Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Moreover, 64% of American adults have personally experienced some form of data theft: a compromised credit card, account number, email or social media account, Social Security number, loan, or tax return. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – worrying about data breaches, identity theft, and other privacy concerns has become habitual. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement beginning and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica scandal has become one of the largest data-misuse incidents of all time. No attacker broke in: the data was harvested through a personality-quiz app and passed to Cambridge Analytica in violation of Facebook’s platform policies. Facebook estimated that up to 87 million of its 2.2 billion users were affected. The data was used to build a software program that profiles voters and predicts and influences their choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that attackers had used credentials found in a private GitHub repository to reach an Uber data store on a third-party cloud service, stealing the records of 57 million riders and drivers (names, email addresses, and phone numbers) along with roughly 600,000 drivers’ license numbers. Uber then kept the breach secret for more than a year after paying the attackers $100,000 to delete the data.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo scandal was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million after roughly 5,300 employees opened more than 1.5 million unauthorized deposit accounts and over 500,000 unauthorized credit card accounts in the names of unsuspecting customers. The reason was incentives: employees were rewarded for opening new bank and credit card accounts, and fabricating accounts was how many of them met their sales goals.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 employees involved and restructuring the incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

More Resources

Turning Audit Into Enablement

Incident Response Planning: 6 Steps to Prepare your Organization

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, cost, and effort of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which ranges from competitive advantage to reputational improvement. When your organization has completed an information security audit and achieved compliance, the challenges you faced will have been worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding its purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off a list. We want to walk through the audit lifecycle with you, strengthening your business by keeping security and compliance ahead of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

What is a Risk Assessment? – Learn The 5 Steps to a Risk Assessment

What is the Purpose of a Risk Assessment?

Most information security frameworks require a formally documented, annual risk assessment. You will see this requirement over and over again in your pursuit of SOC 1, SOC 2, PCI DSS, HIPAA, or HITRUST CSF compliance. What is a risk assessment? What is the purpose of a risk assessment, and why is it so important to information security frameworks? A risk assessment is a methodology used to identify, assess, and prioritize organizational risk. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are. Risk assessments evaluate the likelihood and impact of those threats actually happening, and give you an opportunity to evaluate your current security controls to determine if what you’re doing will be an effective defense mechanism against a malicious attack.

One way to look at a formal risk assessment process is that it moves your organization from reactive to proactive. If you can anticipate a potential security incident and address its potential adverse impacts before it happens, chances are you will succeed and spare your business the operational and reputational loss.

In relation to a SOC 1 audit, the controls that you select to be tested and described in your SOC 1 report need to be based on your risk assessment. You must determine what risks you’re facing in the achievement of your control objectives and then implement the controls that address those risks.

5 Steps to a Risk Assessment

A risk assessment is a systematic process of evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. The risk assessment process must be a continual, monitored process to be effective. So, where do you begin? The five steps to a risk assessment include:

  1. Conduct Risk Assessment Survey – Input from management and department heads is vital to the risk assessment process. This survey is an avenue to document specific risks or threats within a department.
  2. Identify Risks – The purpose of a risk assessment is to evaluate something like an IT system and ask, what are the risks to hardware, software, data, IT personnel? What are the potential adverse events, like fire, human error, bomb threats, or flooding? What’s the potential for a loss of integrity, availability, or confidentiality in your systems?
  3. Assess Risk Importance and Risk Likelihood – What is the likelihood of a specific event having a negative impact on an asset, and how severe would that impact be? Each can be rated qualitatively (High, Medium, Low) or quantitatively (1, 2, 3); the two ratings combined give the risk’s priority.
  4. Create a Risk Management Action Plan – Based on your analysis of which assets are valuable and which threats are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid each risk.
  5. Implement a Risk Management Plan – Now that you’ve completed the first four steps to a risk assessment, you’ve developed an effective way to identify and manage risk. Now, it’s time to train your team and implement these controls.


More Risk Assessment Resources

Risk Assessment Guide and Matrix

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Information Security Management Series: Risk Assessment

CFPB Readiness Series: Making Risk Assessment Work For You

What is Risk Management?

Video Transcript

A risk assessment is an important component of an SSAE 18 (recently updated from SSAE 16) because the controls that you select to describe in your report and that the auditor will test must be based on that assessment of risk. You must determine what risks you’re facing in the achievement of your control objectives and then you must implement the controls in order to address those risks. We get these questions all the time – What is the purpose of a risk assessment? What are the steps to a risk assessment? What should go into a report? What controls should we have in place? The answer to that is: What risks are you trying to address? That’s part of our process so that we can help you identify what those risks are. Understand the concept of risk assessment and why it’s so important for the SOC 1. That really and truly is the thing that determines what goes into your report.

What is Risk Management?

Humans are constantly considering risk, even when we don’t realize it. Risk management is our response to the possibility of suffering harm or something going wrong…and things go wrong all the time! Car accidents, stolen wallets, unexpected bad weather, burnt dinners. The list could go on and on. We are programmed to manage risk. So how does risk management translate into business?

We believe that the success and operability of your organization depends on how well you manage your unique risks. Risk management is critical to your organization. Risk management is the process of identifying, assessing, mitigating, and controlling threats to an organization. These threats could stem from financial uncertainty, legal liabilities, management, accidents, or natural disasters. Because of the growing information security-related threats, companies’ risk management programs are under intense scrutiny from industry and governing bodies. Protecting digital assets like protected health information, cardholder data, personally identifiable information, intellectual property, or financial statements is a top priority.

Risk management programs consist of performing risk analyses, conducting risk assessments, documenting policies and procedures, building an internal audit program, and creating an actionable risk management plan. All of these elements create a strategy for mitigating your organization’s unique risk.

  • A risk analysis identifies the threats and analyzes the vulnerabilities of an organization. This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of what critical assets you’re trying to protect, the risks your organization is facing, and what your organization is doing to limit vulnerabilities.
  • A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. A risk assessment should include: conducting a risk assessment survey, identifying risks, assessing the importance and likelihood of risk, creating a risk management plan, and then implementing that plan.
  • Your risk management plan means nothing if it isn’t documented in your policies and procedures. We strongly believe that if something is not written down, it’s not happening. These policies and procedures should define how you mitigate identified risks, and then be effectively communicated to all employees.
  • According to the Institute of Internal Auditors, “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.” An internal audit is conducted objectively and designed to improve and mature an organization’s business practices. An internal audit program provides objective insight into an organization’s culture, policies, and procedures; improves the efficiency of operations; evaluates risk and protects assets; assesses controls; and verifies relevant regulatory compliance.

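The five-step process in the risk assessment post above and the risk analysis and risk assessment bullets here both come down to the same mechanics: characterize the asset, threat, and vulnerability; rate likelihood and impact on a Low/Medium/High (1, 2, 3) scale; credit the controls already in place to get residual risk; prioritize; and record a treatment of mitigate, transfer, accept, or avoid. The following register is an added example written for this page, not KirkpatrickPrice’s tooling or any framework’s prescribed method. The scoring (likelihood × impact), the one-level-per-control reduction, the risk appetite threshold of 3, and the sample risks are all assumptions chosen to illustrate the steps.

```python
# Added example (not KirkpatrickPrice's code): a small risk register that walks the
# steps above - characterize assets/threats/vulnerabilities, rate likelihood and impact
# on the 1-3 scale the post mentions, credit existing controls to get residual risk,
# prioritize, and check each treatment decision against a risk appetite.
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    by: int = 1         # levels removed from that rating (assumed: one level per control)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: Level
    impact: Level
    treatment: str                                  # mitigate / transfer / accept / avoid
    controls: list = field(default_factory=list)    # controls already in place

    def inherent_score(self) -> int:
        """Likelihood x impact before crediting any control (range 1..9)."""
        return int(self.likelihood) * int(self.impact)

    def residual_levels(self) -> tuple:
        """Apply each existing control to the rating it reduces; never drop below LOW."""
        like, imp = int(self.likelihood), int(self.impact)
        for c in self.controls:
            if c.reduces == "likelihood":
                like = max(1, like - c.by)
            elif c.reduces == "impact":
                imp = max(1, imp - c.by)
            else:
                raise ValueError(f"unknown rating {c.reduces!r} on control {c.name}")
        return Level(like), Level(imp)

    def residual_score(self) -> int:
        like, imp = self.residual_levels()
        return int(like) * int(imp)


# Assumed risk appetite: residual scores at or below this need no further action.
RISK_APPETITE = 3


def prioritize(register):
    """Highest residual risk first; ties broken by inherent score, then asset name."""
    return sorted(register,
                  key=lambda r: (-r.residual_score(), -r.inherent_score(), r.asset))


def validate(register, appetite=RISK_APPETITE):
    """Return treatment decisions that contradict the appetite or use an unknown treatment."""
    findings = []
    for r in register:
        score = r.residual_score()
        if r.treatment not in {"mitigate", "transfer", "accept", "avoid"}:
            findings.append(f"{r.asset}: unknown treatment {r.treatment!r}")
        elif r.treatment == "accept" and score > appetite:
            findings.append(f"{r.asset}: accepted at residual {score} > appetite {appetite}")
    return findings


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "SQL injection in legacy search endpoint",
         Level.HIGH, Level.HIGH, treatment="mitigate",
         controls=[Control("parameterized queries in new code", "likelihood"),
                   Control("database runs under a least-privilege account", "impact")]),
    Risk("offsite backup tapes", "loss or theft in transit", "tapes are not encrypted",
         Level.MEDIUM, Level.HIGH, treatment="accept"),
    Risk("HR file share", "accidental deletion by staff", "no versioning on the share",
         Level.MEDIUM, Level.LOW, treatment="accept",
         controls=[Control("nightly backups", "impact")]),
    Risk("public marketing site", "defacement", "CMS plugin not patched",
         Level.HIGH, Level.MEDIUM, treatment="mitigate"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"residual {r.residual_score()} (inherent {r.inherent_score()}) "
              f"{r.asset}: {r.treatment}")
    for f in validate(SAMPLE_REGISTER):
        print("FINDING:", f)
```

Running it lists the backup tapes and the marketing site first (residual 6), the customer database next (inherent 9, but the two existing controls bring it to residual 4), and the HR share last. The only finding is the tapes: an “accept” decision on a residual score of 6 exceeds the appetite of 3, which is exactly the kind of inconsistency an auditor will ask about when the register is produced as evidence.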
Still have questions about risk management? For more information on how we can help, contact us using the form below.

Video Transcript

Today, I’m asked to talk about risk and risk management a little bit and to provide some useful, helpful tips on risk. Many times, people’s eyes glaze over when you say “risk management” and they’re wondering why in the world we would want to talk about risk. Let me tell you: risk is your best friend because you’re doing it all the time, whether you know it or not.

Risk, by definition, is the response to possibly suffering harm or loss or something that can go wrong. Take for instance, you’re doing risk management. My example is the thing that wakes you up in the middle of the night that’s not your dog that has to go out or your significant other that really wants to talk to you, but it’s something that bothers you at work. You know that. It’s something that comes out of the back of your mind, often between the hours of one and three in the morning.

How a Risk Assessment Can Save Your Business

A risk assessment is a critical component of any organization’s security program because it creates an awareness of risk. In today’s threat landscape, specifically relating to cybersecurity, it’s more important than ever to know where your assets live, fully understand the controls in place to protect those assets, and test the effectiveness of those controls. To understand why it is important to complete a risk assessment, you first must understand how a risk assessment can save your business. Let’s take a look at what a risk assessment is, the benefits of a risk assessment, and the steps you should take to complete one.

What is a Risk Assessment?

According to NIST SP 800-30 (Guide for Conducting Risk Assessments), a highly regarded industry standard that the RA control family in NIST SP 800-53 builds on, a risk assessment is fundamental to any organizational risk management program and is a methodology used to identify, assess, and prioritize organizational risk. Most information security frameworks require a formally documented, annual risk assessment. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are.

What are Benefits of a Risk Assessment?

First and foremost, it is important to complete a risk assessment because it is mandated by most information security frameworks. By regularly performing a formal risk assessment, you get a clear picture of where your assets lie and what potential threats exist. From there, you can assess the likelihood and impact of those threats actually happening and evaluate your current security controls to determine whether what you’re doing will be an effective defense against a malicious attack. Another way a risk assessment can save your business is by making you proactive rather than reactive. If you can anticipate a potential security incident and address its potential adverse impacts, chances are you will succeed and spare your business the operational and reputational loss.

How to Perform a Risk Assessment

The purpose of a risk assessment is to identify risks, analyze vulnerabilities, and assess risk likelihood. The risk assessment process must be a continuous process for any organization. So where do you begin? The five steps to a risk assessment are as follows:

  1. Conduct Risk Assessment Survey
  2. Identify Risks
  3. Assess Risk Importance and Risk Likelihood
  4. Create a Risk Management Action Plan
  5. Implement a Risk Management Plan

For more details on how to complete a formally documented risk assessment, and to learn more about how a risk assessment can save your business, download our free Risk Assessment Guide.