Rising enterprise costs under CCPA
The CCPA gives a consumer a private right of action if their personal information is exposed in a breach and the company is found not to have “implement[ed] and maintain[ed] reasonable security procedures and practices appropriate to the nature of the information.” (The statute, Cal. Civ. Code § 1798.150, covers breaches of non-encrypted and non-redacted personal information and allows statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.) A data breach will therefore not only cost consumer trust; it will carry heavy financial consequences. The typical cost of a cyberattack (including IT response, forensics and recovery, insurance and notification) already averages around $1.67 million. Companies now need to be prepared for the additional burden of litigation and settlement payouts on top of that.
While enterprises have been given a one-year exemption on some aspects, the CCPA states that once the full force of the regulation comes into play, consumers will have the right to make requests that reach back over the previous 12 months. Given that, and the significant time it takes to roll out new cybersecurity programs at scale, some organizations have already begun implementing the following practices.
Defending with zero trust
The complexity of proper data management and protection is increasing as global work structures continue to evolve. As systems become more interconnected and employee mobility continues to rise, data not only travels more frequently, it often lives outside the bounds of traditional, perimeter-based security. Models that worked well in the past, such as a network firewall drawing a line between a trusted inside and an untrusted outside, are no longer as effective at minimizing the risk of cyberattacks. Instead, organizations are turning to the concept of “zero trust” as the basis of their cybersecurity frameworks.
Traditional security models assume that everything inside an organization’s network can be trusted by default. A zero-trust model, on the other hand, treats network location as meaningless: every user, device, application and data flow, inside or outside the corporate network, is considered untrusted until it has been authenticated and explicitly authorized for the specific access it is requesting, and that decision is re-evaluated continuously rather than granted once at the perimeter. In practice this means abandoning implicit-trust defaults (flat networks, shared credentials, long-lived sessions), granting the least privilege each request actually needs, and continuously monitoring all network communications, users and systems. Zero trust draws on tools such as multi-factor authentication, end-to-end encryption, identity and access management, device posture checks, orchestration and other comprehensive permission and safeguard mechanisms.
Avoiding use of consumer technologies
While zero trust is a dynamic and holistic architecture that underpins cybersecurity processes, it is still important for businesses to evaluate every technology that may come into contact with consumer data for weaknesses. Under the CCPA, companies not only need to inform consumers about the personal data they collect and how it is used; they must also be able to account for every tool, third party or otherwise, in which that data is processed, including the tools used internally for collaboration. This is a much bigger issue than it may seem at the outset: teams often share documents using public cloud-based platforms like Google Docs, and they share data when communicating internally via email and messaging apps like WhatsApp, Slack, Microsoft Teams and others. Every one of these points of contact creates an inherent risk, especially if the technology in question lacks proper security controls.
The compromise of Jeff Bezos’ phone, reported in January 2020, is a prime example of how technologies that are not sanctioned by IT and security teams can expose an enterprise to attack. Bezos used WhatsApp, an app designed for personal use, on a phone that was also connected to corporate data and systems. The incident demonstrates two things: first, the ease with which a bad actor can reach company data through a single weak point, and second, the need to minimize shadow IT and enforce the use of tools built for enterprise security. It is worth being precise about what failed: WhatsApp’s end-to-end encryption was not broken. The malicious payload was delivered through the app and compromised the device itself, and end-to-end encryption protects messages in transit, not a compromised endpoint. That is why enterprises need to think beyond transport encryption to ensure proper protection. The episode also drew attention to the fact that messaging apps differ in how their encryption is designed, reviewed and deployed, which is one reason market-leading technology providers and experts are working together on an industry standard for messaging encryption (for example Messaging Layer Security, being standardized in the IETF). The shift extends beyond the enterprise into the government sector: the United Nations publicly announced that WhatsApp is banned for internal communications because it is “not supported as a secure mechanism.”
A common thread among the enterprise-grade tools that replace such apps is that end-to-end encryption is a baseline requirement, not a special feature. These tools often have the zero-trust ideology at their core, so they approach security holistically, from deployment (often on-premise) to cryptographic design. In particular, advanced tools provide forward secrecy: a fresh encryption key is derived for every message, file and call, and each key is discarded after use, so an attacker who later compromises a device or a long-term key cannot decrypt traffic captured earlier. A few examples of tools of this kind in use include Joiqu, PCloud, Smartsheet and Joplin.
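To make the forward-secrecy claim concrete, here is an added example (not code from any product named above) of a symmetric key chain in the style used by modern messengers: every message gets its own key derived from a chain key, the chain key is replaced by a one-way step, and the message key is dropped after use. The message encryption itself is a toy built from HMAC-SHA256 (a keystream plus an authentication tag) so the block runs on the Python standard library alone; real messengers use an authenticated cipher such as AES-GCM and add a public-key ratchet on top. The shared secret, message texts and the point at which the attacker captures the device state are all constructed for the demonstration.

```python
"""Per-message keys from a symmetric KDF chain (forward-secrecy demo).

Added example, not code from the page's author or from any product it
names. Encryption is a toy HMAC-SHA256 keystream + tag so that the block
runs with the standard library alone; use a real AEAD in production.
"""
import hashlib
import hmac
from typing import Optional


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive (message_key, next_chain_key) from the current chain key.

    HMAC is one-way, so whoever holds next_chain_key cannot recover
    chain_key, nor the message_key that was derived beside it.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC in counter mode as a PRF keystream (toy stand-in for a cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys split from the one-time message key."""
    enc_key = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(message_key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(message_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    enc_key = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(message_key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


class Chain:
    """Holds only the current chain key; each message key is used once and dropped."""

    def __init__(self, shared_secret: bytes) -> None:
        self.chain_key = shared_secret

    def next_key(self) -> bytes:
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return message_key


def attacker_decrypts(captured_chain_key: bytes, ciphertexts: list[bytes],
                      max_steps: int = 16) -> list[int]:
    """Indices of ciphertexts an attacker holding a captured chain key can open.

    The attacker can only ratchet forward. Messages sent before the capture
    stay sealed: their keys came from chain states that no longer exist.
    """
    opened = []
    ck = captured_chain_key
    for _ in range(max_steps):
        mk, ck = ratchet_step(ck)
        opened.extend(i for i, blob in enumerate(ciphertexts) if decrypt(mk, blob) is not None)
    return sorted(opened)


def demo(shared_secret: bytes = bytes(32)) -> dict:
    """Constructed conversation: device state is captured after message 2."""
    # The shared secret would come from an authenticated key agreement,
    # which this example does not model.
    messages = [b"Q3 forecast attached", b"customer export: 12,004 rows", b"call at 4pm"]
    alice, bob = Chain(shared_secret), Chain(shared_secret)  # receiver ratchets in lockstep
    ciphertexts = [encrypt(alice.next_key(), m) for m in messages[:2]]
    captured = alice.chain_key            # attacker images the phone here
    ciphertexts.append(encrypt(alice.next_key(), messages[2]))
    received = [decrypt(bob.next_key(), c) for c in ciphertexts]
    return {"received": received, "opened_by_attacker": attacker_decrypts(captured, ciphertexts)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legitimate receiver recovering all three messages, while the attacker who captured the chain state after message 2 can open only message 3 (index 2): the keys for messages 1 and 2 were derived from earlier chain states and discarded, so they are unrecoverable even with the device state in hand. This is exactly the property the Bezos incident underlines the limits of: it bounds what a later compromise reveals about past traffic, but it does nothing for messages that are read on an already-compromised device.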
Investing in cyber insurance…