Some Ideas, Other than Fines, to Reduce Data Breaches

An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.

The truth might lie somewhere in the middle.

In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.

The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.

Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.

The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.

Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.

What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.

So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:

  1. Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
  2. Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
  3. Instead of imposing fines on offending companies, instead require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.

While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.

If Your Job Depended On It, How Would You Prevent a Data Breach?

Data breaches are an almost daily event and the problem is getting worse over time (although 2018 may end up being not quite as bad as 2017). If your job as an IT or security professional was dependent on preventing data breaches for your organization (and it very well could be), what steps would you take to prevent them? Here are a few ideas:

  • Understand where your data lives
    Our research has found that many decision makers really don’t know where all of their data is located. This is partly due to poor management of data, but also by the explosion of “Shadow IT” that enables employees to store data on personal devices, their own cloud accounts and in a variety of other places beyond the control of IT. To correct this problem, IT should conduct a thorough audit of every potential source of corporate data and bring it under the control of IT. That’s much easier said than done, but it’s essential if an organization is to regain control of its valuable data.
  • Analyze your data
    After the location of all corporate data is known and brought back under IT control, it should be analyzed as part of a good information governance protocol to determine what can safely be discarded, what data is subject to various compliance obligations, the duplicate data that is being stored, and so forth. This will reduce the volume of data that must be managed and identify what needs to be better protected, leaving less data available to breach.
  • Implement the appropriate access controls
    Implement robust identity access management to ensure that users have access to data only on a need-to-know basis. Implement risk-based authentication to ensure that more valuable assets require a greater degree of authentication than just username and password, but use multi-factor authentication at a minimum…everywhere. Implement user behavior analytics to ensure that anomalous behavior (e.g., unusually large file downloads or accessing sensitive data resources at odd times) is recognized and access to data is restricted, approved or blocked, as appropriate.
  • Train users
    It’s essential to educate users about how to protect corporate data. That means common sense things like not sending sensitive or confidential data without encryption, not using personal webmail or file-sharing services to send corporate data, not clicking on email links or attachments unless the identity of the sender is known and trusted, not visiting inappropriate web sites, not using personal webmail at work, being skeptical of requests delivered through email, not clicking on links in social media posts without first verifying their validity, not logging into unsecured Wi-Fi networks (e.g., at airports or coffee shops) without using a VPN or appropriate controls, not oversharing on social media, and maintaining robust security software on personal devices and networks if they are going to be used to access corporate networks or data resources.
  • Use air gaps wherever you can
    Not everything should be online. Old databases, older archived data and other data sources that are valuable, but rarely accessed, should be air-gapped to prevent breaches of this data.
  • Encrypt devices
    One of the most common sources of data leaks is the loss of laptops and mobile devices that contain unencrypted data. Every device must be encrypted to ensure that even if a device is lost, the data on it will remain inaccessible. Plus, the loss of encrypted data will, in most cases, not trigger requirements under data breach notification laws.
  • Encrypt data
    All data should be encrypted – at-rest, in-transit and in-use.
  • Evaluate your providers
    The typical large enterprise employee more than 1,000 cloud providers in addition to many non-cloud providers. It’s your responsibility to ensure that each of these providers maintains appropriate security controls for your data under their control. Regulations like the General Data Protection Regulation codify these types of requirements, but it’s good to implement this best practice even in the absence of a specific external requirement to do so.
  • Establish multiple and disconnected communications channels
    One of the most financially damaging types of data breach is CEO Fraud or Business Email Compromise, in which a cybercriminal impersonates a CEO or other high ranking official to someone in the organization like a CFO or HR staffer. The recipient will often trust the message and execute the requested action, which might include initiating a wire transfer or sending W-2 data on employees. By establishing a communications backchannel, such as text messaging on mobile phones, the validity of the request can be confirmed.
  • Implement DLP
    To prevent malicious and inadvertent data breaches, implement a data loss prevention (DLP) capability that will inspect outbound emails, file transfers and other outbound content for sensitive data that is being sent without encryption, information being sent to competitors, emails sent to the wrong party, and so forth.

These are just a few ideas that will help to mitigate, if not prevent, data breaches. Of course, every organization should implement a robust information governance program, but these are some good steps that will help to move an organization in that direction.

Are You Governing Your Information Properly?

What is “information governance”? Here are some definitions:

  • TechTarget: “A holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.”
  • Wikipedia: “The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.”
  • The IG Initiative: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

In short, information governance is about getting value out of information and minimizing the risks associated with managing it.

We are just about to publish a white paper focused on the return-on-investment associated with information governance. As part of that effort, we have conducted a survey with mid-sized and large organizations to determine the state of information governance today. Here are some highlights:

  • Only 52% of the organizations surveyed have an information governance program today, but another 20% plan to do so within the next 12 months.
  • The top three drivers used to justify an information governance program are risk avoidance, the risks associated with meeting regulatory obligations, and, somewhat surprisingly, maintaining or improving employee productivity.
  • Despite the fact that most organizations have or will have an information governance program in place within the next 12 months, most organizations do not regulatory dispose of digital information from file share, SharePoint or related systems.
  • Moreover, most organizations do not have in place a defensible disposition program.
  • More than one-third of the organizations surveyed have had sensitive or confidential content stolen from them. This most often occurs from outside parties, but also a sizeable proportion of insider theft has occurred.

Our focus in the white paper will be on a) why information governance is an essential best practice for any organization, but particularly those with large amounts of sensitive, confidential or otherwise valuable information; and b) how to demonstrate the return-on-investment that can be realized by implementing an appropriate information governance program.

If you’d like an advanced copy of the white paper, please let us know.