Our CEO Andy Lunsford was recently interviewed by Authority Magazine. While we have captured highlights from Andy’s thoughts from their conversation, you can read everything he and author Jason Remillard talked about in their conversation, also at Thrive Global.
Three things to love about cybersecurity
I love the dynamic nature of the cybersecurity industry. I consider myself a lifelong learner and everything in the cybersecurity and privacy world changes rapidly. The best technology, strategies, and solutions today are quickly outdated. In order to stay current in cybersecurity, you need to be willing to learn new things every day. That pace of learning energizes me and makes me excited to go to work.
I love the creative and strategic problem solving required to be successful in the cybersecurity industry. Cybersecurity often feels like a big game of strategy. Everyone is working with limited resources and trying to think two steps ahead of the adversary. Strategic problem solving is one of my biggest strengths and favorite activities. By working in cybersecurity, I am able to use that part of my brain every day.
Need help with an incident response strategy?
Leverage the BreachRx platform to build an actionable incident response plan today!
I love that solving problems in cybersecurity has real and meaningful impact on people’s lives. Many people spend the majority of their waking hours engaging in professional and personal activities online. The connectivity that is possible today is incredible, but due to our reliance on technology and the connectivity it affords, the business risks and personal risks that come from data breaches increase all the time. It is extremely gratifying to work on solving problems that can benefit so many people.
Critical threats on the horizon to start preparing for
In the very near term, I expect to see a continual increase in nation state sophistication, new adversarial entrants, as well as criminals continuing to accelerate their use of ever more sophisticated ransomware attacks on companies of all sizes. I expect soon we’ll begin to see the deep fake threat being actively applied beyond disinformation — for example, being used by criminals to target executives with more realistic attacks to steal corporate funds.
The most important things to do after a breach to protect their customers
The steps a company should take are very situational to the type of attack, the severity, and the type of business. For example, a ransomware attack for a B2B Fintech company will require a very different response than a string of account take overs for a B2C retail company.
That being said, there are a few general principles that tend to hold true.
- Prepare for these events because they happen to businesses of all sizes. Ideally you have a solution like BreachRx in place that will automate many aspects of the breach response work. Not only will you save your organization time and avoid potential fines, but it will drive down the costs for outside counsel and consultants.
- If you don’t have a robust system in place, call an experienced outside counsel to oversee and guide the response. Most breaches lead to litigation and it is important to that you can utilize attorney-client privilege as soon as possible.
- Do not wipe any of the machines or restore them until a forensic image of each machine impacted has been taken. Preserving evidence is vital at this stage, so that you can fully understand the size and scope of the event. By wiping the machines, you may not realize that the attacker is still on your network in other places and it is much harder to go after the attacker without evidence that you can prove was preserved properly.
- Call the authorities. The FBI and other law enforcement agencies have seen and assisted with countless cyber attacks. Your company might be one of a string of related attacks and sometimes the authorities can provide valuable information to minimize the consequences.
- Beware that paying a ransomware demand may get you in more trouble. Look what happened to Uber, and the US Department of Treasury recently warned that paying ransoms may result in potential sanctions.
How recent regulations affect businesses
Regulations like GDPR and CCPA were part of the driver for creating BreachRx. Over and over again, I’ve seen companies suffer through the consequences of a data breach and these regulations have only intensified the pain. I often describe the scenario organizations find themselves in as one where they are double victims. Not only will a company suffer the direct damage from the loss and recovery of an attack, but because of these regulations, the organizations also face fines and litigation.
To put this into context, think about a scenario where a burglar breaks into your home and steals valuable items from you. In the aftermath, not only do you have to fix anything that was broken and replace your valuables, but what if the government fined you for the intrusion and you were sued by your neighbors? More and more it seems that governments and the general public view data breaches in the same vein that they view fraud. Thus, it is imperative that organizations actively prepare for these events and put systems in place to meet the requirements.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Taking shortcuts companies think are temporary to accelerate some effort or deciding to wait and bolt on security in the later stages of something they’re doing or building. Taking this approach will typically take far longer than taking a bit more time and a few steps up front to plan and then do things right. Also, adding it later makes it far more difficult to ensure security is properly put into place in the end.
The key things a company can do proactively
Use Multi-Factor Authentication (MFA) whenever possible
As we’ve seen over and over again, breaches are inevitable and usernames and passwords are regularly exposed. Everyone has so many accounts these days that people often rely on one or a handful of passwords for their accounts. As I mentioned previously, password managers like Bitwarden and Keepass and third-party identity providers can help you track and maintain more complex passwords, but putting MFA in place makes it that much harder for someone to gain access to your accounts.
Privacy by Design should be the default starting point for any product or process
Every state in the US and almost every country in the world has its own data privacy regulation. It is no longer the case that companies can get away with burying their head in the sand when it comes to privacy considerations. Most organizations find that taking privacy considerations into account in the earliest stages is far easier than attempting to bolt on those considerations after the fact. While the framework is a little dated, Ann Cavoukian’s 7 foundational principles are a great starting point.
Data Inventory and Data Mapping, before you face a privacy or security incident
Just as fundamental as the architectural diagrams you build for your tech stack, it is vitally important that your company knows the who, what, when, where, why, and how of the data’s collection, use, storage, movement, and deletion. Regulations like GDPR and CCPA now require companies to respond to consumer requests to identify the information the companies have collected and be able to delete the data if requested. If your company doesn’t have a full picture of the data it holds, meeting these requests can be a huge chore and potentially result in fines if the requests are not met in a timely or complete fashion.
Privacy policies should be unique to each company
It might be tempting to simply copy and paste a policy from another company, but it is important that the policy your company puts in place is truly representative of how your company handles personal data and equally important that the policy is updated as your company’s practices evolve. Outwardly demonstrating to customers that you care about privacy is a competitive advantage, and it all starts with a good and tailored privacy policy.
Use technology to get proactively ready for the inevitable incidents ahead
It is not enough to simply plan to call outside counsel after a cyber attack or privacy incident occurs. Many of the breach notification regulations have short timelines — for example, GDPR requires notification in 72 hours. These timelines are so short that it is often hard to get outside law firms and consultants up to speed fast enough to meet these tight deadlines.
Prior to experiencing an incident, your team should put technology in place, like BreachRx, that takes into account the regulations that apply to your company, all the contractual obligations, and any internal and external policies that create response expectations. It is important that the technology you put in place is dynamic enough to keep up with the pace of the ever-evolving privacy and cybersecurity needs your company will face.
BreachRx, the company and SaaS platform
At BreachRx, we are transforming the crisis of privacy and cybersecurity incident response into a routine business process. Unfortunately, it is inevitable that privacy incidents and data breaches will happen to all companies no matter what technology they put in place. The regulatory and contractual requirements companies face when they experience these incidents is intense. Customers and regulators demand more speed and more transparency than ever before when it comes to managing these incidents.
We’ve created a platform that automates the workflows for companies, so these events are less disruptive. Not only does this drive down the costs for the companies using our platform, but it ultimately benefits the consumers whose information may have been impacted by an event. If companies can handle these events faster, customers will be able to take measures to protect themselves more quickly.
Take the risk out of your breach response
Automate your incident response today