Government intrusion into data privacy continues to be a global issue, as a British court recently ruled that UK security agencies illegally collected citizens’ data for 17 years. Also in recent GRC news: Facebook joins the list of businesses adopting the Privacy Shield framework, and more businesses are considering regulatory technology as compliance pressures increase.
Court: Citizens’ personal info illegally obtained by UK security agencies
A British court has ruled that UK citizens had their personal information unlawfully collected by multiple UK security agencies for 17 years. Britain’s investigatory powers tribunal ruled that MI5, MI6 and the Government Communications Headquarters were all implicated in the illegal actions. The agencies “failed to comply with article 8 protecting the right to privacy of the European convention of human rights” between the years 1998 and 2015, The Guardian reported.
Data obtained by the agencies included personal phone and web communications, as well as medical records, tax records, financial data and biographical information.
In 2014, UK security agencies were accused of illegal bulk data collection by groups that included Privacy International and Amnesty International. A New York Times editorial about the accusations noted that the British government neither admitted nor denied the allegations of mass surveillance.
Facebook adopts EU-U.S. Privacy Shield agreement
Facebook has adopted the EU-U.S. Privacy Shield framework, an agreement regulating how U.S. companies transfer EU citizens’ data electronically across international borders, The Telegraph reported. The Privacy Shield compliance requirements will apply to Facebook’s existing targeted advertisements that gather users’ data from other companies, as well as Facebook’s new Workplace application.
The Privacy Shield framework replaced Safe Harbor after the European Court of Justice overturned that agreement in 2015 due to concerns that it was enabling U.S. surveillance, according to The Telegraph. The court ruled that each country in the European Union should be able to decide how its citizens’ online data can be gathered and used.
As compliance pressures mount, businesses turn to regulatory tech
Government spending in the post-financial-crisis world helped economies grow, but “government contracts, emerging market exposure and third-party agents” have also put pressure on companies from a regulatory compliance perspective, TechCrunch reported.
The increase in compliance and regulations has led to the coining of a new industry buzzword: regtech, which, according to TechCrunch, describes technologies dedicated to “creating solutions that ease the burden of compliance.”
One area where regtech can assist with regulatory compliance is identity management. “No number of new government committees and task forces will be able to protect businesses and organizations if they don’t know, on the most basic level, with whom they are doing business,” TechCrunch reported.
Snap, Inc., the company behind the popular photo and video messaging app Snapchat, is releasing a pair of photo and video-capturing glasses that have some worried about the possible privacy implications of such a device. Also in recent GRC news, an NSA contractor was arrested after being suspected of hacking foreign governments, MasterCard launched a facial-recognition payment-authentication app in Europe and the candidates talked cybersecurity during the latest presidential debate.
Snapchat rebrands, releases first piece of hardware
The company formerly known as Snapchat has been rebranded as Snap, Inc., and is entering the hardware market with the release of image-capturing sunglasses called “Spectacles.”
Users of Snap, Inc.’s Spectacles can record a video by tapping a button located on the top left of the frames, according to The Verge. Google Glass was considered a major flop by some, with privacy cited as a major reason for the failure because individuals could not know whether they were being recorded by Glass users. Spectacles attempt to resolve that issue with outward-facing lights on the cameras: Individuals in users’ fields of vision are notified that a recording is in progress by a ring of lights around each camera on Spectacles’ lenses.
But despite these precautions, questions are being raised about the potential regulatory and privacy ramifications surrounding Snap Inc.’s first piece of hardware, according to the Wall Street Journal. Even with lights to alert others of a recording, there will likely still be questions about whether users have the ability to secretly record others using Spectacles.
NSA contractor arrested
A former NSA contractor was arrested by the FBI after being suspected of stealing and disclosing highly classified computer code developed by the agency to hack foreign governments, the New York Times reported. The contractor, Harold T. Martin III, reportedly worked for consulting company Booz Allen Hamilton. This event marks the second time a contractor from Booz Allen Hamilton has stolen information while working for the NSA, with the first being Edward Snowden in 2013, according to the Times.
