It's a New Year and time for resolutions! One to consider is going on the Data Diet. As data continues to be the lifeblood of business, many nefarious threat actors continue to seek victims to target. To stay vigilant, businesses need to take full account and ownership of their data and look for ways to shed unnecessary retention and moderate their consumption.

2019 is all but certain to bring a slew of resolutions for threat actors too, as warned by The McAfee Lab Threat Predictions Report, which forecasts an increase in cyber-attacks using a variety of attack vectors and multi-pronged payloads to steal data from unprepared businesses and government agencies. We saw examples of this evolution at the end of 2018 with new variants of Emotet, a traditionally multi-faceted banking Trojan, now demonstrating the capability to capture and exfiltrate e-mails from infected systems.

Carrying the momentum from 2017, 2018 further reinforced the proposition that it's not IF a business will experience a data security incident, but WHEN, and few are ready for this inevitability. This past year some of the highest profile targets of data security incidents included Marriott, Facebook, Reddit, Google+, Quora, British Airways, Cathay Pacific, Orbitz, Ticketfly, Under Armour and OnePlus. The McAfee Lab Threat Predictions Report found 428 threats per minute in Q3 2018.

When taking inventory of the data accessible on your business's network, one effective metaphor is to ask whether you are operating like someone who keeps all of their money at home, or like someone who keeps it at a bank. An unauthorized intruder can only take what is left accessible to them. Those who are "data heavy" create leverage for ill-intentioned intruders. This can result in outrageous ransom demands, expose your business to a wider net of notification obligations to both individuals and regulators, and subject your business to fines, penalties and a greater risk of civil litigation.

When tackling data management, first take a breath and compartmentalize your incoming and outgoing data. Follow the data trail so that you can answer the following:

  • Who has access to the data;
  • What does the data consist of and what is protecting it from unauthorized access;
  • Where is the data coming from and where is it stored (online v. offline, locally v. remotely);
  • When is the data being used or expected to be used;
  • How long will the data be retained;
  • Why do we need this data?

You do not want your business asking these questions in the midst of a data security incident. Remember that the data you take in and retain should be limited to that which is necessary for optimal business productivity and performance. If you do not need it, shed that excess data from your network.

Before the internet, the above-referenced list was much easier to complete and simpler to answer. Today, as your data traverses the commerce landscape, it will inevitably involve more intermediaries than ever before, each with its own set of data privacy and cyber security practices. In the course of a transaction, it is not uncommon for someone to transmit data constituting Personal Information. With the 2018 passing of breach notification statutes in Alabama and South Dakota, each of our 50 states now has a breach notification statute, with various definitions of Personal Information.

We continue to see regulators make growing use of "hefty" fines against businesses which lack "appropriate safeguards" to protect their data and Personal Information. This subjective term is used liberally by the FTC, SEC, FINRA, FDIC, and HHS, and can be found codified in statutes or guidelines relating to GDPR, Gramm Leach Bliley, HIPAA and FERPA.

A regimen of the Data Diet will take you through a process that will give you visibility on whether your business is taking measures to implement "appropriate safeguards."

We advise our clients to be proactive when it comes to protecting their data to minimize both risk and exposure. A business New Year's resolution to get to know your data and how it comes into and goes out of your organization, and to create or update your incident response plan, will allow you to start off the year on the right foot, so that you can work towards being in a position to effectively triage and investigate a data security incident with the least amount of risk and exposure.

As with any diet, success will take commitment and involve challenges, but the end-game will leave your business lean and agile to combat threat actors who may decide to target your business in 2019.

Make 2019 your safest year yet by tackling data issues before a breach strikes.
