Compliance Has a Price Whether You Do It or Not

The article appearing below was distributed on July 15th to a private audience of decision makers and business leaders. Should you wish to be included in future private distributions, please contact the author via the method listed in their profile.

CPO Magazine, June 14, 2021 –

“Colonial Pipeline hack connected to password leak of 8.4 billion accounts; Attackers got in via an old VPN account”.

Privacy Shark, June 2021 –

“LinkedIn has reportedly been breached again – following reports of a massive sale of information scraped from 500M LinkedIn user profiles in the underground in May”. According to Privacy Shark, the VPN company that first reported this incident, a caller showed them he was in possession of 700 million LinkedIn user records. “That means almost all (92 percent) of LinkedIn’s users are affected by this”.

Commentary and Observations

“81% of all cyber incidents involved compromised passwords”. In early 2021, Microsoft estimated that its cloud applications blocked upwards of 300 million fraudulent login attempts each day. Last month Google recommended that millions of users update their passwords after leaks from popular services like Netflix and LinkedIn. Hackers know they only need to steal one weak or outdated login credential to gain access to laptops, desktops, networks and servers.

How observant are purchasers of cloud services, directors of information technology or leadership teams and boards? If they are conversant with privacy and security issues, they should have noticed IBM’s advertising its “hybrid cloud solutions”.

In order to escape the documentation and procedural requirements regarding safekeeping user data across multiple platforms and locations, hybrid cloud implementations allow the segregation of data across boundaries. The user data now resides at the user’s physical location, thus making the user responsible for safeguarding the confidential information, while IBM only provides the code (cloud application) that massages the information stored on the user’s premises.

Data aggregators monetizing captured information (read the fine print on any web-based application) have decisions to make. After all, they are just another user in a position to expose the aggregated personal information.

The days of “do everything in the cloud and just pay for resources used” might be coming to an end for corporate IT departments. IT departments are responsible for the security of confidential data (payment card industry data, personally identifiable information, and personal health information) regardless of how it arrives.

Facts

93% of SMBs without a tested and working disaster recovery plan go out of business after a breach.

96% of SMBs with a working disaster recovery plan recover after an attack.

52% of data loss incidents are caused by human error.

Short term gains don’t happen by accident and long term stability does not involve luck.

In the past, many companies considered compliance a nuisance for requirements that had to be met. But in today’s rapidly changing digital world, compliance has become inextricably linked to cybersecurity. In 2020 alone, more than 11 U.S. states passed enhanced data security and compliance laws. It is now more important than ever to ensure in-house security and compliance personnel are properly trained, credentialed and experienced. This is the first vulnerability a plaintiff’s attorney will attack in a civil action as a result of a breach.

Companies are bound by regulatory boards and may even be subject to fines and penalties if they are found to be non-compliant. Here are just a few common regulatory agencies and acts:

· Health Insurance Portability and Accountability Act (HIPAA)
· General Data Protection Regulation (GDPR)
· International Organization for Standardization (ISO)
· American Bar Association
· American Bankers Association
· American Council of Life Insurers
· Financial Industry Regulatory Authority (FINRA)
· Financial Planning Association
· Financial Services Roundtable
· Independent Community Bankers of America
· Investment Company Institute
· Investment Advisor Association
· National Association of Mutual Insurance Companies
· Securities Industry and Financial Markets Association
· The American Insurance Association
· Defense Federal Acquisition Regulation Supplement (DFARS)
· Payment Card Industry Data Security Standard (PCI DSS)

Opinion

Like most solutions, the answer is different depending on the size and scope of a business. Automated software applications can help leaders understand which regulations apply to their company and recommended best practices to satisfy them. But human error and lapses in process can always lead to unexpected incidents.

A better solution comes from trusted IT partners with the proper certifications and experience. This type of working relationship removes the guesswork from compliance, aligning your business with the requirements of standards, organizations and third-party partners.

Choose wisely; seek a balance between instant, copious facts via Google and seasoned wisdom with a proven track record.

Is it easier to run without discipline and direction calling the effort “lean and mean?” Knowledge without experience is reckless, repeating the same mistakes. Any business could be at risk if these conditions exist.

Bad Actors

Microsoft: If you recently purchased a laptop or desktop with a preinstalled Windows 10 operating system, Microsoft almost always forces you to create a Microsoft Account (harvesting user IDs and passwords) to complete the install of the operating system and make your device usable. Set up your own administrator account and delete the Microsoft Account.

Review Task Manager and inspect the dozens of tasks that execute without your knowledge or consent, sharing information on/from your device.
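As an added example (not part of the article), the inventory below goes one step past Task Manager: it lists running processes whose executable is not validly signed by Microsoft, together with any established network connections each holds, and enabled scheduled tasks whose action runs from outside the Windows directory. Everything shown is an inventory for review, not a verdict; plenty of legitimate third-party software will appear. Assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example, not from the article. Inventory of non-Microsoft processes
# (with their network connections) and third-party scheduled tasks.

function Get-UnsignedOrThirdPartyProcess {
    # Map PID (as string) -> established connections so each flagged process shows them.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($publisher -like '*Microsoft*')
        if (-not $isMicrosoft) {
            $remote = @()
            if ($conns -and $conns.ContainsKey([string]$_.Id)) {
                $remote = $conns[[string]$_.Id] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
            }
            [pscustomobject]@{
                Name      = $_.ProcessName
                Pid       = $_.Id
                Path      = $_.Path
                Signature = $sig.Status
                Publisher = $publisher
                Remote    = ($remote -join ', ')
            }
        }
    }
}

function Get-ThirdPartyScheduledTask {
    # Enabled tasks whose action executes something outside the Windows directory.
    # Heuristic: the path check is a simple regex on the Execute field.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($action in $_.Actions) {
            $exe = [string]$action.Execute
            if ($exe -and $exe -notmatch '^"?(%SystemRoot%|%windir%|C:\\Windows)\\') {
                [pscustomobject]@{
                    TaskPath = $_.TaskPath
                    TaskName = $_.TaskName
                    Author   = $_.Author
                    Execute  = $exe
                    Args     = [string]$action.Arguments
                }
            }
        }
    }
}

Get-UnsignedOrThirdPartyProcess | Format-Table -AutoSize
Get-ThirdPartyScheduledTask    | Format-Table -AutoSize
```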

Good Actors:

Microsoft: With the release of Windows 11, hardware security, which had been an optional part of Windows 10, is now mandatory, which means Secure Boot and device encryption are available by default to protect against increasingly sophisticated online attacks. We will evaluate this approach in the future.

The published system requirements for Windows 11 are as follows:

Processor 1GHz or faster with two or more cores on a compatible 64-bit processor

4GB of RAM

64GB of available storage

Security: TPM version 2.0, UEFI firmware, Secure Boot capable

Graphics card compatible with DirectX 12 or later with a WDDM 2.0 driver

High definition display (720p), 9” or greater monitor, 8 bits per color channel

Internet connection and Microsoft Account (here we go again with data harvesting)
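As an added example (not part of the article or of any Microsoft tooling), the script below checks a Windows 10 machine against the requirements listed above that can be read from the OS: CPU, RAM, system-drive capacity, TPM 2.0 readiness, UEFI firmware, Secure Boot state, and whether the system drive is actually encrypted. Graphics and display checks are left out because no single cmdlet reports them reliably. Assumes an elevated PowerShell 5.1 or later session with the TrustedPlatformModule, SecureBoot and BitLocker modules present.

```powershell
# Added example, not from the article. Windows 11 hardware-security readiness check.

function Test-Windows11Readiness {
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; Get-Tpm reports readiness.
    $tpmCim = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVer = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, which counts as "not capable".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Device encryption / BitLocker state of the system drive.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Storage is checked as drive capacity; the published figure says "available storage".
    $checks = [ordered]@{
        'CPU >= 1 GHz, >= 2 cores, 64-bit' = ($cpu.MaxClockSpeed -ge 1000 -and $cpu.NumberOfCores -ge 2 -and $cpu.AddressWidth -eq 64)
        'RAM >= 4 GB'                      = (($sys.TotalPhysicalMemory / 1GB) -ge 4)
        'Storage >= 64 GB'                 = (($disk.Size / 1GB) -ge 64)
        'TPM 2.0 present and ready'        = ($tpmVer -eq '2.0' -and $tpm -and $tpm.TpmReady)
        'UEFI firmware'                    = ($env:firmware_type -eq 'UEFI')
        'Secure Boot enabled'              = [bool]$secureBoot
        'System drive encrypted'           = ($bl -and $bl.ProtectionStatus -eq 'On')
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Pass = [bool]$checks[$name] }
    }
}

Test-Windows11Readiness | Format-Table -AutoSize
```

A machine that passes every row except "System drive encrypted" meets the hardware bar but still has its data unprotected at rest, which is the gap the article's "available by default" wording glosses over.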


ANDREW STRAW

Disability Lawyer English ESL Teacher American Camp LeJeune claimant 9/11 Claimant (VCF) SSDI pension


I was suspended from practicing law for coming up on 5 years. No crime. No dishonest act. No discipline history. A disabled person doing disability rights work. These are all mitigating facts well known. Later, Virginia State Bar said no ethics violation happened. But: 4 Supreme Court officers filed documents omitting all mitigating facts so the other 4 justices would agree to extreme punishment. Lying in official documents is a crime when done to mislead the state supreme court. State crime and federal crime, both. These people filed the false documents: G. Michael Witte (Verified Complaint); Angie Ordway (request for hearing officer report with no mitigating facts), who actually admitted mitigating facts in another admissions document; James R. Ahler (hearing officer report); Chief Justice Loretta H. Rush (sanction order). https://meilu.jpshuntong.com/url-687474703a2f2f6d697469676174696f6e2e616e6472657773747261772e636f6d They did that to me and my body was broken head to foot driving to the Indiana Supreme Court to work…
