This week’s coverage includes news about recent breaches — including the IRS, GameStop and UK payday loan company Wonga — plus upcoming GDPR legislation, the legal and ethical implications of ransomware attacks, and assembling the right risk management team to deal with insider threats…
Breaches continue to make the news, and last week was no exception. Notable recent incidents include a possible breach at GameStop, an incident at the IRS involving its Data Retrieval Tool, which feeds the Free Application for Federal Student Aid (FAFSA), and a breach at British payday loan company Wonga. We’ll start our dissection of this week’s top security stories with a look at what happened at Wonga and how it relates to the upcoming GDPR legislation.
Bring on GDPR: Wonga blunders in data breach
Wonga told some 270,000 of its customers that there “may have been illegal and unauthorized access to personal data.” The notifications only began after roughly a week of delays, and the information and advice customers received was inconsistent. Richard Henderson, Absolute’s global security strategist, discussed the notification issues with SC Magazine:
“With so many brands being breached so frequently, consumers need more stringent controls and protection in terms of detection and notification so that organisations start to take this threat seriously.”
“With enforcement just over a year away, it really is disappointing to see organisations continuing to fail. These regulations will hopefully see security efforts tightened everywhere to ensure that every vulnerability is locked down, businesses have full insight into who holds their sensitive data and that it is protected no matter where it resides.”
As Richard noted in a follow-up with Real Business, “it’s the next steps that will make or break a company,” underscoring the importance of real-time detection, remediation capabilities and breach response plans in minimizing the impact of a data breach.
Legal and Ethical Implications of Ransomware
We’ve taken part in many ongoing discussions about the growing threat of ransomware. Absolute’s Richard Henderson recently contributed an article to IT Pro Portal on the legal and ethical implications of ransomware. The article covers a long list of legal and ethical questions raised by passing ransomware along to others, whether unintentionally or intentionally, which essentially amounts to a new form of extortion. Richard also offers some real-life examples of how ransomware could be passed along to others.
The post also examines the legal exposure under the Computer Fraud and Abuse Act (CFAA) in the U.S. and the Computer Misuse Act in the UK. The bottom line, as Richard puts it, is to invest the time in preventing ransomware rather than dealing with it after the fact:
“Ransomware isn’t going away because people who get hit continue to pay. So, don’t be one of those people who gets hit.”
Detecting Insider Threats is Easier Than You Think
Insider threats remain a top source of risk to businesses and have accounted for some of the most serious data breaches of the past year. As an article in CSO Online pointed out, the phrase “insider threat” still conjures up an employee of the company, but the actual intruder may be someone else entirely, using the insider merely as a means to an end. The question is how to detect and deter the insider threat.
The article goes on to talk about user access, monitoring technologies, governance practices, and awareness training. Jo-Ann Smith, Absolute’s director of technology risk management and risk privacy, also talked about the importance of regularly updating insider risk management policies:
“Once in place, it’s then critical to create and maintain a risk register that both qualifies and quantifies risks for remediation, and subsequent mitigating steps. To demonstrate progress, the team should create KPIs, and then audit and report on risk levels to show status and improvement year over year.”
Absolute Next Week
Chris Covell, Absolute’s CIO, will be joining the Oregon chapter of InfraGard on April 27th for an in-depth discussion on a CIO’s perspective of the important role that information risk management plays in budgeting and executive decision-making.
Chris will explain how information security professionals can effectively connect and provide business value for executive teams, boards of directors and external stakeholders. Stay tuned for more insights from this event.
Want to stay on top of the latest developments? Join us on Twitter and LinkedIn for more insights and to continue the conversation. Questions? Comments? Topic suggestions? Email us at firstname.lastname@example.org.