Why the Old Way Isn’t Working for Information Security

As organizations seek ways to solve the security problems inherent in many of their business partnerships, they require a flexible and collaborative system tailored to different user experiences and needs that is accessible by all parties, integrating their separate data-gathering and sharing efforts within a core risk management system.

Unfortunately, many companies are unsure how to approach this, and end up relying on legacy governance, risk management, and compliance (GRC) solutions or, even worse, using spreadsheets and email to track and maintain their risk assessments and third-party relationships.

Manual processes, spreadsheets, and email are not a scalable or sustainable model for managing third-party risks for many reasons. Increased spending with third parties, new and stricter privacy legislation, and a heightened media focus on information security breaches increase the levels of risk a business faces when entering third-party relationships as well as the risks resulting from inconsistent or error-prone assessment processes.

Companies are spending more money, and are relying more heavily, on third parties to manage crucial areas of their business because it can reduce internal costs and cut down on internal hiring and training of full-time employees.

While there is added convenience in sourcing a business process service to a third party, companies must also pay attention to how third parties protect and store sensitive data as well as address their own risk and compliance obligations.

Companies must also consider the General Data Protection Regulation (GDPR), which took effect in the European Union on May 25, 2018 and consolidated all privacy laws into one regulation. GDPR has expanded the privacy rights of individuals in every EU country and has put much stricter rules around how organizations handle the personal data of their customers and employees.

GDPR enforcement applies not only to countries in the EU but to every company that does business there where EU citizen data is stored or processed.

The broad nature of GDPR makes it even more evident just how much emphasis people around the globe place on their privacy. The result is an increased obligation a company has to ensure that privacy for its employees and customers — which includes a thorough vetting of all third-party relationships.

What’s more, regulations that resemble GDPR are being adopted elsewhere. In California, the Consumer Privacy Act was signed into law in June, and will go into effect in 2020, giving residents of the state much more control over their data.

The media attention paid to data breaches can be intense and highly critical. Journalists pay close attention to how and why such incidents occurred, and what could have been done better by the compromised company.

If an organization has not done its due diligence to protect consumer data by assessing the risks associated with its partners, that will become a key point of the news coverage and can permanently damage the company’s brand and consumer confidence.

Learn more about how Fusion can help with GDPR and other regulations by visiting our data protection page.

How to Secure Your Information from Data Breaches

Every week it seems there is another article about a company suffering a data breach, from Facebook to Google to Equifax.

As the world becomes more connected and businesses collect data at an increasingly rapid rate, hackers and cybercriminals are keeping pace with security protocols and consistently finding ways to get around them — sometimes almost as soon as they are implemented.

Data now is currency. In fact, many hackers would much rather steal consumer data than a finite sum of money.

While organizations must be in control of security and data protection obligations and practices, they must also be vigilant about how third-party service providers approach these crucial components.

The success of an organization depends on the security and resiliency of the third parties with which it partners and, often, shares data. If companies do not thoroughly vet these providers, the consequences can be dire.

In 2018, large-scale organizations have experienced damaging breaches that affected not only their bottom lines but also their reputations.

One such incident involved Saks Fifth Avenue and Lord & Taylor, when cybercriminals tapped into an unsecured point-of-sale system and stole more than 5 million customer credit card numbers.

In another instance, a chat and customer service vendor for Best Buy, Sears, Kmart, and Delta was hacked via malware, compromising credit card information, addresses, and other personal data of hundreds of thousands of customers.

These incidents and others like them have led to negative media attention and customer mistrust — two things any business must avoid at all costs.

In addition to damaging a business’s reputation, crimes like these are becoming more expensive as well, according to the 2018 Cost of a Data Breach study, conducted by the Ponemon Institute. The study reports the global average cost of a data breach rose 6.4% in 2017 to $3.86 million.

The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% year over year to $148. These costs may keep rising as data proliferates and the impact of a breach becomes more severe.

At Fusion, we can help you reduce the risk of cybersecurity issues, creating a secure information database. How can you avoid some of these cybersecurity issues and not become the next company? Check out how Fusion can help with your security issues.

Are You Prepared for the California Consumer Privacy Act?

On June 28, 2018, the California Consumer Privacy Act (CCPA) was passed and signed into law by California’s governor. Businesses that have ANY customers in California will have to comply with these new standards. The effective date of January 1, 2020 gives businesses that have customers in California a little over one year to prepare for these new standards.

The CCPA has many of the same principles as the EU’s famous General Data Protection Regulation. These include the right of consumers to know what data companies have on them and how that data is being used, the right to delete that data, and the obligation of the business to appropriately safeguard that data from a data breach.

