It’s the gifting season and, on the business front, there’s no better gift to give yourself and your company than improved cyber maturity to meet 2018’s cybersecurity challenges. We asked some TSC Advantage experts for their ideas on ways to bestow enhanced security on your organization.
Finally Tackle Third-Party Threats
Kelly Felder, Threat Analyst, CISSP, CTPRP
Data breaches through third parties continue to rise, and with them, threats to your organization’s intellectual property, customer information, and company reputation. According to a Ponemon Institute study, third-party breaches rose seven percentage points in 2017 over the previous year, with 56% of respondents reporting that their organizations had been breached through a third party.
Big names such as Duke Energy, Uber, and Netflix revealed third-party breaches in 2017, joining the well-known and highly publicized Target and Home Depot breaches on the list. In many organizations, including those in highly regulated sectors, awareness of the risk has not translated into action. You may still be asking, “How do we protect ourselves when we rely on so many connected third parties to conduct business?” You can start by making sure your third-party risk management program includes the following:
- Understand the risk of outsourcing. Before you decide to outsource, make sure your organization understands the risk that comes with granting access: know the type, volume, and sensitivity of the data involved, and how the vendor will connect to your systems.
- Know who you are getting into a relationship with. It is not enough to rely on a vendor’s reputation, recommendations, or financial standing; you must understand the security posture of the third party before you enter into any agreement. There are efficient and economical tools (including TSC Advantage’s Secure Halo) to assess vendors’ security controls and to rank the most at-risk among a portfolio of vendors or suppliers, so that assessment effort goes where the exposure is greatest.
- Protect your organization. Build security into contract terms. Service Level Agreements (SLAs) are important for defining the service provided and its reliability, but they are not enough when it comes to security. Organizations should seek to include terms covering incident response and breach notification (including timelines), business continuity and disaster recovery, audit rights, minimum security controls, and the vendor’s use of subcontractors, to name a few.
Read our third-party cyber risk white paper for a three-part framework on viewing risk, specific questions to ask vendors, and steps to take before moving to the cloud.
No More Procrastinating – Get Ready for GDPR Requirements
Jerry Bujno, CISA, CISM, CISSP, PMP, ITILv3, CCNA, ISO/IEC 27001:2013 Lead Auditor
The European Union (EU) gave businesses and public bodies two years to prepare for the General Data Protection Regulation (GDPR). Now its enforcement date is quickly approaching: May 25, 2018. Still don’t know why you should care? If you offer goods or services to individuals in the European Union, monitor their behavior, or otherwise process and hold their personal data, this applies to you. Your company’s location is not a factor, and neither is the citizenship of the people whose data you hold; what matters is that they are in the EU.
What you need to know:
- There are significant financial consequences for non-compliance: for the most serious infringements, fines of up to 4% of annual global turnover or 20 million euros, whichever is greater. A lower tier of up to 2% or 10 million euros applies to other violations.
- Breach notification is mandatory. Where a personal data breach is likely to “result in a risk to the rights and freedoms of individuals,” the supervisory authority must be notified within 72 hours of the organization becoming aware of it. Where the risk to individuals is high, the affected data subjects must also be notified without undue delay.
- Data subjects have numerous rights, including:
  - Access: to confirm whether or not their personal data is being processed, where and why it is processed, and to request a copy of the data being processed (the first copy free of charge).
  - Erasure (the “right to be forgotten”): to have personal data erased, its dissemination stopped, and third parties halt processing of it. This applies under specific conditions, such as the data no longer being necessary for the purpose it was collected for, or the data subject withdrawing consent. Note: erasure requests must be balanced against other legal obligations and the public interest in the availability of the data.
  - Portability: to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
The two-year grace period is almost over, and penalties for procrastination are coming. There is still time to get your house in order, but every month that passes without action means a greater business impact when enforcement begins.
Fortify Security to Protect Your Brand Value
Ben Bruno, Communications/Marketing Specialist
In some organizations, there is a disconnect between customer expectations around security and how senior management and boards view its tie to company revenue and reputation. A Ponemon study said that while it is critical for the C-suite to address consumer expectations, more than a third of IT practitioners and chief marketing officers “don’t believe their senior management understands the importance of preserving the company’s reputation.”
Studies have recorded customer loss and stock price declines after businesses announce a data breach. They also reveal important lessons:
- Proactive cybersecurity is a good investment. Ponemon says “companies are less likely to see a decline in stock prices if they have a strong security posture through investments in people, process and technologies.” In the same study, companies with a robust security posture that responded quickly to the breach saw their stock price return to its previous level after seven days, on average, whereas companies with a poor security posture that did not respond quickly saw the decline last more than 90 days, on average.
- Publicly traded companies are not alone in what they have to lose from a data breach. All organizations are exposed to lawsuits and settlements, regulatory fines, external communication costs, and post-breach cybersecurity investments that demand additional time and money. Much of that expense can be avoided by having the proper security measures in place before a breach occurs.
- Real jobs are on the line. Look to Uber for an example of how not to handle a cyber incident, and of the jobs lost as a result. While today’s consumers may feel that their data has likely already been exposed, they still expect businesses to take cybersecurity threats seriously, both before and after a breach.
The year ahead will undoubtedly bring a continued barrage of cybersecurity challenges. Organizations that give themselves the gift of proactive security will be stronger and more resilient in 2018.