by Doug Kreitzberg | Jul 8, 2020 | Compliance, Human Factor, Regulations
The good news: Many companies these days are using cybersecurity controls and security training for their employees. The bad news: A lot of these businesses are putting in the place the bare minimum in order to meet compliance requirements. The truth is, however, the you can be compliant but not secure. Remember the big Target breach in 2013? Hackers were able to take the debit and credit card information of millions are shoppers by accessing Target point-of-sale systems. The irony is that, just months before the attack, Target was certified PCI compliant. In the words of then-CEO Gregg Steinhafel, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Simply put: Target was compliant but not secure.
Creating a Culture
If your security awareness program is a “check the box” compliance program, you can bet your employees are going through the same motions as you are. How has that improved your security posture? It hasn’t. Instead, creating a strong security program is first and foremost about creating a culture around security. And this has to start at the top, with your executive officers and your board. If business leaders set a security-focused tone, then employees will likely follow suit.
The reason a business can be compliant and not secure is because cybersecurity isn’t a one and done deal. Compliance is a state, cybersecurity is an ongoing process that involves the entire organization — from the boardroom to the cubicle. Verizon Data Breach Investigation Report shows that the human factor is the largest factor leading to breaches today. If that’s the case, perhaps instead of checking off the boxes and before investing in that new machine learning intrusion detection gizmo, consider focusing on human learning, engagement and the behaviors that can drive a mindful security culture.
by Doug Kreitzberg | Jul 6, 2020 | Business Continuity, Cybersecurity, Data Breach
Cybersecurity tools are important for lowering the risk of a data breach. However, if those tools are put in place without considering business outcomes, it can harm organizational goals and even, in some cases, cost lives. In the healthcare industry, for example, steps taken to recover from a data breach can lead to a drop in the quality of care. However, no matter the industry, if cybersecurity tools and businesses goals are not aligned, there will almost always be negative consequences for that business.
A study published last year in the Health Services Research Journal found that after a hospital experienced a data breach there was, on average, an additional 36 deaths from heart attacks per 10,000 patients. One of the main factors that contributes to this is a delay in treatment because of new security policies following a breach. Common tools used after a breach include additional sign-in measures such as multi-factor authentication, or automatic logout after a period of inactivity. So if someone comes into a hospital with chest pain, for example, these extra security measures delay the ability for doctors and nurses to register the patient and access health records. This is especially important to consider now, given that hacks against the healthcare industry have risen since the COVID-19 pandemic began.
Of course, this isn’t to say that there shouldn’t be any additional security measures in place after a breach Instead, the point is that it is important to align cybersecurity processes with overall business goals — even when the stakes aren’t as high as saving a life. The key is to begin with your desired business outcomes and look at the cybersecurity risks that can negatively impact those goals. Then, only once you know your specific risks do you design or apply tools that limit those risks without negatively impacting the business. This requires strong governance and communication between IT and business leadership. Failure to focus on the interplay between cybersecurity and business goals both weakens the security posture and weakens business outcomes. And that’s not a prescription for a healthy strategy.
by Doug Kreitzberg | Jul 3, 2020 | Cyber Awareness, Human Factor
When it comes to cybersecurity, our minds usually jump to complicated technical protections that only your IT department understands. And while these safeguards are certainly important, the truth is hackers are increasingly focusing on social engineering attacks to get into our networks. In fact, phishing attacks are now the number one cause of successful data breaches. Employees are therefore often the first line of defense against cyber attacks. That’s why more and more cybersecurity experts are emphasizing the importance of security training for employees. Business owners need to feel confident that their employees are developing online behaviors that keep the organization secure. The problem, however, is that traditional training programs aren’t always successful in achieving these behavior changes. This is, in part, because training programs too often use “gotcha!” methods when employees make a mistake, which only discourages employees instead of motivating them. Organizations should therefore focus on programs that use positive reinforcement in security training.
One popular form of cybersecurity training is phish simulation programs, where employees are spent emails designed to look like popular phishing scams. The problem, however, is that these programs always always rely on the gotcha method. When an employee clicks on a link in a fake phishing email, typically they will see a screen telling them they got caught and are then instructed to watch an informative video. The problem is that this approach causes the employee to associate negative emotions with the training and therefore reduces the likelihood of sustained behavior change. Simply put, this type of training creates a punitive environment that discourages the individual but doesn’t create meaningful change.
Instead, one study has shown that using positive reinforcement in security training actually produces safer, longer lasting online habits. Instead of punishing bad behavior, it’s actually more effective to focus on rewarding behavior you want to see, such as reporting phish: “By focusing on helping people feel successful, the campaign produced a positive result: a 30% reduction in overall phish susceptibility, and for individuals who had already been identified as habitual “phish clickers”, a reduction from 35% susceptivity to 0%.”
The key is the associate positive behaviors with positive feelings. It’s a small thing, but the impact could help businesses save a lot of time and money down the road.
by Doug Kreitzberg | Jul 1, 2020 | GDPR, Regulations
The EU’s General Data Protection Regulation (GDPR), one of the most comprehensive privacy laws in the world, celebrated its two-year anniversary last month. The regulation establishes a range of privacy and data protection rights to EU citizens, such as widened conditions for consent and the right to request companies delete user data, and requires organizations to implement technical safeguards. Along with the regulation comes some pretty hefty fines. Google, for example, received a 50 million euro fine for failing to properly state how they use consumer data. The law also requires that the GDPR commission release a report evaluating the regulation after the first two years, then every four years going forward. In compliance with the law, the commission released their report this month, broadly finding the regulation a success, but also highlighting certain areas for improvement.
Strengths
According to the GDPR report, one of the regulation’s main successes is the increased awareness of the privacy rights among EU citizens, and that they are empowered to exercise those rights. The report found that 69% of the EU population above 16 has heard of the GPDR and 71% know about their country’s nation data protection agency. One issue however, is that this awareness has not fully translated into the use of these rights. The right to data portability, for example, which allows users to obtain and transfer their data, shows potential to “put individuals at the centre of the data economy,” but, according to the report, is still underutilized.
One other area of success is the flexibility of the regulation in its ability to apply to principles of the law to emerging technologies. This has been especially important recently, with the rise of the COVID-19 pandemic and the numerous tracing apps created. The report found that the GDPR has been successful in providing a framework that allows for innovation while ensuring that these new technologies are created with privacy in mind.
Areas of Improvement
Perhaps the biggest area of concern that the report highlights, is the uneven enforcement of the GDPR among EU states. All EU members states except Slovenia have adopted the law. However, the report notes that the law has not been applied consistently across the board. For example, the GDPR allows individual member states to set the age of consent for data processing, but this has created uncertainty for children and parents and made it more difficult for companies that conduct business across borders. The commission has recommended a creating codes of conduct to apply across all member states in order to allow for more consistency between states.
The GDPR report also found that there is some inconsistency when it comes to enforcing the regulations. Overall, the report found that the various data protection agencies were properly using their strengthened enforcement capabilities, but worried that resources have not been evenly divided among the agencies. While some countries that are seen as tech hubs require additional resources, the commission found that the overall budget allocation was too inconsistent.
Taking a step back, the GDPR report largely shows that the new regulation has had a positive impact on the views towards privacy, and has empowered individuals to take control of their information. The law, however, is still relatively new, and will continue to require tweaks to better serve consumers. Privacy regulations continue to be a work in progress, but are at least headed in the right direction.