The arrest highlights the ongoing issue of cybersecurity threats facing governments and individuals worldwide. In August, the NSA was hacked by a group called the Shadow Brokers who stole a “cyber arsenal” of hacking tools from the security agency, according to the Washington Post.
MasterCard launches facial-recognition payment app
Apple sparked the biometric payment authentication race with its release of the fingerprint scanner for Apple Pay in 2013, and now other companies are following suit. MasterCard has launched a biometric authentication app in Europe that is informally dubbed “selfie pay.” The app is formally known as MasterCard Identity Check, and allows users to confirm payments through the use of their smartphone’s fingerprint scanner or camera using the app’s biometric authentication software, according to TechCrunch.
Engadget reported that MasterCard has already thought of ways that possible hackers might try to get past the biometric authentication, such as holding up a picture of someone else’s face. To prevent any such breaches of security, the app requires users to blink once before the authentication is complete to make sure they are indeed a real person.
Trump and Clinton talk tech, cybersecurity
As concerns about foreign intervention in the presidential election continue, candidates Donald Trump and Hillary Clinton are speaking out about their cybersecurity plans for the country if elected.
Trump, who has drawn scrutiny for his thoughts on the Internet, said during the debate that cyber-attacks from Russia, North Korea and China are “our most critical national security concerns.”
Clinton, who has been called “technophobic” by some for the way she dealt with her private email server situation, said that the United States must become tougher on cybersecurity matters and called for companies to increase cybersecurity technology investment, the San Francisco Chronicle reported.
When Anndorie Cromar received a call from Child Protective Services saying they were coming to take her children away, she was flabbergasted. She was unaware that her medical identity had been stolen and used by a pregnant woman to cover pregnancy costs at a nearby Utah hospital. The agency took custody of the pregnant woman’s infant, who was born with drugs in her system, and officials assumed Cromar was a drug addict whose other children were in danger. Cromar had to take a DNA test to get her name off the infant’s birth certificate, and it took years to correct her medical records.
Cromar’s case is used as an example in a recent report by the Institute for Critical Infrastructure Technology (ICIT) to show how hackers are increasingly targeting healthcare sector organizations for electronic health records (EHRs) that can be sold and resold on the deep Web.
The cybersecurity think tank is hosting a Senate briefing on the report in Washington D.C. tomorrow to expose the impact stolen EHRs have on victims, and why organizations in the healthcare sector should beef up their layered security.
“This briefing initially will be a trickle-down conversation; we are going to start with the actual stakeholders in the federal critical infrastructure space and then they are going to take that back and start working this information into the conversations that they are having within their localized microcosm,” said James Scott, an ICIT senior fellow who co-authored the report with ICIT researcher Drew Spaniel.
Cyber criminals go after EHRs because of their value and also because organizations in the healthcare sector fail to properly secure their systems, according to the report titled Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims. Stolen EHRs can be used for a wide range of fraud, from paying for medical expenses to creating new medical identities.
The report highlights a survey conducted by the Healthcare Information and Management Systems Society, which surveyed 119 acute care facilities and 31 non-acute care providers. The survey found 32% of acute care facilities and 52% of non-acute providers do not encrypt data in transit, and 39% of acute-care facilities and 52% of non-acute facilities do not encrypt data at rest. Without encryption, data is more vulnerable to attacks. To make matters worse, not all acute-care facilities and non-acute providers had firewalls in place, the survey found.
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched,” according to the ICIT report.
This makes healthcare organizations’ foray into IoT vulnerable, as effective security layers cannot be applied properly, leaving them easily targetable by hackers. The lack of both cyber-hygiene and endpoint security by healthcare providers allows even the most unsophisticated attackers to easily steal patient records or deliver malware.
The hackers then often sell the stolen health information on the deep Web, and the report also identifies popular market places and forums for stolen EHRs.
Hackers sell health insurance credentials on the deep Web for about $20 apiece, and that value increases if a dental or vision plan is attached to the health plan, according to the report. They also use the deep Web to sell information packages known as fullz, “an electronic dossier of a victim that is compiled to specifically facilitate identity theft and fraud.” These “fullz” contain health insurance credentials along with social security numbers, bank accounts, email passwords, and other personally identifiable information.
