Get Physical (Set Physical Controls)

This is the fifth and final post in a blog series in honor of National Cybersecurity Awareness Month. 

Cybersecurity might seem like technical stuff, but don’t overlook the role of physical vulnerabilities in security incidents.  The 2018 Verizon Data Breach Investigations Report found that 11% of breaches involved physical actions.  The 2016 Verizon Data Breach Investigations Report identified physical theft or loss as the third most common type of security incident. 

Even more disturbing is a 2016 study that found that most people have no qualms about connecting unknown devices – which could contain malicious software – to their computers.  The researchers dropped unidentified USB drives around the campus of the University of Illinois.  Approximately 98% of the drives were removed from their drop-off location; 45% of those who took a USB drive opened at least one file on it.  All it takes is one curious but unwitting employee to introduce an attack vector into your IT system!

Physical security should be part of any cybersecurity program.  Here are some physical safeguards to consider adopting:

  • Secure your servers and other storage devices – Any area that houses data storage media needs to be secured.  That means locking doors or installing other access control devices like biometric scanners.
  • Surveillance cameras – Install closed-circuit surveillance cameras in areas where critical IT infrastructure or data are located.  If a physical breach ever occurs in the area, the camera recordings can help you identify the perpetrators.
  • Mind the trash – Paper records containing sensitive information should be disposed of properly, such as by shredding.  Be careful not to leave material awaiting shredding out in the open, where passersby could see or even steal it.
  • Prohibit unapproved devices – Adopt and enforce a policy against connecting unapproved devices, such as USB drives, external hard drives, smartphones, and tablets, to the organization’s hardware.
  • Mitigate consequences of lost or stolen devices – Lost or stolen laptops and mobile devices are a common occurrence.  Having a contingency plan against this security risk is a must.  Installing mobile device management (MDM) software on devices that carry company data can help.  MDM software can help you remotely locate, lock down, or even delete data from lost or stolen devices.
  • Encrypt your data – This is a repeat of Tip #1, but its importance can’t be overemphasized.  Encrypting data on a device makes it unintelligible to anyone without the encryption key even if they improperly gain control over the device.

And that rounds out our series of practical cybersecurity tips for small businesses.  We hope you’ve picked up a few ideas to keep your data safe!

Stand Guard (Control Access)

This is the fourth in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Cybersecurity attacks might conjure up images of hackers in hoodies clacking away in the shadows, but did you know that your own employees pose as great a security threat, if not a greater one?  According to CA Technologies’ 2018 Insider Threat Report, 66% of the organizations surveyed consider malicious insider attacks or accidental breaches more likely than external attacks.  A 2018 Ponemon Institute report found that of the 3,269 insider incidents it evaluated, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from stolen credentials.  Findings like these raise the question: Does everyone in your organization really need access to all your data?

Probably not.  Employees should have the information they need to do their job, of course.  But granting unlimited access to information is dangerous.  Employees need not even have malicious intent to pose a threat.  If an employee’s credentials are compromised, all the data to which the employee has access rights is at risk. 

A similar risk applies to third-party contractors with access to company data (web developers, freelancers, bookkeepers, outsourced HR administration services, etc.).  Contractors should have no more access to information systems than necessary to perform their scope of work.  Some mistakenly believe a non-disclosure agreement is a substitute for limitations on access.  An NDA could provide you a remedy if a contractor misuses company information, but it isn’t as effective as access controls in preventing information from falling into the wrong hands.

Limiting access to data has another benefit.  If you want to claim that certain information is protected as a trade secret (note that trade secrets are often the subjects of NDAs), you’ll have to demonstrate that you took precautions to keep the information secret.  As an example, the definition of “trade secret” in Hawaii’s trade secret protection law requires a showing that the information at issue “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”  Similarly, technical limitations to access may be necessary to enforce claims under the Computer Fraud and Abuse Act (CFAA), as the Ninth Circuit Court of Appeals ruled in a recent decision.

Access controls should be one of the considerations in structuring and organizing your data systems.  A well thought out system segregates data so that granting access isn’t an all-or-nothing proposition.  “Internal gatekeeping” of data goes a long way toward preventing loss from cybersecurity incidents.

Sort It Out (Organize & Centralize)

This is the third in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws recognize that individuals have certain rights in data that organizations collect from them.  Compliance with such laws often requires the ability to respond quickly to requests to exercise privacy rights like the right to access and correct personal information, the right to have personal information deleted, and the right to limit usage of personal information.  Yesterday, we saw how data mapping facilitates regulatory compliance.  Today, we look at a related best practice: centralizing and organizing your data.

Data can live in many places within an organization.  Structuring your information systems – specifically, your data storage systems – to fit your business and compliance needs will help you exert control over your data.  The amount of control you have over your data affects your ability to handle the data to meet specific objectives.

Consider this scenario.  You’re a startup and you realize that encrypting personal data of customers would be a good idea (maybe you read our post about the value of encryption).  However, customer data is stored haphazardly throughout your organization.  Customer data mainly sits on your main server and your CRM vendor’s cloud server, but it’s also stored on local backup storage media and on laptops and mobile devices owned by your executives and a few key employees.  Customer data is also stored in different formats, including in your CRM vendor’s proprietary database and in spreadsheets.  Wouldn’t the encryption program be easier to implement if the customer data lived in only one or two databases?  Having an organized and streamlined data structure lays the foundation for executing information governance policies.

Here’s another hypothetical scenario.  A customer submits a request to access the personal data your business has collected about him because he wants to verify that your records accurately capture his middle initial.  The difficulty of responding to this request depends on the organization and complexity of your database and storage systems.

Certain privacy laws set deadlines on responding to requests to exercise privacy rights.  For example, the CCPA generally gives organizations 45 days to respond to privacy requests, with one 45-day extension allowed under certain conditions.  Organizing and centralizing data enhances your ability to respond to customer privacy requests within regulatory deadlines.

Below are a few considerations for exercising control over your data:

  • Be intentional in designing the architecture of your database and storage systems.  Take into account physical considerations (e.g., proximity and accessibility of storage/database sites, ability to physically restrict access) and non-physical considerations (e.g., speed of internet connection for cloud databases, interoperability of databases with software).
  • Give thought to the hierarchy of your databases.  Will you need to look in multiple folders to find certain categories of information, or is information stored in folders or subfolders organized by category or some other methodology?
  • Consider whether your organizational structure lends itself to segregation of certain data sets from others. For example, if your business has two operating units, is the data pertaining to one unit segregated from data for the second unit? Segregation makes it easier to impose limitations on access should you need to do so.
  • Minimize the number of places where you store data except as necessary to build redundancy for backup purposes.   
  • Make your data easily searchable.  There are various ways to do this, ranging in sophistication from adopting file-naming conventions to deploying document processing software with artificial intelligence technology.
  • Develop and enforce information governance policies such as restrictions on off-site data storage.

Keep Track (Take Inventory)

This is the second in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws require organizations to respect certain rights of individuals from whom they collect personal information.  Under privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), individuals have the right to access and correct the personal data that organizations collect from them, to require organizations to delete such collected data, and to limit the purposes for which the data may be used.  Organizations that do not honor these rights can face enforcement action, penalties, and lawsuits.

As a starting point to complying with laws like the GDPR and CCPA, businesses need to keep track of the data they have, now and in the future.  Taking inventory of data is an often overlooked step, but a very important one.

Suppose a customer submits a request to your business to delete all the data that you have collected from her.  Sound like a simple request?  Would you be able to readily identify all the locations where data about that customer is stored?  You might look in the typical data repositories – a central server, cloud accounts – but what about not-so-obvious places, like backup media, individual workstations, or removable media like thumb drives?  What about third-party vendors?

Knowing where your data lives is also essential to securing it against unauthorized access or cyberattacks.  Which security controls a business needs to implement depends on the kind of data in question and how it is stored.  For example, data access privileges should vary based on the needs of different users and the risk that such users will misuse or mishandle the data.  Different security controls are appropriate for data stored in the cloud versus data stored on a hard drive.  Evaluating the factors that affect which cybersecurity measures to implement is difficult if you don’t know what data you have or lose track of where it goes.

That’s why data mapping is a crucial component of a cybersecurity program.  Data mapping is the process of cataloguing the data that’s collected, how it’s used, where it’s stored, and where it goes.  A data map could be as simple as a spreadsheet or diagram, or it can be an extensive document created with special software.  The scope of your data map depends on the nature of your business and how you collect, use, and store data.

Most data maps should at least address the following subjects:

  1. What data you collect – the types of data collected; the sources of collection; whether the data is sensitive
  2. Storage of data – where the data is stored; the formats in which it is stored; how long it is stored; the custodians of stored data; and the conditions under which it is stored
  3. Usage of data – why the data is being collected; the purposes for which the data is used
  4. Flow of data – where the data moves after it is collected, both inside the organization and outside of it (third-party recipients); the protocols in place to protect data transfers

For a tool to help you get started with data mapping, check out the Data Protection Commission’s Self-Assessment Checklist.
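As an added illustration (not from this post, the Data Protection Commission, or any particular tool), here is a minimal data map in Python covering the four subjects listed above, with queries that answer the deletion-request question raised earlier in this post and flag sensitive data that sits in unencrypted stores or moves over unprotected channels.  The stores, assets, and protocols are constructed sample entries.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    name: str           # where the data is stored
    custodian: str      # who is responsible for the store
    encrypted: bool     # encrypted at rest?
    third_party: bool = False   # held by an outside vendor?


@dataclass(frozen=True)
class Asset:
    name: str                       # what data is collected
    source: str                     # where it is collected from
    sensitive: bool                 # personal / sensitive information?
    purposes: tuple[str, ...]       # why it is collected and used
    stores: tuple[str, ...]         # names of Store entries holding it
    transfers: tuple[tuple[str, str, str], ...] = ()  # (from, to, protocol)


# Constructed sample inventory for a hypothetical small business.
STORES = {s.name: s for s in (
    Store("central-server", "IT admin", encrypted=True),
    Store("crm-cloud", "CRM vendor", encrypted=True, third_party=True),
    Store("backup-tapes", "office manager", encrypted=False),
    Store("exec-laptops", "executives", encrypted=False),
)}
ASSETS = (
    Asset("customer-contacts", "web signup form", True, ("billing", "marketing"),
          ("central-server", "crm-cloud", "exec-laptops"),
          (("central-server", "crm-cloud", "https"),
           ("central-server", "exec-laptops", "email"))),
    Asset("customer-payments", "checkout", True, ("billing",),
          ("central-server", "backup-tapes"),
          (("central-server", "backup-tapes", "offline-media"),)),
    Asset("web-analytics", "site logs", False, ("analytics",), ("central-server",)),
)
PROTECTED_PROTOCOLS = {"https", "sftp", "tls"}   # assumed acceptable transfer channels


def locations_for(asset_name: str) -> list[str]:
    """Every store to search when handling a deletion or access request."""
    return sorted(s for a in ASSETS if a.name == asset_name for s in a.stores)


def encryption_gaps() -> list[tuple[str, str]]:
    """(asset, store) pairs where sensitive data is stored unencrypted."""
    return sorted((a.name, s) for a in ASSETS if a.sensitive
                  for s in a.stores if not STORES[s].encrypted)


def unprotected_transfers() -> list[tuple[str, str, str]]:
    """Sensitive-data flows whose protocol is not in PROTECTED_PROTOCOLS."""
    return [(a.name, src, dst) for a in ASSETS if a.sensitive
            for src, dst, proto in a.transfers if proto not in PROTECTED_PROTOCOLS]
```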

Lock It Up (Encrypt)

In honor of National Cybersecurity Awareness Month, we’re sharing our top practical tips for small businesses to keep their data secure.  Tip #1 is encryption.  The National Institute of Standards and Technology (NIST) defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.”  In plain terms, encryption is the process of securing data by using a digital lock and key. 

The premise behind encryption is pretty simple.  If you want to keep private papers from prying eyes, how would you do it?  You could put the papers in a safe.  Only someone who knows the combination to the safe can open it and access the papers inside.  Encryption does the same thing to data, except using digital methods.  Encryption essentially “locks” data by scrambling it so it becomes unintelligible to anyone who doesn’t have the “key” necessary to unscramble it.  The idea is that scrambled data is useless to anyone who can’t unscramble it.  It doesn’t matter if the encrypted data falls into the hands of a hacker or is released to the public due to a data security breach.  Data that looks like gibberish isn’t very useful.

Understanding this principle is the key to minimizing legal liability under data privacy laws.  Take Hawaii’s data breach notification law, for example.  The breach notification requirements of Hawaii Revised Statutes chapter 487N-2 apply when a “security breach” has occurred.  The term “security breach” refers to “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.”  Did you catch the reference to “unencrypted” records?  If the data acquired in a breach incident is encrypted, then a “security breach” did not happen for purposes of HRS 487N-2, and compliance with the breach notification requirements of the statute is unnecessary.

The California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020 is another example.  A business can be sued by a consumer whose “nonencrypted or nonredacted personal information” is subject to unauthorized access and is copied, transferred, stolen, or disclosed due to the business’s failure to use reasonable security procedures.   Want to reduce exposure to private lawsuits under the CCPA?  Encrypt consumer data.

The General Data Protection Regulation (GDPR) isn’t quite as black-and-white in carving out liability for encrypted data, but the law certainly incentivizes encryption.  For example, Article 34 of the GDPR provides a safe harbor from the data breach notification requirements where “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”  (Emphasis added.)  While encryption won’t guarantee exemption from the GDPR’s data breach notification requirements, failure to encrypt data almost certainly would trigger the requirements.

It should be fairly obvious by now that encrypting sensitive data is a highly recommended, if not mandatory, cybersecurity measure.  How encryption fits into your cybersecurity program depends on your organization’s IT system, the type of data at issue, operational needs, and cost, among other factors.  Encryption can be deployed at different stages of the data lifecycle.  Encryption can also be paired with other data security practices such as pseudonymization and anonymization.  Consult a cybersecurity expert and privacy lawyer to determine how best to use encryption to secure your data and minimize legal liability.