To prevent data breaches, notifications only scratch the surface
A recent Wall Street Journal article argued that consumers and businesses would fare better if companies that had suffered a data breach were quicker to report it. This leads us to ask: are data breach notifications the answer to lessening or preventing other data breaches?
For the answer, let's pivot to healthcare, an industry that knows a thing or two about breach notifications and the importance of safeguarding protected health information (PHI). If a healthcare organization has a data breach, HIPAA's Breach Notification Rule requires notification without unreasonable delay and no later than 60 days after the breach is discovered. Compliance with the rule may prevent a HIPAA fine and lead to a faster investigation. However, HIPAA's Breach Notification Rule does not by itself prevent data breaches.
The Wall Street Journal article did hit on a message that portends what's to come: "More and potentially worse breaches are in our future." And, "companies will be prodded toward smarter cybersecurity practices and faster reporting of data breaches."
With that in mind, what lessons can be taken from recent data breaches to help ensure a breach doesn’t happen at your company? Here are five key takeaways from a recent panel discussion featuring LockPath’s Sam Abadir, LogRhythm’s Chris Peterson and Securonix’s Igor Baikalov.
For a sneak peek of what is on the horizon, consider the New York State Department of Financial Services Cybersecurity Regulation, the first of its kind in the United States.
“We will see more laws like the NY cybersecurity law,” said Abadir. “If a law says do five things while prevention says three, you’re going to do the five.”
When there are incidents, regulations aren’t far behind. In fact, the Department of the Treasury, the Federal Reserve System, and the Federal Deposit Insurance Corporation have all proposed regulations similar to NY’s cybersecurity regulation. Embrace what’s coming.
Making the right hire or purchasing the right technology won’t help prevent data breaches as much as changing your internal processes and focusing on training employees.
“An expensive product is useless if you don’t have data governance,” said Baikalov. “You have to have processes in place. Analyzing the logs isn’t enough.”
According to Abadir, technology is great, but if you have archaic processes, you’re behind the ball all the time.
A good marching order would be to document your current processes and identify process owners and responsibilities. You'll spot areas to shore up or change completely. A better handle on internal processes sets your company up to manage the many vulnerabilities and risks that come with data breach prevention.
Just assessing your assets can be illuminating. “You should know the totality of assets. You might be missing 10 to 20 percent of the assets,” said Abadir.
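The asset gap Abadir describes is easy to measure once you have two lists: what the inventory (CMDB) says you own, and what was actually observed on the network by a scan, DHCP leases or agent check-ins. The following is an added example, not code from the panel or from any vendor mentioned on this page; the records are constructed sample data, and matching on normalized IP or hostname is an assumption that fits a typical flat inventory export.

```python
"""Reconcile an asset inventory against hosts actually observed on the network.

Reports three things a process owner needs: hosts the inventory does not know about
(the 10-20 percent gap), inventory entries that no longer answer (stale records),
and assets with no recorded owner. All data below is constructed for illustration.
"""
import ipaddress

# Constructed CMDB export: what the organisation believes it owns.
INVENTORY = [
    {"host": "WEB01.corp.example.", "ip": "10.0.1.10", "owner": "web-team"},
    {"host": "db01.corp.example", "ip": "10.0.1.20", "owner": "dba"},
    {"host": "old-jump.corp.example", "ip": "10.0.9.5", "owner": "ops"},  # decommissioned, never removed
    {"host": "lb01.corp.example", "ip": "10.0.1.2", "owner": ""},  # nobody recorded as owner
]

# Constructed discovery data: what a network scan / DHCP lease table actually saw.
DISCOVERED = [
    {"host": "web01.corp.example", "ip": "10.0.1.10"},
    {"host": "db01.corp.example", "ip": "10.0.1.20"},
    {"host": "lb01.corp.example", "ip": "10.0.1.2"},
    {"host": "", "ip": "10.0.1.77"},  # no DNS name at all: unknown device
    {"host": "dev-box-3.corp.example", "ip": "10.0.2.15"},  # shadow IT, never inventoried
]


def normalize_host(name):
    """Lower-case a hostname and drop a trailing dot; None if empty."""
    name = (name or "").strip().rstrip(".").lower()
    return name or None


def normalize_ip(addr):
    """Canonical string form of an IPv4/IPv6 address; None if empty or invalid."""
    try:
        return str(ipaddress.ip_address((addr or "").strip()))
    except ValueError:
        return None


def reconcile(inventory, discovered):
    """Compare inventory to observed hosts; a record matches on IP or on hostname."""
    inv_ips = {normalize_ip(a["ip"]) for a in inventory} - {None}
    inv_hosts = {normalize_host(a["host"]) for a in inventory} - {None}
    seen_ips = {normalize_ip(d["ip"]) for d in discovered} - {None}
    seen_hosts = {normalize_host(d["host"]) for d in discovered} - {None}

    unknown = [d for d in discovered
               if normalize_ip(d["ip"]) not in inv_ips
               and normalize_host(d["host"]) not in inv_hosts]
    stale = [a for a in inventory
             if normalize_ip(a["ip"]) not in seen_ips
             and normalize_host(a["host"]) not in seen_hosts]
    unowned = [a for a in inventory if not a.get("owner")]

    # Percentage of live hosts the inventory does not account for.
    gap_pct = round(100.0 * len(unknown) / len(discovered), 1) if discovered else 0.0
    return {"unknown": unknown, "stale": stale, "unowned": unowned, "gap_pct": gap_pct}


if __name__ == "__main__":
    report = reconcile(INVENTORY, DISCOVERED)
    print(f"inventory gap: {report['gap_pct']}% of observed hosts are not in the CMDB")
    for d in report["unknown"]:
        print("  unknown:", d["ip"], d["host"] or "(no name)")
    for a in report["stale"]:
        print("  stale:  ", a["ip"], a["host"])
    for a in report["unowned"]:
        print("  no owner:", a["ip"], a["host"])
```

Run the reconciliation from each discovery source you trust (scanner, DHCP, endpoint agent) rather than one; each source misses a different slice of the estate, and the union is the only honest picture of "the totality of assets."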
Preventing data breaches calls for change management. That’s a big challenge for any company, requiring tone at the top, a cross-functional team, and a mandate bordering on a moon shot. During your program’s early stages, look for that low-hanging fruit.
“Security teams are spread super thin,” said Peterson. “Get to a base level for critical infrastructure. Show value and expand from there.”
How many change management programs have you seen come and go without lasting change? Data breaches have serious consequences. Make change stick by sticking to proven strategies like plucking the low-hanging fruit first.
Win over management
The panelists sang from the same hymnal in their assessment that IT management struggles to communicate IT risk and cybersecurity to executive leadership.
Abadir: “Being able to message risk effectively is not a skill shared across the board.”
Peterson: “Management is enamored with the quick fix.”
Baikalov: “We need to present risk in a way that management understands.”
What has been true in the past need not hold in the future. Corporate boards are already asking management about the IT risks, vulnerabilities, and threats that could lead to data breaches, and that pressure will push company management to address the issue. If you don't raise the issue, it will find you. Be ready, and translate your IT message into the language of business.
When, not if
Like it or not, data breaches are going to happen. If you focus on regulatory compliance, change management, and process documentation, look for the low-hanging fruit, and win over management, you'll be better prepared when, not if, a data breach occurs.
After its recent data breach, Equifax has stepped up its response, including a TrustedID Premier enrollment website, an op-ed mea culpa in The Wall Street Journal, and a new free lifetime service that lets consumers lock and unlock their Equifax credit data. Many of these actions may well find their way into future regulations governing data breaches.
While data breaches are currently in the news, their impact requires a long-term view.
Abadir believes we won’t see anything real and concrete from Equifax’s data breach for a year. “We’re two years to impact, and the long-term consequences are in five or more years.” Hackers will seek to cross-check and verify data for spear phishing, as well as use the data for years to come.
The lesson here is data breaches aren’t going away. Embrace the new normal and ramp up for business in a digital world filled with promise and peril.