In this hyper-evolving threat landscape, experts who haven’t studied adversary agendas, methods and technical profiles will have a hard time keeping up, Scott said.
“You can’t talk about cybersecurity without understanding the attack vectors, you can’t talk about attribution without forensically defining the intricacies of the breach, you can’t talk about the woes of ransomware without defending the necessity of encryption as a powerful layer of cybersecurity,” Scott said. “You’re only as cyber secure as your weakest vulnerability.”
Wells Fargo has been fined $185 million and fired more than 5,000 employees after the discovery of an illegal sales push that duped customers for years. Also in recent GRC news, U.S. businesses with European clients are unprepared for the European Union General Data Protection Regulation (GDPR), Olympians’ medical records were leaked and the 2016 U.S. presidential race continues to be targeted by hackers.
Wells Fargo sales tactics under fire
Wells Fargo has fired 5,300 employees after it was discovered that they were engaging in illegal sales tactics. Over the course of five years, the employees used fake email addresses to create around 2 million unauthorized accounts for existing customers, the Chicago Tribune reported.
Former Wells Fargo employees told the New York Times that the tactics were necessary to meet unattainable sales goals. “The reality was that people had to meet their goals — they needed a paycheck,” one former employee, Khalid Taha, told the Times. As a result of the incident, Wells Fargo has eliminated product sales goals for retail bankers in an effort to prevent this type of illicit activity from happening again.
Wells Fargo must also pay $185 million in fines to the Consumer Financial Protection Bureau (CFPB). This is the largest fine ever collected by the CFPB, the Washington Post reported.
U.S. businesses not ready to meet EU data standards
Many U.S. businesses with European clients are unprepared for new regulations under the European Union General Data Protection Regulation (GDPR), according to a survey conducted by software company Compuware.
Compuware surveyed 400 CIOs of large companies in the U.S. and Europe. The survey found that more than half of the U.S. companies that took part in the survey have personal information of European customers, but only a third of those companies are making the necessary preparations to comply with the GDPR, Information Management reported. U.S. companies must comply with the GDPR by May 2018.
Foreign hackers release Colin Powell’s emails
The latest political hacking target is former secretary of state Colin Powell, whose emails were revealed by hackers. The emails show Powell speaking candidly about Donald Trump and Hillary Clinton, according to the New York Times. In one email, Powell said he would “rather not have to vote for” Clinton. In another, Powell called Trump a “national disgrace” and an “international pariah.”
The Washington Post reported that the emails were leaked on a site tied to the Russian government, continuing the trend of foreign countries tampering in the U.S. election process. In recent months, the Democratic National Committee (DNC) experienced an email leak that led to the resignation of DNC chairwoman Debbie Wasserman Schultz, and two states’ voter registration databases were breached by Russian hackers.
Olympians’ medical records leaked
Hackers thought to be linked to the Russian government have released medical records and drug testing records of Olympic athletes, including gold medal gymnast Simone Biles and tennis stars Venus and Serena Williams. The hackers tapped into the World Anti-Doping Agency’s (WADA) database to obtain the information, ABC News reported. The hacker group calls itself “Fancy Bear,” and released personal medical records of 25 athletes, according to a statement released by WADA.
In a statement released on their website, Fancy Bear detailed the motive behind the data leaks, alleging that U.S. athletes “regularly used illicit strong drugs justified by certificates of approval for therapeutic use.”
Last week, San Francisco-based Wells Fargo bank was fined $185 million because employees opened two million unauthorized bank and credit card accounts. About 5,300 employees associated with this fraudulent conduct were fired over a five-year period, the bank said.
The incident has not only marred the organization’s brand, but has also raised questions about its company culture. How can other organizations prevent similar misconduct?
“It is important to address ethics and compliance at the beginning of an employee’s employment, making sure that they know what is expected from the company, they know what the culture is, they know what the values are and they know where to go if they have a question,” said Eileen Krouse, program manager at Staples’ Ethics and Compliance Office, during a recent panel discussion titled Preparing your Employees to be the Compliance Front Line at the Thomson Reuters Compliance and Risk Forum in Boston.
