BreachExchange mailing list archives

Many companies still behind in safeguarding data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Oct 2015 19:02:46 -0600

http://finance-commerce.com/2015/10/many-companies-still-behind-in-safeguarding-data/

Three of Minnesota’s biggest industries – health care, financial services
and retail – are among the most vulnerable to large-scale data breaches,
and security experts say too many companies aren’t doing their part to
thwart increasingly sophisticated attacks.

Even as data breaches become more commonplace, many companies’ safeguards
don’t measure up, cybersecurity veterans said Wednesday at the Cyber
Security Summit, an annual gathering of government and private-sector
security professionals.

A series of high-profile breaches in recent years exposed hundreds of
millions of personal records. That includes the information leak that
continues to sting Target almost two years after hackers accessed records
tied to as many as 110 million shoppers.

Fallout from the Minneapolis-based retailer’s breach dragged its stock
price down more than 10 percent in the following months and cut its
quarterly profits nearly in half. As hackers get bolder, case studies like
Target prove there’s plenty at risk for companies that aren’t prepared to
handle such attacks.

“So many organizations are missing the basics,” Barry Caplin, chief
information security officer for Fairview Health Services, said at the
Brooklyn Park event.

Among the biggest – and potentially costliest – oversights is not requiring
third-party vendors and partners to implement tough cybersecurity
protocols. Service providers that have access to companies’ records can be
the gateway to attacks if they’re not aggressive in their defenses.

San Francisco-based Wells Fargo, which has a major presence in Minnesota,
and others have begun to integrate provisions into their vendor contracts
that require certain security measures be in place. But even with that
added protection, companies won’t be safe unless their in-house standards
mesh with the way business gets done.

Too often, a top-down approach to implementing security policies doesn’t
factor in how employees do their jobs, Wells Fargo assistant vice president
Jay Spreitzer said.

Earlier this year, California-based U.S. Healthworks suffered a
high-profile data breach when a company laptop – with a trove of
unencrypted patient data on it – was stolen. Even when companies have
encryption and other security requirements in place, if they’re onerous for
employees, workers often find a way around them.

Weighing security processes against day-to-day operations is a necessary
move, Caplin said. Generally, that means including a cross-section of
employees in security discussions to make sure all sides understand both
the risks and functionality of security systems.

Especially in industries that deal in highly sensitive information, like
patient records, bringing in-house lawyers and human resources
representatives to the table is important.

“If you don’t do that, it’s a failure,” Caplin said.

But even after that, companies’ security platforms can falter if staff
members across the business don’t understand how they work.

Mandatory yearly trainings typically aren’t enough to ensure employees know
how to gauge security risks and spot potential problems. Instead of going
through the motions, the most successful companies find ways to incentivize
workers to dig deeper into their security policies and encourage them to be
on high alert.

The more intensive method leads to a lot of false positives, but it also
bands workers together into a powerful warning system. With ever-bolder
hackers increasingly exposing companies’ vulnerabilities, Caplin said, it’s
a vital approach.

“This really has been a wake-up call,” he said. “If we haven’t woken up, we
really need to.”

Across sectors, the looming threat of a breach is beginning to redefine
companies’ approach to data security. Though many of them still lag behind,
it’s a start.

Board members and executives who have been historically reluctant to sink
money into security protocols are more aware of the financial and
reputational toll a data breach can take. Instead of focusing on the
near-term bottom line, they’re playing the long game.

In addition, a culture of sharing has redefined the approach to data
security. When Spreitzer started at Wells Fargo, he’d get less than a dozen
emails per week detailing problems from other banks’ security officers.

Now, he gets hundreds a day – enough that his team has had to find ways to
automate their review. The same trend is playing out in health care and
other industries, where a free flow of threat information allows companies
to head off potential attacks by more quickly closing loopholes.

For now, that cooperation is the most effective tool for a company looking
to lower its risk profile, said Robert Booker, UnitedHealth Group’s chief
information security officer.

“Collaboration and intelligence sharing and information sharing about each
of our companies makes us more resilient,” he said. “I think we all
recognize sharing is the only way we’re going to be able to respond as a
nation to what’s going on.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss