Gretel Egan | January 28, 2018

Opinion The costly impact of data privacy failure

As seen on Information Management...

Data Privacy Day is held annually on January 28 by the National Cyber Security Alliance in an effort to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust.

The aim of this day is targeted at helping people around the world understand how their personal information is being collected and used – in addition to understanding how they can keep their data safe from cybercrime. Data Privacy Day commemorates the 1981 signing of Convention 108, the first legally binding international treaty related to data protection and privacy; it was first initiated in Europe in 2007 and was adopted in the US and Canada in 2008.

The NCSA is the official champion of Data Privacy Day, and it develops its yearly campaigns with assistance of an Advisory Committee of distinguished privacy professionals to ensure that its activities align with the most current issues. For organizations, the today’s data management and privacy stakes are higher than ever before.

For security leaders, this looks somewhat like a “cause and effect” scenario: lack of security awareness training and risky end-user behaviors can have major financial consequences and other business impacts, including non-compliance implications. There is a bright side, however: organizations can protect their data and avoid costly fines by better managing end-user risks related to phishing and ransomware attacks.

Cause: Careless End User Habits

Risky habits present among working adults come in all shapes and sizes, from high clicks rates on real and simulated phishing emails, to low overall awareness on key threats such as ransomware and smishing (SMS/text message phishing).

The fourth annual State of the Phish Report, recently released by Wombat Security, shows that phishing is still a major threat to be reckoned with. More than three-quarters of the infosec professionals surveyed for the report said they experienced a phishing attack in 2017, and nearly half said the rate of attacks increased since 2016. Couple that with the low levels of cybersecurity knowledge and poor cyber habits also noted among technology users also surveyed for the study, and it’s clear that end-user behaviors pose a serious threat to organizations’ data.

Take general knowledge of ransomware as an example. Despite very regular reports of ransomware attacks in 2017 — including the headline-grabbing global impacts related to WannaCry and NotPetya — the average working-age adult still lacks basic awareness of this type of malware.

The State of the Phish Report found that only 55 percent of UK technology users and 46 percent of U.S. technology users could correctly define what ransomware is. German respondents fared even worse, with only 31 percent of the adults surveyed able to correctly identify the definition of ransomware in a multiple-choice query. And awareness related to smishing is quite dismal; in Wombat’s survey, only 16 percent of technology users were able to correctly identify what smishing was; 17 percent answered incorrectly, and 67 percent of respondents didn’t even hazard a guess.

The implications of these findings on data security are vast. Phishing, ransomware, and smishing attacks regularly compromise data integrity. The State of the Phish Reportfound that 49 percent of infosec professionals experienced a malware infection as a result of a phishing attack in 2017, an 81 percent increase from 2016.

Furthermore, 38 percent of respondents reported compromised accounts as a result of these attacks and 13 percent experienced data loss. Of those surveyed, half of the respondents reported measuring the cost of a phishing attack on their business through the loss of proprietary information.

Infosec teams are doing a number of things to combat phishing threats on the technical side, and these technologies are certainly helpful in preventing some malicious emails from reaching end users. But they can’t stop all attacks.

In the case of social engineering scams, security is left to a binary "do I or don't I" decision by end users. The implications of a wrong decision include: users disclosing sensitive information to an authorized source; users giving outside parties the credentials to access corporate systems (and the data they contain); malware infiltrating a corporate network, which could lead to data exfiltration; or ransomware infecting local and networked devices, rendering data inaccessible and, sometimes, unrecoverable.

As technology continues to evolve and security threats continue to increase, it has become more important than ever for organizations to arm users with the skills and knowledge they need to identify and avoid dangerous emails and text messages.

For infosec professionals, best practices related to phishing prevention and ransomware avoidance may seem like old news; the same can’t be said for the average end user, for whom cybersecurity risks are likely to seem foreign (or be mistakenly classified as someone else’s — i.e., IT’s — problem). Rather than once- or twice-a-year initiatives, its ongoing awareness and training programs that offer the best opportunity to move the dial on end-user risk.

