Thoughts from a Discussion on Cybersecurity
added: 10.01.2013, by Mike Spinney
Last week I attended Cybersecurity: it’s not just for IT Anymore, a panel discussion hosted by law firm Mintz Levin. Moderated by Mintz attorney Cynthia Larose, the panel included Heidi Lawson, member, Mintz Levin; Brendan Goodwin, cyber specialist, AIG Property Casualty; Jason Straight, managing director, Kroll; and Peter Foster, executive vice president, Willis Americas Administration.
The panel discussion focused on issues related to risk factors and insurance for data security, but there was plenty of good advice and insight for anyone concerned with protecting valuable information and intellectual property. Thought I would share some notes and thoughts.
• A data breach is not just an IT risk issue; it is an enterprise risk issue.
• Everyone’s a target because intellectual property is a target.
• Most data losses result from compromised targets of opportunity – assets that are not adequately protected.
• Smaller organizations are easier targets because they have fewer resources to spend on information security and fewer internal controls, and are thus less risky for the perpetrators. According to the panel, cybercrime is now the most common activity for organized crime, surpassing even drug dealing.
• External hacks get the most attention, but the insider threat is a greater risk to organizations, whether through malicious access, human error, or negligence.
• Bad habits, such as simple, common, or shared passwords and failure to encrypt sensitive data, exacerbate an organization’s risk.
• Companies should invest in data loss prevention (DLP) tools and technologies.
• Third parties are common breach sources and must be thoroughly vetted. This includes partners, service providers, vendors, contractors, etc.
• Addressing data security is not just an IT issue. It’s an HR issue, a legal/compliance issue, and a business continuity issue, and it extends to physical (e.g., paper) records.
• Process is the most important part of a comprehensive information security program, supported by people and technology.
• Incident response is a commonly neglected aspect of a data breach plan.
• Without executive decision-maker involvement, any incident response plan is useless.
• Prepare and practice data breach response.
• Conduct regular risk assessments and start at the top; executives are not immune to bad security habits and have access to vital corporate data assets.
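The password bad habits above are easy to state and hard to see in practice. As an added example (not from the panel or the original post), the script below shows what a password-change hook or a periodic audit can check: minimum length, presence on a list of common passwords, and the same password being shared across accounts. The account list, the common-password list and the pepper value are constructed for this example; a real deployment would use a breached-password list and a pepper held in a secrets store, and would keep the reuse fingerprint separate from the salted hash used for login.

```python
"""Password-hygiene audit: flag simple, common and shared passwords.

Added example. The accounts and password list below are constructed,
not taken from any real system.
"""
import hashlib
import hmac
from collections import defaultdict

# Stand-in for a real breached-password list (constructed, deliberately short).
COMMON_PASSWORDS = {"password", "password1", "123456", "welcome1", "qwerty", "letmein"}
MIN_LENGTH = 12

# Constructed sample: what a password-change hook would see, one entry per account.
SAMPLE_ACCOUNTS = [
    ("alice", "Correct-Horse-Battery-9"),
    ("bob", "Welcome1"),
    ("carol", "Summer2013!!"),
    ("dave", "Summer2013!!"),    # identical to carol's: shared password
    ("erin", "Tr0ub4dor&3"),
    ("frank", "summer2013!!"),   # case variant, not byte-identical, so not "shared"
]


def fingerprint(password: str, pepper: bytes) -> str:
    """Keyed, unsalted fingerprint used only to detect reuse across accounts.

    There is no per-user salt, so identical passwords collide and can be
    grouped; the pepper (a secret key, assumed to live in a secrets store)
    keeps the fingerprints useless to an attacker who steals the table.
    This is NOT the credential hash used for login, which must be salted.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).hexdigest()


def weakness_reasons(password: str) -> list[str]:
    """Per-password checks: length and membership in the common list."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    return reasons


def audit(accounts, pepper: bytes) -> dict[str, list[str]]:
    """Return {username: [reasons]} for every account whose password is flagged."""
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for user, pw in accounts:
        findings[user].extend(weakness_reasons(pw))
        by_fingerprint[fingerprint(pw, pepper)].append(user)
    # Any fingerprint seen on more than one account means a shared password.
    for users in by_fingerprint.values():
        if len(users) > 1:
            for u in users:
                others = sorted(set(users) - {u})
                findings[u].append("shared with " + ", ".join(others))
    # defaultdict only gained keys we actually touched; drop the clean ones.
    return {u: r for u, r in findings.items() if r}


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS, b"example-pepper").items():
        print(f"{user}: {'; '.join(reasons)}")
```

Running it flags bob (short and on the common list), carol and dave (shared), and erin (short); alice and frank pass. The point of the keyed fingerprint is that reuse can be detected without ever storing or comparing plaintext after the change hook has run.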
Some of the costliest mistakes a company can make?
• Failure to plan for breach “event management” costs.
• PCI fines related to non-compliance.
• Failure to encrypt.
• Ignorance of and non-compliance with state data protection laws (e.g., California’s new Health Confidentiality law).
• Overreaction to a breach: improper notification is costly.
Not that there's much new ground broken in any of the above, but I’m always interested to see these kinds of events so well attended. It shows a consistent and significant level of concern about how to keep valuable information, intellectual property, confidential documents, and other data safe.
Data security and data breach laws are not new issues, but there is a real need for education and awareness as the landscape changes. New laws and regulations, new threats and vulnerabilities, new tools and techniques all demand our attention as we seek to protect our valuable data.