There are several reasons why employees engage in unethical behavior. Financial worries, pressure to reach sales targets, being unaware that what they are doing is wrong, or not knowing where to seek help if needed can all contribute to the problem, panelists said.
But panelists agreed that at the top of this list is an “I don’t care about the company” attitude.
“Especially when you are talking about a large enterprise with frontline employees, the ‘I don’t care’ dynamic is an important one that you have to address somehow. You have to convince them to care,” said panelist Matt Kelly, editor and CEO at Radical Compliance. “The other part is just incentive pressures. Organizations have to know how to tie how people get paid and rewarded to the caring about ethics and compliance.”
Companies need experienced and creative people to figure out what incentives can take employees down the wrong path — and who is most susceptible to head down that path, said panelist Daniel Nathan, a partner at Morvillo law firm.
It is important to show employees that the company values proper ethics and a strong set of principles, he added.
“You got to make sure you are reaching the right group of people with the right message. It’s what people call ‘tone at the top’,” said Nathan.
Organizations can help set these standards by making a helpline available for employees with questions about ethical behavior, regularly holding ethics training, and sending out informative newsletters, panelists said.
At Staples, Krouse’s team doesn’t wait for employees to come to them with questions or problems, but reaches out to them first, she said.
“Associates need to know that the ethics and compliance team are people, and that we are a resource and not the ethics police,” Krouse said.
It’s important to have a robust internal audit program and a disciplinary system where employees who engage in any misconduct are dealt with accordingly, Nathan added.
Kelly talked about how a company can collect useful intel from the organization’s whistleblower hotline to help diagnose a company’s culture.
“Look at as many metrics as you can get from your hotline calls, about retaliation specifically,” he said. “Are people alleging retaliation? Are they alleging it against a specific manager or alleging against a specific type of misconduct that they are alerting you to?”
Partnering and communicating with other departments also helps drive an ethical corporate culture, panelists agreed.
Krouse said her department partners very closely with HR and with employment attorneys so that they can cooperate when ethical issues come up.
It is equally important to have a risk assessment program to analyze potential risks of corporate ethics violations before introducing any new program, product or service, Nathan added.
“The classic formula for setting up a compliance program is to identify upfront the risks of the program, product or sale,” he said. “Identify any conflicts of interest that would cause a potential problem and figure out how to mitigate it.”
The E.U. has ordered Ireland to collect more than $14B in taxes from Apple that, according to the E.U., have gone unpaid for years. Also in recent GRC news, state voter registration system breaches continue to highlight vulnerabilities in the U.S. election process and Dropbox finally confirmed more than 68 million users’ accounts were hacked in a 2012 data breach.
Apple told by E.U. to pay Ireland $14.5B in unpaid taxes
The European Union has ordered Ireland to gather nearly $14.5B in retroactive taxes from Apple, The New York Times reported. Apple has long been scrutinized for its alleged tax evasion and for using Ireland, a country that offers one of the lowest tax rates in the world, as a so-called “tax haven.”
In a statement released on Apple’s website, CEO Tim Cook expressed disappointment about the E.U.’s ruling and detailed the consequences that could result if the order is upheld. “Beyond the obvious targeting of Apple, the most profound and harmful effect of this ruling will be on investment and job creation in Europe. Using the Commission’s theory, every company in Ireland and across Europe is suddenly at risk of being subjected to taxes under laws that never existed,” Cook said in the statement. Both Apple and Ireland intend to appeal the E.U.’s decision.
Two states’ election systems breached
Arizona and Illinois both had their election systems breached by hackers that are likely based overseas, CNN reported. The news comes weeks after security experts warned of possible voting system breaches during the presidential election in November. Ken Menzel, General Counsel for the Illinois Board of Elections, told CNN that a board database was breached and possibly compromised 200,000 voter records. In May, officials in Arizona took down the state’s voter registration system after receiving an FBI tip about a cybersecurity threat. After taking the registration system offline, it was discovered that an Arizona county election official’s username and password had been shared online, allowing hackers a possible way into the county’s local voter registration system.
These voter registration system breaches come after many individuals have expressed their concern about the possibility of hacks that would influence the 2016 presidential election.
