’s Afternoon Press Call Transcript

Twitter’s Election Integrity Update

7 Deadly Breaches of 2018 (So Far)

7 Deadly Breaches of 2018 (So Far)

With the complexity of the current threat landscape, organizations must be more alert than ever to potential data breaches. Who will be next? What happened? What will the fine be? While we’re only midway through 2018, we’ve seen headline after headline from organizations who have come forward to notify their customers of breaches. Let’s take a look at some of the top data breaches of 2018 to learn what went wrong and how you can prevent a costly data breach from occurring at your organization.

Under Armour

The data breaches of 2018 began with a household name. In March, Under Armour announced that it had become aware of a February data breach of its subsidiary fitness and nutrition app, MyFitnessPal. 150 million users’ data was acquired by an unauthorized party, including usernames, email addresses, and hashed passwords. Fortunately, cardholder data was not compromised because that data is collected, processed, and protected separately.

What can we learn from this? Under Armour and MyFitnessPal’s incident response was timely and factual. Four days after discovering the data breach, MyFitnessPal notified their users and gave specific instructions of what to do next: change your password and look for suspicious activity on your account. What is your organization’s incident response plan?

SunTrust

While many data breaches of 2018 were due to malicious hackers, approximately 1.5 million SunTrust customers’ data was stolen by an ex-employee with the intent to share the records with a criminal third party. The compromised records included names, addresses, phone numbers, and account balances, but no PII like user IDs, Social Security numbers, account numbers, PINs, or driver’s license information.

What can we learn from this? Malicious insider threats need to be taken just as seriously as third-party threats. Establishing, implementing, reviewing, and updating policies that determine who has access to your organization’s sensitive data is critical. The more employees who have access, the more risk there is. Are you operating on a policy of least privilege? How are you updating access to PII if an employee resigns, is terminated, or is promoted?

MyHeritage

Family networking and genealogy provider MyHeritage recently announced a data breach spanning from October 2017 to June 2018. A security researcher discovered a file containing email addresses and hashed passwords on a private server, impacting 92 million users, with no evidence that the information was ever used. MyHeritage reported that no other sensitive information was compromised because users’ cardholder information is not stored on MyHeritage systems and other types of sensitive data (like family trees and DNA data) are stored by MyHeritage on separate systems with added layers of security.

What can we learn from this? While no cardholder information or DNA data was compromised, the breach at MyHeritage underscores the need for organizations (and users) to utilize some type of multi-factor authentication.

Exactis

In late June, a security researcher discovered that Exactis, a Florida-based marketing and data aggregation firm, left its database exposed on a publicly accessible server, leaving the data of nearly 340 million individual records visible. Aside from including basic contact and public information, the data also includes more than 400 variables on a range of specific characteristics: what religion a person belongs to, whether or not they smoke, what hobbies they’re involved with, etc. The company has yet to make a public statement about the breach but secured its database upon notification of the breach.

What can we learn from this? With GDPR compliance on the rise, the Exactis breach highlights the need for marketing firms to think about their data handling practices. This data breach also prompts digital consumers to consider their data rights and what type of personal characteristics they want in the public. Phone numbers, home addresses, email addresses, interests and habits, the number, age, and gender of your children – it’s all out there.

Ticketmaster

In June, Ticketmaster UK discovered that its customer support chatbot software from Inbenta was hacked. We’ve now discovered that this breach exposed a much greater one: a massive credit card skimming campaign by the threat group Magecart. Magecart’s pattern seems to be to target third-party software companies that build code and provide it to customers for use on their websites; Magecart hackers break in and alter that code so that the change impacts every website the code runs on. It’s reported that Magecart has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect Magecart’s campaign to be recognized as one of the most damaging data breaches of 2018.

What can we learn from this? The importance of vendor compliance management cannot be overstated. In this breach, Ticketmaster’s customer support chatbot vendor was the key Magecart needed to compromise their website. You’re putting a great deal of control and responsibility into your vendors’ hands; in Ticketmaster’s case, they put part of the security of their website in Inbenta’s hands.

Panera Bread

The Panera Bread data breach that came out this year is a bit puzzling, but that’s what makes it so interesting. In August 2017, a security researcher reported a vulnerability to Panera Bread, but the claim was dismissed. Apparently, Panera Bread didn’t even take the claim seriously enough to look into it, because eight months later, the bakery-cafe announced a data breach of their website that exposed thousands of customer records. This was only after KrebsOnSecurity broke the story, talked to Panera, and got them to take their website offline and fix the vulnerability. Trust us, there was a lot of back-and-forth between Krebs and Panera Bread before the issues were resolved.

What can we learn from this? It’s clear that security alerts and monitoring procedures were not appropriately implemented in this situation. Monitoring is a critical aspect of any information security program.

Timehop

Timehop, a social media memory-sharing app, discovered a data breach where up to 21 million users were affected. The network intrusion occurred because an access credential to their cloud computing environment was compromised due to a lack of multi-factor authentication. Within 2 hours of discovering the network intrusion, Timehop responded to the event.

What can we learn from this? Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough that we’ve seen after data breaches of 2018. In their security incident report, the company goes above and beyond the norm by apologizing, providing a technical report, outlining the number of GDPR records breached, answering FAQs, defining the terms used, and providing next steps for users.

As the year goes on, stay alert to learn about more data breaches of 2018, what caused them, how to respond, and how to learn from others’ mistakes. Have questions about incident response, breach prevention, or compliance requirements? Contact us today.

Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Even more so, 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

More Resources

Turning Audit Into Enablement

Incident Response Planning: 6 Steps to Prepare your Organization

What Is an Incident Response Plan? The Collection and Evaluation of Evidence