Employees need to be given the opportunity to develop and practice skills over time. Now more than ever, the need for cybersecurity education that makes data protection a daily pursuit has become abundantly clear and difficult to dispute.

Effect: Financial Ramifications and Other Business Impacts

For the security of an organization and its data, the foundation must be laid with a combination of company standards and system controls that mandate acceptable behavior. These standards should outline appropriate end-user behaviors and how to address a security concern properly when one arises.

The end user is the last line of defense when it comes to compliance. They have a direct impact on an organization’s data visibility and must comply with data governance strategies in place to meet regulation requirements.

It is an organization’s responsibility to provide end users with the proper tools for success as the average employee is likely to have only one goal in mind: to get their job done. If end users do not have the proper tools and guidance they need to securely accomplish their goals, they may feel compelled to improvise and seek out workarounds that could put their organization and its data at risk. An example of this improvisation could include the downloading of free consumer-grade applications that share data over unsecure paths.

While there are varying levels of data classification, it is important to identify the level at which each dataset must be protected based on its security level. Restricting access to certain data based on who truly needs access to it and monitoring how these controls are set is critical for all aspects of data management and protection.

As security mandates tighten their grip on global organizations in all industries, it becomes more imperative for businesses to be proactive in protecting their critical information. Now more than ever, there are serious implications for having an untrained end user sitting behind a computer screen, in addition to granting numerous end users access to data that should be heavily guarded.

With many companies and infosec teams working to understand the implications of the EU’s General Data Protection Regulation (GDPR) — which goes into effect on May 25, 2018 — data protection and data privacy has become an even higher-stakes game for many organizations. In developing a top-level data governance strategy aimed at meeting regulation requirements, it is vital to focus on both the personnel and the tools available.

A successful data governance strategy requires IT leaders to assemble the right teams and resources initially, then be willing to enforce the guidelines set forth across the organization to ensure data protection and avoid costly fines.

According to a recent report, The True Cost of Compliance with Data Protection Regulations, conducted by Globalscape and Ponemon, data protection non-compliance expenses rose 45 percent from 2011 to 2017, costing organizations with poor data protection plans an average of $14.82 million annually in non-compliance costs (which, incidentally, is 2.71 times the cost of compliance itself).

The costs associated with non-compliance can be reflected in things such as business disruption, productivity loss, revenue loss and significant fines, penalties, and settlements. These costs extend to all compliance regulations, including HIPPA, PCI DSS, and other state privacy and data protection laws.

Data protection regulations are increasingly complex in nature, due to the increased value and sensitivity of personal and proprietary data. As data becomes more valuable, the risk of data breaches, data loss, cyberattacks, and insider threats becomes a grave and urgent issue.

The pending enforcement of regulations like GDPR demonstrate the new era of complex policies developed to protect data (down to an individual level) from increasingly sophisticated cyberattacks. More data protection regulations and frameworks like the EU’s GDPR are expected to be developed and implemented from other areas of the world, including China and Australia.

Looking ahead: How to Break the Cycle

Some organizations may think that the implications of non-compliance does not apply to them, be it because of their industry or their geolocation. But there are also clear business implications outside of regulatory requirements (which, frankly, are sure to impact every organization at some point in the near or distant future). Even if a breach doesn’t yet carry a fine, a victimized organization is likely to bear the burden of loss of trade secrets, downtime for operations and/or employees, and damage to their reputation (just to name a few). For organizations that also face penalties of non-compliance, it’s a “salt in the wound” compounding pain.

This Data Privacy Day, we encourage you to learn about your end users’ understanding of threats such as phishing and ransomware, and identify areas of susceptibility in your data governance plan. We also urge you to elevate the cybersecurity discussion and make it an end-to-end pursuit for all members of your organizations. Employees need to know about your compliance strategy, but they also need to know how to apply best practice for data protection. Equip your end users with the tools and guidance they need to do their job in a way that meets compliance standards and/or protects your organization from suffering a data breach.

No matter how deep your organization’s pockets might be — and even if you’re not required to comply with GDPR or other current or upcoming mandates — you simply cannot afford to ignore the importance of data privacy and the role of end users in ensuring data is adequately protected.

Read this article on Information Management