BreachExchange mailing list archives

Strong data security is not optional


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Nov 2015 13:49:46 -0700

http://www.computerworld.com.au/article/588801/strong-data-security-optional/

According to the Ponemon Institute’s 10th annual Cost of Data Breach Study,
the average consolidated total cost of a data breach is now $6.53 million
for a U.S. organization, an 11% increase since last year. The study also
found that the average cost per lost or stolen record containing sensitive
and confidential information rose from $201 in 2014 to $217. These facts
alone should encourage every company to tighten its data security policies
and capabilities, but there’s more. Key legal and regulatory changes have
increased the financial risk to companies with lax data security.

Tasked with protecting consumers from unfair and deceptive business
practices, the Federal Trade Commission's Bureau of Consumer Protection
will now open an investigation when it detects risky handling of customer
data. No actual injury or breach is required. Companies found to have
substandard data security practices may face a variety of penalties. The
Securities and Exchange Commission takes a similar line: R.T. Jones Capital
Equities Management recently agreed to settle SEC charges that it had failed
to adopt the required written cybersecurity policies and procedures before
a breach exposed the personally identifiable information of roughly 100,000
people, even though no harm to clients was documented. The FTC also has the
power to investigate discrepancies between a company's published "terms of
use" or privacy policy and how its data is actually stored and shared.

Since no court has yet ruled that the FTC lacks such jurisdiction, the
bureau has stepped up its consumer privacy activity, and enforcement
actions have risen sharply. Any organization that handles consumer
information is a potential target of an investigation.

At the same time, the law is catching up with the real impact of data
breaches. A genuinely game-changing ruling in Remijas v. Neiman Marcus has
made it easier for consumers to sue companies after breaches involving
their personal data. Historically, even when sensitive information such as
credit card numbers, birth dates, government ID numbers and medical records
has been accessed, it has been hard for consumers to sue over the breach.
Companies have typically been able to defeat these lawsuits by invoking a
Supreme Court case, Clapper v. Amnesty International. That case, which
concerned surveillance of communications and national security, required a
showing of a risk of "imminent" and "concrete" injury in order to have
standing to bring suit.

In Remijas, however, the Seventh Circuit held that the substantial risk of
future fraud after a breach, and the time and money customers spend guarding
against it, are themselves injury enough to confer standing. In practice
this means that a company's failure to properly safeguard data, and the way
it responds to a breach, may be sufficient grounds to sustain class actions
by affected customers, whether or not they have yet suffered a direct
financial loss.

In addition to reducing the risk of lawsuits and of investigations by the
FTC and the Securities and Exchange Commission, a strong, proactive security
posture can save organizations a substantial amount of money. While
companies should assume that data breaches are now a fact of life, many
breaches could have been prevented if the affected company had implemented
basic security controls and best practices. The Ponemon Institute concluded
that individual security measures each reduce the cost of a breach by
roughly $7 to $12 per record, which adds up quickly when hundreds of
thousands or millions of records are involved. "Firms must adopt written
policies to protect their clients' private information and they need to
anticipate potential cybersecurity events and have clear procedures in
place rather than waiting to react once a breach occurs," said Marshall S.
Sprung, co-chief of the SEC Enforcement Division's Asset Management Unit.

To avoid the costs and rapidly expanding liability that follow a data
breach and a company's lack of oversight, organizations need to protect
themselves and their customers vigilantly. Here are the key elements
required to establish a strong security posture, reduce the risk of a
breach, and limit the damage and cost should a breach occur:

A chief information security officer (CISO): Having a senior-level
executive responsible for establishing and maintaining the organization's
data security vision and strategy makes it easier to develop programs, get
them approved, and adjust them quickly as the threat environment evolves.

Board-level involvement: When boards recognize that data breaches are a
threat to shareholder value, they help create a security culture and ensure
that regular reporting covers data security activities.

Employee training: Employees who click on links in malicious email
(phishing and spearphishing) or are duped into revealing credentials or
personal information (social engineering) create the highest risk for
organizations. Educating employees about these threats is critical to a
strong security posture.

A computer security incident response plan (CSIRP) and team: A CSIRP
ensures that an organization has in place all the processes and procedures
needed to deal quickly and effectively with a breach. A dedicated CSIRP
team ensures that the plan is kept up to date, that responsibilities under
the plan are clear, and that the required activities can be started
immediately when necessary.

Extensive use of encryption: Data that is encrypted, and whose keys were
not exposed alongside it, is of little use to cybercriminals, and a breach
involving only encrypted data may have minimal impact on the organization;
many breach-notification laws also exempt properly encrypted data from
their notice requirements.

Business continuity management (BCM): The BCM team should be involved in
all incident response planning. In the event of a successful breach, the
BCM team must understand the impact on the business and what steps it needs
to take, and when, to bring the business safely back online.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 