Data means a lot of things to a lot of people. There’s “Big Data” where super computers analyze huge quantities of information from the far reaches of space. There’s “Personal Data” where Amazon wants to know if it should offer your favorite snack foods at a discount before your favorite sports team has a game. There’s “metadata” which is literally “data about data”. And there’s everybody’s favorite android, Lt. Cmdr Data.
Insurers, in particular, are a nexus for data. There is almost no part of your business that doesn’t rely on acquiring, storing, and analyzing it. In most cases, the data is of a sensitive financial, medical, or business-related nature.
With the implementation of the California Consumer Privacy Act (CCPA), increasing focus from regulatory bodies like the New York Department of Finance, and the ever-growing quantity of niche service providers, protecting the data passing through your organization becomes even more important and challenging. Nowhere is this more apparent than in the Verizon 2019 Data Breach Investigations Report: https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
Some key takeaways include:
- There were 2,013 confirmed data breaches in 2019. That’s 5.5 breaches EVERY day, and that’s only the ones we know about.
- C-level executives are twelve times more likely to be the target of a social attack.
- Financial gain is the most common driver of data breaches (71%), with the next highest motive being espionage (25%).
- Despite the strides made by security vendors, ransomware is so common that it is unlikely to be mentioned in the media unless the target is high-profile.
- Poor security hygiene (basic blocking-and-tackling) is still responsible for more security incidents and breaches than explicitly targeted attacks against a person or institution.
Where does that leave executive management, who are ultimately responsible for being good stewards of their clients’ and customers’ data? How do you avoid becoming one of those organizations that must send a letter to every client saying “We’re sorry we lost your data”? How do your CIOs and CISOs sleep at night (hint: not very well)?
The answer is the rapidly growing and absolutely necessary adoption of “Data Governance”. Fundamentally, data governance is knowing the following about your data:
- When and where does data enter your environment (ingress)?
- When and where do we classify, process, and store data after it enters our environment?
- How do we protect it while it is in our possession?
- How do we securely transmit it when necessary and who do we share it with (egress)?
- What vendors do we share our data with?
Each item will require a healthy discussion with both information technology and line-of-business team members. The examples below help illustrate where IT and line-of-business responsibilities overlap and where control failures commonly occur. All examples are taken from real cybersecurity reviews performed by JLK Rosenberger in 2019.
- Eligibility data for ABC Co. is submitted by a payroll company to Acme Insurance.
  - Bill, a customer account manager, is likely to know which payroll companies submit data for which clients and whether any clients are planning to change providers, thereby needing a new configuration on the firewall or other security appliance.
  - Jenna, a senior system administrator, is likely to know that payroll company ABC had an issue with their secure FTP server and requested unencrypted FTP access 3 months ago. Since everything has been working and business disruptions are frowned upon, SFTP was never reinstated, but now anybody looking for a weak spot sees a welcome mat into your network. An unencrypted FTP server that ANY individual could submit files to was one of the scariest discoveries of the May 2019 Wolters Kluwer CCH breach. https://krebsonsecurity.com/2019/05/whats-behind-the-wolters-kluwer-tax-outage/
  - Both team members need to work together to determine whether there are stale firewall rules for companies or services that are no longer needed, or whether some firewall rules should be locked down.
- After the payroll data is received, it is manually imported into Eligibility Wizard 9.
  - Amy, a data analyst, is likely to know which imports routinely have business-data issues or other special characteristics, such as being a dump of all employees’ data when only a small subset is required.
  - Steve, an IT manager, is likely to know (hopefully with the help of a data-discovery tool) that when John does the import, he unzips the file on his desktop (or laptop if he’s at home) before importing it. What happens after that? Does the payroll file stay on John’s computer indefinitely? Is his computer encrypted? If you were an employee at Facebook in late December or a Medicaid patient in Oregon, the answer is not great. https://www.bloomberg.com/news/articles/2019-12-13/thief-stole-payroll-data-for-thousands-of-facebook-employees
  - Both team members must work together to make sure John is able to work efficiently BUT does not put the company at risk by leaving payroll data in unencrypted text files all over the network.
- Once the data is imported into Eligibility Wizard 9, it is stored in the database.
  - Bob, a business analyst, knows the data is secured in the database because he can only see the last 4 digits of the SSN in the application. However, he also routinely exports a large subset of data, including full SSNs, to work on some pivot tables in Excel. Since the data is changing and pivot tables often require experimentation, there are lots of copies of this spreadsheet on the shared network drive where things like the company calendar and football pool are stored. Bonus points if he also uploads it to his personal Office 365 account to use Power BI.
  - Susan, a network administrator (again, hopefully with the right data discovery tool), is able to proactively manage this by giving the line-of-business team member a private share with very strict permissions and automating the clean-up of his desktop to make sure files are not left behind. She is also able to discuss adding a Power BI license to Bob’s corporate Office 365 account so he does not use his personal one.
  - Both team members must work together to make sure Bob is able to manipulate the data to make the best decisions for the organization, but does not leave a trail of social security numbers behind him.
- A monthly report is run and sent to a client via the organization’s approved platform, SecureMyFiles!
  - Samantha, a customer services manager, runs a report for one of her clients that includes full social security numbers due to a limitation of Eligibility Wizard 9. She sends this report to the client once a month.
  - Roberto, a helpdesk technician, is likely to know that Amy is supposed to send this report via encrypted e-mail or a secure file service, but Amy opened a helpdesk ticket because her client couldn’t make the portal work and didn’t receive Amy’s e-mail, so Amy sent it via her Gmail account as a PDF attachment. Later that day, Amy falls for a phishing scam on her Gmail account.
  - Although Amy’s corporate e-mail is protected by an industrial-grade message security platform, her Gmail is not. Line-of-business and IT must work together to lock down common exit points for sensitive data while still supporting the culture of the organization. A guest Wi-Fi network with no connection to the corporate network AND restricted to personal devices only is one way to let Amy check her Gmail account without risking the organization’s safety.
- Eligibility Wizard 9 handles 95% of our eligibility calculations, but one of our clients requires completely unique calculations that Eligibility Wizard 9 cannot handle.
  - Kimberly, the client manager with the special requirement, finds a vendor who claims they can calculate the eligibility with their cloud product, CobraCalc. Kimberly signs up for CobraCalc, gets a data export from Eligibility Wizard 9, and uploads it.
  - Paul, the CIO, finds out about CobraCalc and discovers it is hosted on AWS with the data in an open storage container that anybody can see, along with the data of CobraCalc’s 27 other customers. This is similar to what happened to Netflix, TD Bank, and Ford in 2019. https://threatpost.com/leaky-amazon-s3-buckets-expose-data-of-netflix-td-bank/146084/
  - Both team members must work together to identify a solution to Kimberly’s business challenge that does not violate their organization’s standard of care. Realistically, if CobraCalc suffers a breach, will the client be upset at CobraCalc or at you?
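A minimal version of the data-discovery check that Steve and Susan rely on in the John and Bob scenarios above, added here as an example and not part of the original post: it walks a directory tree, opens zip archives (the unzipped payroll export is exactly what a file-name-only sweep misses) and reports every file holding SSN-shaped values, using the SSA’s structural issuance rules to discard obvious non-SSNs. The sample files, paths and values are constructed for the example.

```python
import re, tempfile, zipfile
from pathlib import Path

# SSN-shaped token AAA-GG-SSSS; the filter mirrors SSA issuance rules (no area
# 000/666/900+, no group 00, no serial 0000) to trim obvious false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a block of text (heuristic, not proof)."""
    return sum(1 for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups()))

def scan_tree(root: str) -> dict:
    """Map 'relative/path' or 'archive.zip:member' -> SSN count for every file
    under root with at least one plausible SSN; zips are opened, not skipped."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    n = count_ssns(zf.read(name).decode("utf-8", "ignore"))
                    if n:
                        findings[f"{rel}:{name}"] = n
        else:
            n = count_ssns(path.read_bytes().decode("utf-8", "ignore"))
            if n:
                findings[rel] = n
    return findings

def build_sample_tree() -> str:
    """Constructed files mirroring the scenarios above (not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "Desktop").mkdir()
    (root / "Desktop" / "pivot_v3.csv").write_text(  # Bob's export, 2 full SSNs
        "name,ssn\nA Person,123-45-6789\nB Person,456-78-9012\n")
    (root / "football_pool.txt").write_text("Pick 000-12-3456 for the pool\n")  # area 000: no hit
    with zipfile.ZipFile(root / "payroll_export.zip", "w") as zf:
        zf.writestr("employees.csv", "id,ssn\n1,321-54-9876\n")  # John's zipped payroll file
    return str(root)

if __name__ == "__main__":
    for f, n in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{f}: {n} SSN-like value(s)")
```

Run against a real share or desktop this only tells you where the numbers are; the governance work is deciding who owns each finding and whether the file should exist at all.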
The real-world examples above show relatively common and simple situations with high levels of risk. To mitigate these risks, a combination of technical controls (firewalls, endpoint security, data discovery tools, data loss prevention, vulnerability scanners, etc.) and operational controls (account reviews, coordination with HR, data classification, security awareness training, etc.) is needed. Most organizations need assistance in one or both of those areas due to the increasing sophistication of attackers and the specialized technical knowledge needed to keep abreast of the information security landscape.
Contact HBCG today to inquire about our cyber-risk and IT Assurance offerings including:
- Cybersecurity Assessment
- Data Discovery and Classification Assessment
- SOC-family of audits (SOC 1, SOC 2, SOC for Cybersecurity), specializing in year 1 and “A client said I need a SOC immediately, now what?”
- Continuous IT Assessment (leverages a dedicated audit appliance and enterprise-grade tools to empower internal IT departments of small-to-midsized organizations)