Editor’s note: Anthony La Polla is Vice President of Operations at Critical Defence, LLC. We’re delighted to share his expertise in cybersecurity with our audience.
As the use of technology continues to increase in today’s business, so do the concerns pertaining to cybersecurity. According to the Verizon 2017 Data Breach Investigation Report:
- 75% of breaches were perpetrated by outsiders
- 62% of breaches featured hacking
- 81% of hacking involved weak or stolen passwords
- 66% of malware was installed via malicious emails
- 73% of breaches were financially motivated
- 1 in 14 users were tricked into following a link or opening an attachment
The statistics are alarming, and the consequences of a breach could be catastrophic. From theft of client personal data, loss of propriety data or intellectual property, or payment card data leakage, a single breach could cause the total collapse of the business. As a result, companies are taking action with some key measures, including:
- Training staff to identify warning signs
- Following the principle of least privilege
- Instituting patch management policies
- Encrypting sensitive date to make it useless if stolen
- Requiring two factor authentication to limit damage if lost or stolen
- Regularly reviewing log files for warning signs of a breach
And companies aren’t the only ones taking notice of the risks associated with cyber-attacks and vulnerabilities. Government agencies are making concentrated efforts to protect companies, employees and consumers from these digital crimes. Two of the most recent mandates addressing these issues are the General Data Protection Regulation (more commonly known as the GDPR) and New York State’s DFS Regulation 500 Part 23.
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. The GDPR applies to any company which has a presence in an EU country, processes personal data of European residents, has more than 250 employees, or fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
The GDPR protects basic identity information such as name, address and ID numbers, web data such as location, IP address, cookie data and RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation. The GDPR requires that companies appoint a Data Protection Officer, identify all protected data within the network, create a data protection plan, create a data retention policy which allows individuals the right to have their data completely removed upon request, conduct a risk assessment, report any breach within 72 hours and revise risk mitigation programs.
The GDR also outlines the consequences of failing to comply, and they are steep. It allows for financial penalties of up to €20 million or four percent of global annual turnover, whichever is higher, for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year. The good news is that there is still time to comply; GDPR enforcement will begin May 28, 2018.
DFS Reg 500 Part 23
The New York Department of Financial Services (DFS) has issued 23 NYCRR Part 500, a regulation designed to promote the protection of customer information as well as the information technology systems of regulated entities (financial institutions such as banks and insurance companies). This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
The regulation requires that covered entities create and implement a cybersecurity program and policy the identifies and mitigates risk and aims to prevent breaches. The regulation is rather specific and requires, at a minimum, that covered organization do the following:
- Assign a Chief Information Security Officer
- Perform annual penetration testing
- Perform Bi-annual vulnerability assessments
- Maintain an audit trail
- Limit access privileges
- Ensure the use of secure deployment practices
- Conduct a periodic risk assessment
- Utilize qualified cybersecurity personnel
- Implement a third party service provider security policy
- Utilize multi-factor authentication
- Limit data retention and create a secure disposal policy
- Provide regular cyber security awareness training and monitoring
- Encrypt of nonpublic information
- Establish a written incident response plan
- Notification within 72 hours of cyber event identification
There are few exemptions to this regulation. Only organizations (including independent contractors) with fewer than
10 employees, organization with less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and organizations with less than $10,000,000 in year-end total assets, calculated in accordance with GAAP including assets of all affiliates are excluded from the compliance requirement. This regulation was put into effect on May 1, 2017, and covered organizations were required to be compliant by August 27, 2017. By February 15, 2018, covered entities are required to submit the first certification for 23 NYCRR 500.17(b). On March 1, 2018, covered entities are required to be in compliance with sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500, and by March 1, 2019, organizations are required to be compliant section 500.11.
As technology and internet usage continue to grow, so does cyber crimeCybersecurity and Key Compliance Requirements . In order to defend against it companies will need to implement appropriate policies and procedures that align with new mandated regulations. These requirements will need to be monitored closely and will need experts to ensure proper implementation and maintenance. Otherwise, the costs and consequences could be catastrophic.
About Critical Defence
Critical Defence, LLC is a global provider of cyber security services including, but not limited to Assurance, Response, Compliance and Training. Additional information can be found at www.criticaldefence.com.