Dropbox confirms 68 million accounts exposed in 2012 hack
Online storage giant Dropbox has confirmed the details of a 2012 hack that led to the leak of more than 68 million accounts’ emails and passwords, BBC reported. The breach serves as an important lesson to all who utilize online accounts: do not reuse passwords.
Although it can be convenient to have the same password for every online account you sign in to, it is also very dangerous from a cybersecurity standpoint. The 2012 Dropbox hack was made possible after hackers exploited a Dropbox employee’s password for a different online account that was leaked via another data breach. The employee failed to change the password after the first breach, resulting in the compromise of the employee’s Dropbox account.
After a Democratic National Committee email leak, security experts are warning against a possible voting machine hack come November. Also in GRC news, the New York branch of one of Taiwan’s largest banks has been fined $180 million after violating compliance regulations, and a data leak by a hacker group called “Shadow Brokers” has revealed a possible NSA breach.
Electronic vote manipulation a possibility in November
In a society where almost every bit of information is recorded electronically, the potential for cybersecurity threats is high: After Russian hackers leaked Democratic National Committee emails, security experts told NPR that voting machines could be the next target for hackers. Zeynep Tufekci, an associate professor at the University of North Carolina’s School of Information and Library Science, told NPR that states that rely on electronic voting systems without paper back-up ballots are at risk for potential security breaches and vote manipulation.
In early August, POLITICO interviewed Andrew Appel, professor of computer science at Princeton University, who revealed how easily some voting machines can be hacked and have their results altered.
Mega Financial Holdings fined $180 million for compliance violations
One of Taiwan’s largest banks had its New York branch fined $180 million by the state’s financial regulator for compliance violations, Reuters reported. Mega Financial Holdings violated anti-money laundering laws due to its disregard for “risks of exposure” in Panama, an area popular for money laundering, the New York State Department of Financial Services said in a statement.
Mega Financial is one of many companies whose records are now being looked at under a microscope following the “Panama Papers” leak of more than two and a half terabytes of data taken from Panamanian law firm Mossack Fonseca. Most notably, former UK Prime Minister David Cameron found himself involved in the data leak when it was revealed that he profited from his father’s Panama-based, UK-tax-avoiding trust.
“Shadow Brokers” leak possibly revealed classified NSA code
The New York Times reported that a group of hackers calling themselves the “Shadow Brokers” have released classified computer code that has been used by the National Security Agency (NSA) for espionage purposes.
Experts told the New York Times that the code was designed to give the NSA access to the computer systems of foreign countries. Some of the same code was detailed by NSA whistleblower Edward Snowden in 2013. According to Forbes, the information leaked by the Shadow Brokers also reveals how the NSA was able to bypass the encryption of PIX, a Cisco program that offered firewall and VPN technology, to spy on the product’s users.
Investors are nervous about bitcoin’s future value after Bitfinex, one of the world’s “big four” bitcoin exchanges, was hacked and had nearly $65 million worth of bitcoins stolen. Also in recent GRC news: Tinder has been accused of violating EU privacy laws, and the popular augmented reality mobile game Pokémon GO could cause some unwanted HIPAA violations.
Hack leaves bitcoin investors spooked
Hong Kong-based bitcoin exchange Bitfinex was breached by hackers who stole nearly 120,000 bitcoins that by some estimates were worth more than $70 million. Experts told CNBC that future investors may be hesitant to consider bitcoin a stable currency to purchase stakes in, as this is not the first time a major breach of a bitcoin exchange has occurred.
In 2014, Tokyo-based bitcoin exchange Mt. Gox became insolvent after discovering a breach that was left undetected for years. Mt. Gox remains the most famous and devastating bitcoin exchange breach of all time, as Mt. Gox once managed nearly 70% of all bitcoin exchanges worldwide, according to the Wall Street Journal.
Tinder accused of breaching EU privacy laws
The popular mobile dating app Tinder has been accused by a Belgian Member of the European Parliament of violating EU privacy laws. Marc Tarabella told the BBC that Tinder fails to notify users of the amount of data the app manages on users’ mobile devices, thereby violating EU privacy rules.
