BreachExchange mailing list archives
Many companies still behind in safeguarding data
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Oct 2015 19:02:46 -0600
http://finance-commerce.com/2015/10/many-companies-still-behind-in-safeguarding-data/

Three of Minnesota’s biggest industries – health care, financial services and retail – are among the most vulnerable to large-scale data breaches, and security experts say too many companies aren’t doing their part to thwart increasingly sophisticated attacks.

Even as data breaches become more commonplace, many companies’ safeguards don’t measure up, cybersecurity veterans said Wednesday at the Cyber Security Summit, an annual gathering of government and private-sector security professionals.

A series of high-profile breaches in recent years exposed hundreds of millions of personal records. That includes the information leak that continues to sting Target almost two years after hackers accessed records tied to as many as 110 million shoppers. Fallout from the Minneapolis-based retailer’s breach dragged its stock price down more than 10 percent in the following months and cut its quarterly profits nearly in half.

As hackers get bolder, case studies like Target prove there’s plenty at risk for companies that aren’t prepared to handle them.

“So many organizations are missing the basics,” Barry Caplin, chief information security officer for Fairview Health Services, said at the Brooklyn Park event.

Among the biggest – and potentially costliest – oversights is not requiring third-party vendors and partners to implement tough cybersecurity protocols. Service providers that have access to companies’ records can be the gateway to attacks if they’re not aggressive in their defenses.

San Francisco-based Wells Fargo, which has a major presence in Minnesota, and others have begun to integrate provisions into their vendor contracts that require certain security measures be in place. But even with that added protection, companies won’t be safe unless their in-house standards mesh with the way business gets done.
Too often, a top-down approach to implementing security policies doesn’t factor in how employees do their jobs, Wells Fargo assistant vice president Jay Spreitzer said.

Earlier this year, California-based U.S. Healthworks suffered a high-profile data breach when a company laptop – with a trove of unencrypted patient data on it – was stolen.

Even when companies have encryption and other security requirements in place, if they’re onerous for employees, workers often find a way around them.

Weighing security processes against day-to-day operations is a necessary move, Caplin said. Generally, that means including a cross-section of employees in security discussions to make sure all sides understand both the risks and functionality of security systems. Especially in industries that deal in highly sensitive information, like patient records, bringing in-house lawyers and human resources representatives to the table is important.

“If you don’t do that, it’s a failure,” Caplin said.

But even after that, companies’ security platforms can falter if staff members across the business don’t understand how it works. Mandatory yearly trainings typically aren’t enough to ensure employees know how to gauge security risks and spot potential problems.

Instead of going through the motions, the most successful companies find ways to incentivize workers to dig deeper into their security policies and encourage them to be on high alert. The more intensive method leads to a lot of false positives, but it also bands workers together into a powerful warning system.

With ever-bolder hackers increasingly exposing companies’ vulnerabilities, Caplin said, it’s a vital approach.

“This really has been a wake-up call,” he said. “If we haven’t woken up, we really need to.”

Across sectors, the looming threat of a breach is beginning to redefine companies’ approach to data security. Though many of them still lag behind, it’s a start.
Board members and executives who have been historically reluctant to sink money into security protocols are more aware of the financial and reputational toll a data breach can take. Instead of focusing on the near-term bottom line, they’re playing the long game.

In addition, a culture of sharing has redefined the approach to data security. When Spreitzer started at Wells Fargo, he’d get less than a dozen emails per week detailing problems from other banks’ security officers. Now, he gets hundreds a day – enough that his team has had to find ways to automate their review.

The same trend is playing out in health care and other industries, where a free flow of threat information allows companies to head off potential attacks by more quickly closing loopholes.

For now, that cooperation is the most effective tool for a company looking to lower its risk profile, said Robert Booker, UnitedHealth Group’s chief information security officer.

“Collaboration and intelligence sharing and information sharing about each of our companies makes us more resilient,” he said. “I think we all recognize sharing is the only way we’re going to be able to respond as a nation to what’s going on.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)