With all the news about data breaches, you may think the threat landscape cannot possibly get any worse – but that is the expectation among industry analysts. Cybercrime is expected to double from its 2015 level of $3 trillion to reach $6 trillion by 2021. As these attacks increase, so does the amount spent to defend against them. More than $1 trillion is forecast to be spent on cybersecurity products and services worldwide from 2017 through 2021. Falling victim to a data breach, of course, is far more costly than preparing for one.
To look at just one industry holding critically sensitive data: healthcare is a common target. A total of 2.7 million people’s records were compromised through major breaches reported to the US Department of Health and Human Services (HHS) over six months in 2017, per analysis by Bill Kleyman. Healthcare is certainly not the only industry affected by data breaches, with 2017 figures showing 1,579 reported data breaches across the following segments:
- Business – 870
- Healthcare – 374
- Finance/Credit – 134
- Education – 127
- Military/Government – 74
Given the massive costs of data breaches and their prevalence across all types of organizations, it is a wise investment of time to prepare for these incidents. Here are five critical steps to get ready for a potential compromise of your systems:
1. Consider compliance, especially to the GDPR.
Your first step in preparation is to look at security from the perspective of compliance, since regulations (General Data Protection Regulation, or GDPR; Health Insurance Portability and Accountability Act, or HIPAA) and standards (Payment Card Industry Data Security Standard, or PCI DSS; Statement on Standards for Attestation Engagements 18, or SSAE 18) offer frameworks for assessment. The GDPR deserves particular attention now that it is in effect, because it applies to all organizations that might process the personal data of European Union citizens (which covers virtually all websites that collect names, emails, or any other personally identifiable information, or PII).
Internet attorney Andrew Rossow noted just before the enforcement date of the GDPR that many companies based in the United States were revising their privacy policies to adhere to the stipulations of the new law. One particularly important element related to this regulation is that the language of privacy policies should be exceptionally clear so that any consent given by them is straightforward. A basic summary of consent as it is understood by the GDPR is described by veteran IT writer Mark Kaelin:
- Given freely rather than coerced;
- Related to a specific purpose rather than open-ended;
- Informed, as opposed to exploiting what the user may not know;
- Provided in an unambiguous rather than concealed manner;
- Given through a clear statement or act rather than assumed through use of the service;
- Separate from other actions rather than included within the general user agreement;
- Described and bound through an agreement that is simple to access and in clear language rather than difficult to find and in tiny-print legalese.
2. Create and refine your incident response plan.
Some strategies remain as valid in 2019 as in years past, such as developing a routinely tested incident response (IR) plan, which Certified Information Systems Security Professional (CISSP) Sean Martin recommended in 2015. Testing should be reasonably broad, covering two or three different possible attack vectors. The IR plan itself should lay out how your organization will react if a breach is suspected or confirmed; it should name the specific decision-makers within your organization who need to be alerted and list the other notifications that must be sent (for example, to users and affiliates). Testing should incorporate simulations of various breach scenarios, including cybercrime and fraud; malicious and careless insiders; and advanced threats.
3. Use blockchain and artificial intelligence (AI).
Critical technologies have emerged that can bolster your defenses against breaches. Two technologies that are especially important are blockchain and AI. Rossow had an interesting insight on blockchain: its core strength lies in the sheer amount of computing power that would be needed to crack it, which makes a breach unviable or unattractive to would-be attackers. Artificial intelligence is critical to online security because AI systems are increasingly adept at detecting malicious activity. These AI systems work by being trained on known forms of malware and recognizing similar patterns, which lets them flag new malware that resembles previous forms.
4. Protect your email system.
Attackers will often go after email, commonly using tactics such as phishing and ransomware. Implementing a traditional gateway is not enough in the current environment, so adopt a high-security email ecosystem, starting with SSAE 18 compliant hosting. Statement on Standards for Attestation Engagements 18, a set of security and procedural guidelines from the American Institute of Certified Public Accountants (AICPA), provides assurance about the controls protecting your infrastructure. Security monitoring should also be in place, whether provided by your host or by other means. When you use systems and technologies that properly safeguard your email, you benefit beyond protecting your customers: data loss prevention tools can also be leveraged to prevent data leakage.
5. Stop data breaches before they start.
You certainly want to be prepared for a data breach in 2019, since there are more of them occurring now than ever before. That starts with meeting compliance and creating an incident response plan for that worst-case scenario of a confirmed breach. However, you can also make use of cutting-edge technologies and pay special attention to your email system to mitigate your risk and safeguard your critical data assets.
This guest blog post is provided by Atlantic.Net, a company providing custom Cloud, Dedicated, and HIPAA-Compliant hosting solutions for organizations in need of simple, fast, reliable, and secure server hosting.
If your organization’s network contains ePHI and you suspect a security incident or data breach has occurred, contact Gillware Digital Forensics for swift and comprehensive investigative support.