Companies that underwent a GDPR program, and have implemented procedures and processes to meet this obligation continually, will be in excellent shape for the CCPA. However, many U.S.-based companies that thought they would not be impacted by GDPR are now in a position where complying with these privacy obligations is no longer optional. Now that CCPA is in the United States, and with California being the largest state, almost all businesses of scale have at least one customer in California. Additionally, other states are already starting the process of adding data privacy regulations, and it is likely that a federal law will be in place in the coming years.

These obligations are too important to handle outside standardized systems and processes. A scattered approach using email, spreadsheets, and documents is a surefire way to ensure that a company is not well-positioned to protect the privacy rights of data subjects. Additionally, these are not one-and-done assessments; they are continual obligations to ensure the privacy rights of data subjects.

Enterprises can ensure they meet these obligations, and any future privacy obligations, by investing in risk management systems to run their privacy programs. A system will provide the scalability, consistency, and security required to meet these ongoing obligations. Learn more about how Fusion can help you manage any privacy program with our combination of software and consulting services on our data protection regulations page.

7 Ways to Prepare Your Program for Cyber Attacks

A vital component of our nation’s critical infrastructure is the financial services sector, and risk management professionals in this industry understand the importance of protecting an organization against cyberattacks. Recent cyber disasters like the Equifax data breach serve as a sour reminder that it’s not enough to just respond; an organization must have a defined program to protect the business in the face of unrelenting hackers and attackers.

Risk management professionals can take the following proactive steps to protect their organizations and ensure an effective business response when cyber crises strike:

1. Establish a baseline

Before building a cyber-crisis plan, the organization must define the levels of acceptable — and unacceptable — risk for operational disruption in each area of the company, and identify the strategies and investments needed to achieve and maintain tolerable levels. While data protection requirements are absolute, a balancing act between operational resilience and tolerable service outages or business downtime is necessary; vulnerabilities and threats are endless, but the funds to address them are not.

2. Align risk management resources

Cyber-crisis plans need to be developed and maintained in alignment with the requirements and cadence of the organization’s business continuity and disaster recovery programs. A comprehensive approach to an overall program enables risk management professionals to work in tandem with IT, security and business continuity teams to ensure all parties have the same understanding of the cyber-crisis plan, and that it has been well tested and shows readiness and maturity. Such capabilities come only by starting with well-aligned resources and a comprehensive approach.

3. Review current policies, processes and tools

The goal is to understand current capabilities from an operational perspective: if a cyber-threat occurs, how are business operations impacted? A thorough process includes determining whether there is an end-to-end system in place to ensure the protection of all identified data assets.

What gaps have been identified in technologies, facilities, third parties, processes and people? How do they impact prevention, response and recovery? Does the cyber-crisis plan address all the major types of cyber vulnerabilities, with an understanding of the potential outage durations and recovery time objectives? While business continuity and IT disaster recovery plans address business impact, cyber threats represent very different types of disruptions than have typically been considered in traditional plans.

4. Build the plan

A plan should establish a management methodology for how all employees conduct themselves during a cyber crisis. Establish when and how to create a command center to respond to the crisis on a reactive level, with IT physically working to secure information and back up data — but don’t forget about the communications aspect of the plan.

In compliance with regulatory requirements, and as a good business practice, there must be defined processes to notify employees and stakeholders — as well as customers and external entities — of a disruption, outage or breach. One of the toughest — but most important — aspects of a cyber event revolves around (1) who alerts customers; (2) who speaks to the media; (3) who works with authorities; and (4) when each of these activities should happen. Response times and the messaging can impact the business more than the actual event.

5. Design different response and recovery plans for different scenarios

It’s crucial to understand the scope, preparation and identification of the various types of issues that can occur. An organization must effectively orchestrate its response based on each scenario, assigning specific actions to specific individuals as the situation requires.

In the financial sector, three main events to plan for include ransomware attacks, data corruption and data breaches/information theft. All of these scenarios require specific procedures and steps to ensure the proper response — and a swift recovery — for customers and stakeholders, the business and the brand.

6. Ensure validation by testing, testing, testing

It’s not enough to have a plan on paper; an organization must establish and continuously maintain capabilities to ensure an effective response, and the way to do that is to test it.

Plan tabletop exercises to ensure people are ready, putting responsible teams and individuals in a room and testing their ability to react to various scenarios. Exercise multiple plans under given scenarios to ensure disparate groups will work together in a coordinated response. Run simulations to fully exercise the crisis command center with all of the plans and associated groups involved.

Moreover, consider coordinating recurring cyber-security awareness training for your organization with these tabletops, exercises and simulations.

7. Establish governance

A cyber-crisis plan is not solely IT’s responsibility. To guarantee that people are well prepared when called upon to act, and to ensure an effective response within tolerable levels of risk and business impact, risk management professionals must establish and maintain a comprehensive program across all affected business areas.

Cyber risk management is not an optional activity. It is a critical area that needs to be planned for, governed and exercised — and must be one part of an organization’s overall risk management strategy.