With the publication of proposed fines by the UK’s Information Commissioner’s Office (ICO) in the news, it’s time for every organization that holds personal data on consumers or employees to take stock of its protection programs. Given the substantial increase in fines permissible under the General Data Protection Regulation (GDPR), breaches can be very expensive indeed.
Make no mistake about it – there is no 100% safe solution that can guarantee a breach won’t happen, and anyone who says they have the answer is, unfortunately, lying to you.
In both automated and manual processing, there’s always risk. A hacker can exploit a previously unknown flaw in the software you use and bypass your security. A fast-talking criminal can trick an employee into divulging confidential information. A business partner or vendor can have a problem not of your making but involving your data, putting your organization at risk of legal and reputational damage.
So, if perfect security is impossible, should we abandon all hope? Of course not. But we do need to put our egos aside and ask this question: Are we doing the right things to protect the data entrusted to us?
Given the magnitude of penalties (financial, reputational, etc.) involved, our experience is that this matter must be taken extremely seriously at the board of directors and C-suite levels. It cannot be delegated solely to your technology or human resources staff. And just getting a report from your technical or HR staff to the effect that “everything’s OK. Don’t worry!” is not a reasonable level of oversight or governance. What organizations need is a defensible cyber security strategy.
Defensible Cyber Security Strategy: “Stop, Look, Listen and Act.”
A defensible strategy is built on
- a meaningful understanding of the data the organization holds and the various threats to that data, and then
- proactively taking informed and effective measures to protect data and detect attacks or losses in a timely way.
By documenting its collective data protection efforts, the organization can build and have ready a defensible narrative when an incident occurs. You can think of building a defensible strategy in terms of “Stop, Look, Listen and Act.”
Famously, in 2002, Bill Gates halted all work on Microsoft operating systems development for a week to focus everyone’s attention on security. The first challenge in reviewing security over sensitive personal information is to make everyone in the organization understand that the board and senior management are serious about security. If employees perceive it to be just another fire drill, they won’t provide the in-depth and thoughtful information needed to make key decisions.
The essence of the STOP step is to make it crystal clear that when it comes to security, business as usual is unacceptable. Now is the time to communicate a dedication from the top to getting security right and devote the attention and resources necessary to ensure the company’s security approach is effective and defensible.
Getting it right requires specialized knowledge and experience that often is not available within the organization. Sometimes, internal experts are hard-pressed to criticize ineffective processes that have been endorsed by their bosses. These challenges are leading many boards to opt for an independent expert to advise them. An external specialist may bring insight from dealing with hundreds or even thousands of actual breach events. But it’s also important to note that some independent experts have close ties to specific solutions – they may, for example, recommend installation of hardware or software on which they make a profit. With full disclosure, that may be acceptable because the client can then determine how much of the specialist’s recommendation is colored by the desire to sell their hardware or software. Working with a technology-agnostic adviser may be a better solution.
Getting the right answers requires asking the right questions. It’s not enough to examine standards, policies and procedures, although a review of each of those is vital. You also have to examine the audit and compliance tools that should tell you whether rules and guidelines are being carried through in real-life operations. Often we find that security measures that make sense and appear comprehensive are not followed in practice.
Experience indicates that “aspirational” standards, those an organization has adopted but not implemented, are damaging because they indicate to regulators and courts that the company knew what it should be doing but didn’t do it. One vital component of the LOOK phase is to build a data map, so you know where the sensitive personal data is located and used. In some cases, the data may be in the hands of an outside entity – such as a cloud storage or cloud processing provider – but it’s still your responsibility.
Start by understanding that when you take a deep dive into how security related to sensitive data works in your organization, you may not expect the answers you get. You may be surprised. You may be unhappy with what you hear. But integrating the advice and recommendations of independent experts with feedback from your IT, HR, internal audit, compliance and risk management (insurance) teams can provide the information you need (and have a right to expect) in making decisions regarding security gaps and how to realistically address them.
There are no magical solutions available. Assuming you find issues that require remediation (and you should expect that you will find such issues), you need to assess them; determine the resources that you can devote to improving security; develop a prioritized plan for filling the gaps and improving your documentation and processes; and get the process started! We’ve found that identifying “quick hits” that can remediate problems quickly and with limited resource expenditure represents a good initial step, demonstrating that the company is serious about getting it right.
Resources are going to be needed, and they may not have been budgeted for. Management needs to recognize that simply saying “we’ll take it into account when developing next year’s budget and see what resources we can apply to the issue” isn’t what we (and the regulators) are looking for. You need to demonstrate commitment. This may mean freeing up potentially significant resources to remediate wide-ranging weaknesses. An objective measuring tool is also necessary to track actual improvements and ensure that security plans are implemented. Finally, insurance should be a part of your overall thinking because there will always be risk.
What Regulators and Stakeholders Expect
No one, including privacy or security regulators, government investigators, auditors or insurance underwriters, expects perfection. It simply isn’t achievable. But in the event of an incident, they will expect your organization to have taken some specific actions that underpin a defensible cyber security approach:
- Performed an objective risk assessment;
- Identified the risks to your sensitive personal data;
- Prioritized your remediation plan;
- Provided reasonable resources and leadership; and
- Improved security when and where appropriate.
Additionally, there’s a growing trend for data breach laws and regulations globally to require effective notification to those whose data is compromised. Doing so potentially requires the preparation and mailing of tens or hundreds of thousands of notification packets containing notification letters, frequently asked questions, information about company-provided credit monitoring, etc. This is not an easy task, and one that requires both experience and proven capability. Given the limited time provided under the laws and regulations to perform notification, companies should consider identifying, interviewing and selecting a breach notification vendor with global capabilities before an incident occurs.
The fines recently notified by the UK ICO should be a strong motivator to revisit and review your data protection program today through a sharper lens. But remember, your reaction and response to the challenges must be well thought out and objective and result in actual improvements. Don’t ignore the problem, or accept that everything’s OK and that you have nothing to worry about. After all, that’s exactly what cybercriminals are counting on.