Tinder, however, is not the only mobile app that has recently been in the spotlight due to users’ rights to privacy. In May, Ars Technica reported that the fitness tracking app Runkeeper was accused of violating EU privacy laws by the Norwegian Consumer Council. According to the Consumer Council, Runkeeper’s practice of recording and sending users’ location data to a third party in the United States — even while the app is not in use — is a violation of EU data privacy laws.
The record-breaking augmented reality mobile game Pokémon GO has been making headlines for reasons other than its massive financial and cultural success. Shortly after the game was released in early July, it was discovered that Niantic, the game’s developer, was able to access a large amount of private and personal information from users’ Google accounts that were used to create a Pokémon GO account. According to Adam Reeve, a principal architect at security firm RedOwl Analytics who was the first to break this news, Niantic had the ability to read and send users’ email, access users’ Google Drive documents, look at users’ search history, view users’ Google Maps navigation history and access users’ private photos stored in Google Photos. Niantic has since updated its permissions policy in response to the privacy issues, stating that the game is only able to access basic Google account information and nothing more.
Pokémon GO poses risk of HIPAA violations
The National Law Review detailed the benefits and detriments of healthcare facilities allowing Pokémon GO to be played on their premises. Reasons to let the game stay include the benefits of physical activity, because the game’s objectives can help healthcare facilities motivate patients to exercise. One of the reasons for banning Pokémon GO from healthcare facilities is the possibility of HIPAA violations of patient privacy.
The mobile game’s augmented reality feature allows users to view and capture photos of animated characters in the real world through their device’s camera, so users can share the images via social media. This poses an obvious privacy issue in a healthcare environment, as patients’ private health information, and the patients themselves, could be recorded and shared on social media.
Niantic has made concessions to allow businesses and organizations to opt-out of the Pokémon GO craze. By submitting an online complaint on Niantic’s website, healthcare facilities can have their location removed from the game and essentially block Pokémon GO characters from spawning in and around their facility.
The Privacy Shield data transfer pact finally received the green light from U.S. and EU privacy regulators, and businesses can begin registering to comply with the framework Aug. 1. Also in recent GRC news: The SEC calls for better transparency for brokers’ order routing practices, and a University of Mississippi hospital is fined $2.75 million for violating HIPAA security rules.
With Privacy Shield finalized, companies are urged to act quickly
The U.S. and the European Commission have greenlighted Privacy Shield, the data transfer agreement that replaces the Safe Harbor framework. Companies can start registering for Privacy Shield on Aug. 1. Experts told the Wall Street Journal that the finalization of the deal could alleviate uncertainty for thousands of businesses that relied on Safe Harbor for legal guidance as they moved business and customer data across the Atlantic. Privacy Shield contains more robust provisions than Safe Harbor, such as increased limits on U.S. companies regarding European data access and remediation rights for individuals. Privacy regulators will review the framework every year to ensure that it remains effective.
There are aspects of Privacy Shield that will work in favor of companies that adopt the framework, data transfer experts told WSJ. One way it benefits companies is that the Privacy Shield provisions are consistent with the principles of the EU’s General Data Protection Regulation (GDPR), a new law that overhauls how EU citizens’ data is handled. Businesses that are already enacting compliance processes around Privacy Shield can use those endeavors to comply with GDPR. Another benefit is that companies that sign up for Privacy Shield within two months of Aug. 1 receive a grace period of nine months to achieve compliance with the framework.
SEC proposes greater disclosure of order routing practices
The U.S. Securities and Exchange Commission (SEC) has proposed rules that would require brokers to reveal standard data about order routing practices. This data includes possible conflicts of interest with their clients, how adequately they carried out their customers’ orders and the average rebate a broker firm received for its orders, which will be published in aggregated reports on the SEC’s website.
Critics of the current standards say investors lack sufficient details on where their orders are being sent and why. “This proposal should provide investors with an important new tool to better assess whether a broker-dealer’s order routing practices are consistent with their investment objectives,” SEC chairperson Mary Jo White said in a public statement.
