The Expert's View with Ronald Raether

Breach Prevention: Beyond Technology

How Security Pros Can Address the Human Factor

Too many organizations fail to adequately address data security issues until after a breach occurs. But even those that proactively address data security may only be dealing with a part of the solution.


From my geek perspective, I have to admit it is more interesting to talk about firewalls, router security, mobile device management, encryption and the like. But technical security is not enough. Companies need to address the weakest link in almost any security scheme - the human factor.

Think of it this way: What if you built the most secure home in the world, but then provided criminals the schematics, keys and keypad codes? That's exactly what companies are doing if they fail to draft clear policies, provide proper training and perform testing and audits.

Acknowledge the Risks

Denial is a pervasive sentiment in data security. Many organizations think they will never be the target of an attack or doubt that their employees would ever willingly give up the keys to the kingdom.

One of my good friends does security testing for major companies, including a nuclear facility. He explained to me that he was once able to gain access to the plant's schematics by pretending to be a computer service technician, bypassing security protocols all the way from the front door to the passwords on the head engineer's computer terminal. But this anecdote is not unique, nor is it limited to the context of third-party testing.

Many data breaches start with some form of human error. The top attack vectors remain non-technical, such as abuse of system access or privileges, use of stolen credentials, social engineering, bribery, embezzlement or skimming.

For example, spear phishing has long been a favorite of hackers. You've probably been a target - that e-mail that says you won a prize, have a security issue that needs to be resolved or are the subject of a Better Business Bureau complaint and need to respond. Once you click on the link, malware is loaded onto your computer and the hacker now has access to whatever the user can access. This type of attack was apparently the cause of the massive breach at the South Carolina Department of Revenue.

Proper Policies

Given the commonality of these and similar attacks, why would anyone spend the money on building a secure house only to give the keys away? But that is precisely what happens when companies fail to have the proper policies - as well as sufficient training, auditing and testing - in place.

The place to start is having the proper policies. The list can be long, depending on the complexity of the company's systems.

Whether in a single document or as separate policies, systems users should be instructed on recruiting and hiring; acceptable use; social media; remote access; termination; physical security; incident response and other issues. These policies will need to be tailored to the culture of the company.

A policy written in legalese won't help. We need employees to understand the instructions and guidance not only for later enforcement, but, more important, so that they can comply with them.

The clarity of the policies and related procedures is essential to day-to-day compliance. Sufficient training is important and a key factor of a sound compliance program.

All employees should be instructed on what is permitted and prohibited. Best practices - and warnings as to current threats - should be communicated regularly.

A virtual resource room should be established to address frequently asked questions and reaffirm updates on current trends and threats. Employees should be reminded that they are ultimately responsible and will be held accountable for any violations.

Making It Clear

It's essential that both the training and the policy be easily understood by employees.

In 2006, I wrote an article on what should be addressed in an incident response plan. These basic requirements have not changed over time and are in place at most organizations. One key component is making it clear who to contact in the event of a breach.

Recently, a client had a breach involving data it was handling for one of its customers. The sales representative discovered the breach and went directly to the customer. This may not seem like such a big deal. However, having an effective communication plan is essential to data breach response. By not following the protocols, we were forced to respond at the same time we were conducting the investigation.

Clearly, having a policy and training is not enough. The policies should be tested and audited.

In the above example, I know that the sales representative's intentions were good. I also know that he had forgotten about the incident response plan and was not familiar with the details. Testing and auditing may have reminded him to access the virtual resource room or other materials that would have guided him on the company's policies for reporting an incident.

For other issues, such as spear phishing, social engineering toolkits and similar tools can aid in such testing. Ultimately, you may not stop the employee from clicking on the malicious link, so data access monitoring becomes essential.
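Data access monitoring of the kind just described, as an added example that is not part of the original column: it baselines each user's daily record-access counts from constructed log lines and flags a day that far exceeds that user's own history, the signal that appears when a phished account starts pulling data it does not normally touch. The log format, the thresholds and the user names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log, one line per user per day:
# "date,user,records_accessed" (the format is an assumption, not a real product's log)
SAMPLE_LOG = """\
2013-03-01,jdoe,120
2013-03-02,jdoe,135
2013-03-03,jdoe,110
2013-03-04,jdoe,125
2013-03-05,jdoe,4800
2013-03-01,asmith,40
2013-03-02,asmith,45
2013-03-03,asmith,50
2013-03-04,asmith,42
2013-03-05,asmith,47
2013-03-05,newhire,900
"""

def parse_log(text):
    """Return {user: [(date, records_accessed), ...]} in log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        date, user, count = line.split(",")
        per_user[user].append((date, int(count)))
    return per_user

def flag_anomalies(per_user, min_history=3, sigma=3.0, min_ratio=5.0):
    """Flag the latest day for a user when its count is both a z-score
    outlier against that user's own history and at least min_ratio times
    the user's mean. Users with too little history are returned separately,
    so a brand-new account is queued for review rather than silently passed."""
    alerts, needs_baseline = [], []
    for user, rows in per_user.items():
        history = [count for _, count in rows[:-1]]
        date, today = rows[-1]
        if len(history) < min_history:
            needs_baseline.append((user, date, today))
            continue
        mu, sd = mean(history), pstdev(history)
        if sd == 0:
            z = float("inf") if today > mu else 0.0   # constant history: any rise is extreme
        else:
            z = (today - mu) / sd
        if z >= sigma and today >= min_ratio * mu:
            alerts.append((user, date, today, round(mu, 1)))
    return alerts, needs_baseline
```

In the constructed sample, jdoe's 4,800 records on the last day is flagged against a baseline of about 122 per day, asmith's steady 40-50 is not, and newhire is reported as having no baseline yet.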

There is no magic pill to preventing all breaches or to mitigating the vulnerabilities presented by the human factor. However, ignoring the issue or thinking that this is not an issue for your company is not the answer.

When a breach occurs, regulators, plaintiff's counsel, the media and others will look to whether enough was done.

(Ronald Raether is a partner at the law firm Faruki Ireland & Cox P.L.L. in Dayton, Ohio, where he specializes in technology and privacy issues.)

About the Author

Ronald Raether

Partner at Troutman Pepper

Ron Raether leads the Cybersecurity, Information Governance and Privacy practice and is a partner in the Consumer Financial Services practice group at Troutman Pepper. Ron is known as the interpreter between businesses and information technology, and has assisted companies in navigating federal and state privacy laws for over twenty years. Ron's understanding of technology led him to be involved in legal issues that cross normal law firm boundaries, including experience with data security, data privacy, patent, antitrust, and licensing and contracts. This experience allows Ron to bring a fresh and creative perspective to data compliance issues with the knowledge and historical perspective of an industry veteran.

Ron's involvement in seminal data compliance and data use cases has helped define current standards in several areas of the law. He assisted one of the first companies required to provide notice of a data breach and has since successfully defended companies in hundreds of class actions and regulatory investigations. Ron represents clients in a broad range of technology and data privacy matters including data aggregation and analytics, mobile applications, de-identification/anonymization, including correlating data from multiple connected devices, "connected-things (IoT)," electronic crash- and consumer-reporting systems, and payment technologies. Ron also advises on pre- and post-incident compliance concerns ranging from the development of incident response plans and workflows, guiding clients through immediate forensic investigations, coordinating initial crisis management, which includes navigating clients through the maze of state and federal notification requirements, addressing post-incident aftermath, and responding to regulatory inquiries. Balancing privacy, cyber security and business functionality, Ron's approach to data governance is uniquely designed with the industry in mind as it adapts to the ever-evolving technological and legal landscape.
