The State of Connecticut’s Cybersecurity Action Plan

The State of Connecticut recently released a Cybersecurity Action Plan.  This plan makes it clear that if companies don’t start taking cybersecurity and data privacy more seriously, the state, and even the federal government, will be forced to step in and add even more legislation and regulations.  Can your organization quickly identify:

  • the kinds of data it holds, whose data it is, and where it is located;
  • the customers who are supported by a particular computing resource;
  • the internal business processes and functions that are supported by a resource;
  • the controls that are in place to limit access to authorized users; and
  • the dependencies between the different computing systems?

If not, how can your organization expect to show regulators or shareholders that it is taking cybersecurity and data privacy seriously?  The first step in taking cybersecurity seriously is to make cybersecurity make sense. Fathom Cyber can help.

https://portal.ct.gov/-/media/Office-of-the-Governor/Press-Room/20180503-CT-Cybersecurity-Action-Plan.pdf?la=en


“Reasonable” is changing for Boards of Directors

Boards of Directors are increasingly being held accountable for the organization’s cybersecurity shortcomings.  Some Board members have been able to hide behind the “business judgment rule” in the past to avoid having to take ownership of cybersecurity.  But that is changing, and it is no longer reasonable for the board to be hands-off when it comes to cybersecurity.

https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/christopherskroupa/2018/04/19/cybersecurity-and-the-boards-responsibilities-whats-reasonable-has-changed/amp/


Creating a Culture of Enforcement

Without the proper cultural changes, any organization-wide efforts are likely to fail.  This is true whether the efforts involve business issues, like creating the right approach to customer service, or regulatory issues, like compliance with ethics laws, data privacy laws, or cybersecurity regulations.  Although many organizations initially try to change their culture, the effort can be monumental, and the repercussions can be tough.  In some cases, the organization’s top performers and senior leaders are the ones most resistant to change.  Is the organization ready to enforce its policies and procedures, even against these “star players”?  If not, the cultural efforts will fail, and the organization will soon return to its old ways.  The article below provides an approach to creating a culture of compliance.

Creating a Culture of Compliance

Cybersecurity and Data Privacy

Make Cybersecurity Make Sense

Most Boards and executives treat cybersecurity and data privacy as though they are the same.  That is a mistake.  Cybersecurity and data privacy are related but distinct concepts, as discussed below.

Cybersecurity

If you ask most people about cybersecurity, they almost always jump right to trying to keep criminal hackers from breaking into a computer or computer network to steal credit card numbers, bank account information, or intellectual property.  But cybersecurity is much broader than that.  The goal of cybersecurity is to prevent unauthorized access to information or resources.  This means that, from an external threat perspective, cybersecurity must also consider issues such as:

  • keeping others from using your online data storage to distribute malware to others, or to store information collected from malware;
  • keeping others from installing software on your computer that mines bitcoins; or
  • keeping others from exploiting poor software coding techniques to place fraudulent orders.

In addition to addressing external threats, cybersecurity also addresses internal threats.  This can include issues such as:

  • keeping unauthorized employees from accessing payroll, accounting, or other information;
  • keeping employees from using the organization’s resources for non-organizational purposes (e.g., using a server to host the employee’s internet radio station); or
  • keeping employees from using the organization’s computers for illegal purposes.

Data Privacy

Data privacy deals with how information about an individual, such as their name, phone number, national ID number, etc., is stored and shared.  More specifically, data privacy laws seek to inform the data subject (the person whose data is at issue) about a variety of issues, including:

  • what data is collected;
  • how the data is used;
  • whether and how the data is shared; and
  • what the data subject can do to have their data removed or “forgotten”.

By being better informed about how their information is stored and shared, the individual can make a conscious decision as to whether to continue to do business with the organization, and whether to request the removal of their data.

Data Privacy Violations Without Cybersecurity Incidents

Most people seem to understand these distinctions, yet they still struggle with envisioning how you can have a data privacy violation without a cybersecurity incident.  Here’s a simple example:

Bill has been binge-watching some cooking videos online, and came across many interesting recipes for different nacho-style foods.  He knows his friends will go nuts for them, so he decides to throw a party next weekend.  He searches online and finds a small vendor (SmokedFishSalt.com) who has the halibut-smoked sea salt that he saw mentioned in one video.  Bill is a very savvy online buyer, and reads SmokedFishSalt.com’s Privacy Policy, which says that they only share information with partners to facilitate the transaction. Pleased with what he reads, Bill places his order, asking for it to be sent Priority Mail.  Bill’s order arrives, and the party is a big success due in no small part to the special salt.  A few days later, Bill begins getting E-mail and postcards from other specialty foods suppliers, including SpikedPotato.com.  So many, in fact, that both his inbox and mailbox are flooded. Bill gets annoyed, and decides it is time to take action.

In the scenario above, if SmokedFishSalt.com uses some of the Postal Service’s online shipping tools, SmokedFishSalt’s sharing of Bill’s information with the Postal Service is unlikely to be seen as violating the privacy policy.  The Postal Service is a necessary part of the transaction.  But if SmokedFishSalt shared Bill’s information with SpikedPotato.com, this would likely violate SmokedFishSalt’s privacy policy.  Bill’s information would be exposed without his consent, and this would be a data privacy violation without there having been any kind of cybersecurity incident.

Cybersecurity Incidents Without Data Privacy Violations

Just as you can have data privacy violations without having a cybersecurity incident, you can also have a cybersecurity incident without having a data privacy breach.  As an example, there was a recent news report of a bank that had been hacked.  When the security team investigated, they found that the cyber criminals had installed software on many machines throughout the bank.  From what the security team could tell, the software was “only” mining for bitcoin.  No depositor, account, or other information was being accessed by the software.

Wrapping up

Cybersecurity and data privacy are two separate but related issues.  The issues they cause can, and frequently do, overlap, but an organization needs to carefully consider each separately, and officers and Directors must understand that the organization’s investments in one area do not necessarily equate to investments in the other.