Legislative Intervention into Security Preparedness
Steven Cohen, VP Herjavec Group
Last week a US appeals court confirmed that the Federal Trade Commission (FTC) can proceed with its suit against the Wyndham hotel chain. Wyndham was accused of failing to secure customer information and prevent multiple breaches between 2008-2009. The breaches reportedly resulted in 619,000 credit card accounts being compromised and over $10million in losses.
Following the ruling, Wyndham spokesperson Michael Valentino stated that once the discovery process resumes, his firm believes that the FTC’s allegations will be proven to be unfounded. He reinforced the priority placed on safeguarding information and emphasized that, “consumers will be best served by the government and businesses working together collaboratively rather than as adversaries”.
It has been reported that the FTC has settled 53 cases against companies relating to information security. Governments, including the Obama administration, have challenged organizations to be more transparent in how they are collecting data. Canada’s Digital Privacy Act, passed in June of this year, puts the onus on organizations to notify individuals including customers and employees when there has been a data breach as well as report the breach to the Office of the Privacy Commissioner of Canada when it is reasonable to believe the breach creates a real risk of significant harm. Regulations pertaining to this law have not been shared however it is believed that the more efficient an organization is at containing a breach and determining its scope, the less likely a breach will be deemed reportable or require escalation.
Legislative intervention into how organizations protect their customer, employee and corporate data is bound to continue as the threat of cybercrime has become mainstream. At a minimum, organizations should make sure that they have basic security technologies and operational controls in place, including: firewalls, endpoint protection (anti-virus), network security monitoring and visibility, malware detection capability, intrusion prevention. It is important to take a proactive approach to prevention, detection, analysis and remediation. At the end of the day, security isn’t perfect but recent activities have demonstrated that organizations will be held accountable should they not take reasonable steps to ensure they are safeguarding information and are in effect “prepared” for a targeted attack.
Herjavec Group has published a Ten Point Plan for security preparedness as part of our Thought Leadership series. We recommend all business leaders follow the philosophies presented here to ensure their teams are prepared for an Information Security Incident.
- Don’t wait for a breach to get ready.
- Understand your business, and what is critical, important, and meaningful. Document where those important things are stored, how they’re protected, and what the cost and impact is if they’re lost or stolen. Invest in protection to prevent unacceptable losses to the extent the business tolerates.
- Elevate the priority placed on Security Awareness internally and ensure that employees across all levels of your organization understand that it is their job to help support the company’s security posture (this will involve communication, training etc).
- Create policies, procedures and guidelines for handling information security incidents. Create practices for communication, involving your legal departments, staff, law enforcement and customers. Develop and document escalation and authority structures.
- Ensure you have visibility into the critical activity and behavior in your environment. Review how you are receiving and digesting this information, as well as which stakeholders within your organization receive, provide input on, or action the data.
- Make incident detection and analysis a core competency for your information security program. Find a balance for your program goals and spending between preventative, detective and corrective actions. Visibility into the data and events occurring on the network and within the data repositories is critical. Preventative controls can and will fail.
- Develop and understand your capacity for response. Hire, contract or allocate resources that are trained, and have the necessary tools and experience in incident response. Most organizations will be able to develop the capacity to handle and recover from minor incidents. Develop a plan and process to understand and react to extended incidents, or major incidents that exceed the skill level and capacity of internal staff.
- Practice and learn. Even if you are having regular “live-fire” incidents, review your plan yearly and do simulations to create a continuous improvement cycle.
- Leverage expert advice and guidance. In addition to advice from a trusted security advisor, you can learn a lot from SANS Institute IR training or by reading resources like “NIST SP 800-61rev2”.
- Talk early, meaningfully and often, with your executives, with company staff and with contractors about your program’s readiness, your plans for improvement and your capacity for response. While discovering a security incident might be unwelcome, it shouldn’t be a surprise.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003, and it quickly became one of North America’s fastest-growing technology companies. Herjavec Group delivers managed security services globally supported by a state-of-the-art, PCI compliant Security Operations Centre (SOC), operated 24/7/365 by certified security professionals. This expertise is coupled with a leadership position across a wide range of functions including consulting, compliance, risk management & incident response. Herjavec Group has offices globally including three headquarters in Toronto (Canada), New York City (USA) and Reading (United Kingdom). For more information, visit www.herjavecgroup.com.