U-Miss hospital to pay $2.75 million fine for HIPAA infraction
The University of Mississippi Medical Center (UMMC) will pay the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services, a $2.75 million fine for HIPAA violations. An OCR investigation found that the hospital had been aware of vulnerabilities affecting electronic protected health information (ePHI) since at least 2005, but didn’t take any meaningful action to alleviate or remove the risk until after a laptop was stolen in 2013. The OCR also found that health data were susceptible to unauthorized access through UMMC’s wireless network because users were able to access an active directory holding the ePHI of 10,000 patients. The OCR’s findings showed UMMC was in violation of the HIPAA Security Rule’s guidelines for safeguarding ePHI.
UMMC will enter into a resolution agreement and three-year corrective action plan with the OCR. The resolution agreement states that the hospital failed to enact the appropriate security measures to remain HIPAA-compliant, particularly in regard to reducing data vulnerabilities and notifying patients of insecure ePHI. UMMC accepted the OCR’s resolution agreement, but noted that the acceptance does not admit the hospital’s liability.
Digitization requires big changes to companies’ strategic processes, and security is no different: In a recent report, Gartner predicts that 60% of digital businesses will experience major service failures by 2020 due to the inability of their IT security teams to manage digital risks.
“Digital security is the risk and resilience-driven expansion of current cybersecurity practices to protect the pervasive digital presence in business, government and society,” Pratap said in an email interview.
In the report, the IT research and advisory firm identified five major areas for organizations to focus on to successfully address cybersecurity in the digital era.
The role of leadership
Investing in leadership and governance improvements will triumph over technology tools when it comes to addressing cybersecurity, according to the report.
“CISOs need to communicate with business leaders,” Pratap said about CISOs’ role in mitigating cyber risks. “First, they need to figure out what cybersecurity means for their organization and then get a consensus of that understanding from the business. Everything else related to assessments, recruiting talent, threat intelligence and incident response procurements is pointless if this key piece is missing.”
Creating and developing roles like a digital risk officer to address the changing nature of risks and threats will help connect the dots between different parts of the organization’s digital strategy, she added.
Protection, detection and response
With cybersecurity threats increasing in number and sophistication, IT risk and security leaders should stop focusing their efforts solely on prevention and balance investments across data protection, incident detection and response, Pratap said.
Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated for quick detection and response approaches, a significant increase from less than 30% in 2016.
IT risk and cybersecurity leaders should employ existing and innovative technologies to detect and respond to external and insider threats, according to the report.
One important step will be to stop focusing on checkbox compliance and shift to risk-based decision making, Pratap said.
Cultivating a new approach
Security approaches designed for traditional businesses won’t work for digital businesses, according to the report. With the introduction of new strategies like bimodal IT, enterprises need a new approach to address cybersecurity, Gartner predicts.
“The challenges of designing and running a digital business make digital security a broader term,” she said. “Digital business is the creation of new business designs that connect not only people and business, but also connect people, business and things — physical objects that are active players and contribute to business value — to drive revenue and efficiency.”
Security in the cloud era
In the digitization era, organizations are often required to address cybersecurity and potential risks for technologies and assets that they no longer own or control, the report states.
Gartner predicts that by 2018, 25% of corporate data traffic will bypass enterprise security controls and flow directly to the cloud from mobile devices.
With data no longer restricted to data centers, it is important to stop trying to control information and instead determine how it flows, Pratap added.
“Finding all sensitive data and tracking all access in all forms will be too onerous for most organizations,” she said. “Each organization will have to manage their ability to do this within the limits of the resources they can commit. From personally identifiable information to sensitive intellectual property, the impact of compromise of such information on the organization needs to be assessed regularly.”
A people-centric approach
When it comes to cybersecurity, people and processes have failed to receive the same attention as technology, according to the report. A recent CEO survey conducted by Gartner shows the majority of CEOs still look at cybersecurity as an IT issue and not a business one, Pratap added.
Cybersecurity in the digital age must cater to the needs of the employees and customers, the report states. It is important to accept the limits of technology and become more people-centric, Pratap said, because monitoring and analyzing user behavior can replace many restrictive controls.
“It is commonly recognized that normal, everyday users just trying to get their work done can be the weakest links in the digital security chain,” she said. “Conversely, motivated people can be the strongest links in our security chain. It is necessary to shape behavior and motivate people to do the right thing.”