Data breaches are happening at an alarming pace and, just as disturbing for those trying to head them off, there is no single common cause. Fortunately, adopting a best-practices approach can help your company gain a competitive advantage in protecting all the data it houses and uses: its own, its employees', and its customers'.
To give some idea of the problem and its rapid escalation, 2018’s 12,449 reported data breach incidents represent a 424% increase over the number of incidents reported in 2017. Why are these incidents escalating at such a disconcerting rate? There are many reasons.
Many companies still do not have a handle on the types of data that reside in or traverse their networks. Nor have they determined where the data comes from, assigned data custodians, or established effective data security controls based on least privilege.
Furthermore, many organizations do not have mature processes for performing due diligence on the third parties that collect, store, or process data on their behalf. The lack of effective IT controls such as database encryption, combined with weak corporate governance oversight, has left these organizations more exposed to attack.
It should come as no surprise that both the payment card and healthcare industries are highly susceptible to Advanced Persistent Threats (APTs), as these sectors are constantly targeted by attackers. For many years the payment card sector was the most susceptible to data breaches, given the high resale value of credit card numbers on the black market. Recent history has shown that healthcare providers, which are responsible for protecting the most sensitive personal data, are becoming increasingly susceptible to significant data breaches.
As attackers have come to recognize the greater intrinsic value of Electronic Protected Health Information (ePHI), the pendulum has shifted. Many covered entities and medical groups are not readily equipped to address unexpected cybersecurity events, yet they continue to place greater reliance on systems that process ePHI.
Unfortunately, the maturity of the supporting physical and technical (including cybersecurity) controls is often ad hoc or non-existent. This is a concern because unrestricted access to systems that process ePHI can open the door to ransomware attacks, and the consequences for patients can be dire when critical diagnostic information is held for ransom.
Fines imposed under the European Union's GDPR, or by other regulators such as the U.S. Department of Health and Human Services Office for Civil Rights, might be an effective motivating factor for large companies to establish effective IT controls, especially because GDPR fines can reach up to 4% of an entity's annual global turnover. However, after weighing the monetary penalties that may follow once a breach is reported to the authorities, smaller companies may have second thoughts about reporting an incident at all. Consequently, these regulatory fines may not be a sufficient deterrent. Nevertheless, a single data breach incident during 2018 cost U.S. companies approximately $7.91 million on average. For this reason, it is worthwhile and cost effective to proactively establish IT controls that can detect and prevent a breach before it occurs.
So, what else can be done to deter threats? The frequency of successful attacks may decrease when preventive security measures and restrictive access controls are established. These measures must be supported by operational processes that are repeatable, measurable, and manageable. Combining them with periodic independent assessments by subject matter experts is a step in the right direction.
However, establishing holistic and sustainable risk management processes requires the adoption of an IT controls framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. NIST's holistic approach provides for preventive and detective controls as well as the response and recovery procedures to follow in the event of a breach. What's more, adopting the Center for Internet Security (CIS) Controls provides a prioritized set of threat prevention and detection techniques.
Once a framework has been adopted, it must be supported by strong people, processes, and technologies. If security awareness training is not instituted within an organization, employees will remain susceptible to malicious attempts (e.g., phishing emails), which can result in unauthorized access to critical systems and personal information. That personal information can include health records, Social Security numbers, and genetic data.
Proper threat deterrence requires teamwork, an understanding of the threats inherent to an organization, effective mitigating and IT governance controls, and timely incident response procedures.
Successfully combating APTs and preventing data breaches requires an understanding that threats are always present, that risks need to be evaluated on a continuous basis, and that the frequency of attacks will vary over time. Businesses that understand these concepts will have a significant competitive advantage as a result of having sustainable and recoverable IT operations.
Adam Sarote has more than 20 years of consulting experience in Audit, Information Security, Enterprise Risk Management, and Regulatory Compliance. At Cybersecurity, Risk, and Compliance, LLC (“CSRC”), Adam provides oversight of their cybersecurity, risk management, IT audit, and compliance management practices. Adam is a proven Information Technology and Cybersecurity Leader. His diversified expertise includes business…