"We believe social networking breaches will continue to make headlines," Lapidus says. "Most businesses haven't done a great job of defining protocol for their employees about what's acceptable and not acceptable to disclose concerning their jobs on social media sites."
Kroll has just released its 2011 Data Security Forecast, and in an exclusive interview about this study, Lapidus discusses:
- Top headlines from the forecast;
- Security gaps that organizations must fill;
- How organizations and individuals can best protect themselves from the top threats to data security.
Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. With an extensive background in organizational development, today he sets direction for the company's continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the many security gaps - physical, procedural and electronic - common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used. He oversees a highly-skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals' identities to pre-theft status.
TOM FIELD: Just to get us started, why don't you tell us a little bit about yourself, your role with Kroll, and your areas of expertise please?
BRIAN LAPIDUS: Sure. I lead Kroll's fraud solutions practice. We deal with data breach response and identity theft, helping consumers deal with the complications around identity theft. We work with both businesses and individuals.
Data Security ForecastFIELD: So Brian, Kroll has just released a 2011 data security forecast. What would you say are the major headlines of this study?
LAPIDUS: I think they are two-fold. I think the first one comes down to social networking. I believe social, we believe social networking breaches will continue to make headlines, and I think this for a couple of reasons. Number one, social networking is a really hot topic right now. You can't read the newspaper or turn on the news without stories around Facebook. All of these organizations are very prominent right now. Second, I think most businesses haven't done a great job of defining protocol for their employees around what is acceptable or not acceptable to disclose concerning their jobs on social media sites. And, finally, I think individual can key that perception that even though they are posting things on social media and social networking sites that that is somehow private. The reality is they are essentially placing a window on their world, allowing people to look right in and see everything that they are posting.
FIELD: So Brian, as you look at the forecast and the results, what surprised you?
LAPIDUS: I think the biggest surprise from my perspective had to do with a recent case, which -- the way it was positioned -- was the threat of future harm is sufficient in terms of a data breach. It's a huge reversal from previous court cases where the plaintiff had to show actual harm resulting directly from a breach.
I also would say that an additional surprise was the red flag rule finally came into being at the end of 2010, but with not so much fanfare. It just sort of happened.
Who's Most Vulnerable to Breaches?FIELD: When you look across public and private sector organization, do you see types of industries or organizations that are most vulnerable to data breaches?
LAPIDUS: When the intent is to actually breach an organization, I think those criminals are equal opportunity offenders. I think the organizations that probably are at the most risk are those that are transitioning to electronic record keeping. So, healthcare, healthcare, education, and probably even some in the utility space as well because there is that transition to electronic record keeping.
FIELD: From what you said about social media, I would surmise that any organization that is involved with social media, which is pretty much everyone, has got a vulnerability they might not be paying enough attention to?
LAPIDUS: Sure. I mean, an organization's biggest risk is right in their employee base, and what those employees decide to share from a social media perspective. The organization has a challenge of, again, putting the social media policies in place, and then making sure that the employee base follows them, and being able to monitor that protocol to make sure that they are doing what they are supposed to do based on policy. If you look at it in the concept of mobile phones, people have the ability to be on social media sites all day and not be on corporate hardware. It is just the challenge of social media and the mobile workforce. Really, this whole issue is compounded as it relates to data privacy and data breach.
Filling Security GapsFIELD: Well you make a great point. That would be among the security gaps the organizations face. So my question to you is: Where are the security gaps that organizations can fill most easily?
LAPIDUS: I think the first one that I would hit on is privacy training. You know we tell people all the time that privacy training for employees is the cornerstone of any good data security policy. I think it's the latest Ponemon study that 67% of survey organizations who experience a breach stated that they aim to prevent future breaches through training and awareness programs.
In addition, about 23% of the healthcare breaches reported to health and human services involve an unauthorized disclosure. So this concept of getting your employees to focus on understanding your organization's protocol and then taking that training enforcing it into their behavior and their natural norms organizationally is really a critical step that can be sold most easily.
I think the second one, from my perspective, is involving data minimization. I often talk about forcing organizations to go on a data diet. Really, making sure that they are only keeping the data that they need to run their business, I think historically businesses have thought "With data, comes power." So we have massive data and it has become less and less expensive to store that data, but really a business may not need it. So really to take the fitness advice and trimming down and going on a data diet is really a good exercise for businesses, because it helps reduces the security gap.
Effective TrainingFIELD: Brian, if I could ask you a follow-up question about the training. We hear that training and education are important. What is the difference between effective training and ineffective training?
LAPIDUS: From my perspective, the effective training has behavioral practice. You know, anybody can read a document and check a box. It takes putting things into practice. We have an organization that we are working with, and the training that they went through had a lot of practice and a lot of opportunities to put the things that were in the training to use. So what I saw that organization have is an entire employee base of risk managers. One of the policies that the organization had was -- nit was on open office space -- everybody had to lock their computer before they left their office. You had to control/alt/delete to lock your screen. And when people left their screens open, the office had printed up flags, so all the employees were flagging the desktop to make sure that if your neighbor didn't lock his screen, they were monitoring it themselves. So it became a part of their culture, which really had a positive effect on their own data security practices.
The Best DefenseFIELD: Brian, if you could boil it down, how can organizations and individuals best protect themselves from vulnerabilities?
LAPIDUS: Okay, let's kind of break it down in steps. I think the first one is run a risk assessment. Find out where your weak spots are and fix them. Know where your areas of vulnerability are. If you know you had issues with physical security in your office, handle it, right? But make that risk assessment a part of your organizational rigor. Make it apart of what you do as a management team to make sure that you're cognizant and constantly aware of what those vulnerabilities are.
That leads into sort of my second play which would be to be diligent. Employee trainings is really, really important, and I think I've probably beaten that over everyone's head a couple of times. But making sure that the training translates into employee action is critical and really, really key point in helping the organization protect itself.
Next, know the laws that apply to your organization, and make sure you've got your own legal counsel and outside counsel on legal issues you've got questions about.
Also, make sure that you know what you're going to do when you have an event. Unfortunately, for a lot of organizations it's going to be about what happens when you have an event, not if you have an event. So if you know how you are going to proceed when the event happens, it makes your organization handle it that much better. It reduces your overall risk both from a security and legal perspective, but also at the end of the day you want to make sure that your reputation and your customers are handled correctly and making sure that you have that program in place is critical.
2012 PredictionsFIELD: Brian, as we've sat here for the last few minutes, we've talked about social media. We've talked about the need for education and training. If you were to look ahead a year, I'm going to ask you for your predictions here. What do you think we'll be talking about when we look ahead to the 2012 data security forecast?
LAPIDUS: I'm far from a fortune teller, so these are really just sort of my opinions. I guess, it is a little bit of going out on a limb, but I think the big thing that is out there right now is this federal breach notification law. I think that will probably come into play in 2011, but I don't think we will know what that is going to mean for each state at this point. So I think it is something to be cognizant of in 2011, but I think we should probably talk next January and see what the implications are.