2020 was a wake-up call for more than healthcare pandemic preparedness. It
also exposed some huge security and privacy vulnerabilities for remote
workers, which many cybercrooks exploited thousands of times throughout the
year: both the work-from-home (WFH) employees and the mobile workers who
have largely flown under the radar of CISOs and information security
departments for the past two to three decades. Will cybersecurity and
privacy pros heed the lessons learned from this awakening?
Throughout 2020 I’ve been writing my 20th published book,
“Security & Privacy when Working from Home & Travelling,” published
by CRC Press. Hopefully I can get the final edits completed by the end of
January to allow for a Q1 or Q2 2021 publication date. At a current 600+
pages, which I’m tightening up and making more succinct now, you can
imagine that the number of key issues that organizations need to address
goes well over 100. It does, and they are detailed in the 23 chapters of my
book!
However, if organizations addressed at least the following three issues,
they would dramatically reduce their cybersecurity threats and
vulnerabilities, reduce privacy breaches and information security
incidents, improve compliance with their legal responsibilities, reduce
successful cybercrime attempts, and improve employee awareness (resulting
in increased employee satisfaction). They would also be viewed as a more
trustworthy organization, and as one where employees want to work and stay,
because privacy and cybersecurity for employees are as high a priority as
cybersecurity and privacy compliance is for the organization.
In the past 5-10 years, information security training vendors have narrowed
their focus largely to phishing awareness and password security. In
addition, there must absolutely be ongoing awareness reminders, activities,
and other types of communications and actions to keep security and privacy
top of mind for all workers with access to any portion of the
organization’s information systems (data, applications, servers, networks,
etc.). Phishing and passwords are certainly important and should be
covered, but there are so many additional areas of which all employees need
to be aware. In fact, this trend motivated me to build a new SaaS training
and awareness services business with my 23-year-old son, which we have been
building throughout the year and will launch in January 2021. Too many
organizations depend solely on technology for security protection and
privacy preservation; too many technology vendors perpetuate the false
claim that technology alone can address all security and privacy issues.
That has never been true, and in today’s remote working world, there is
absolutely no way that security technology alone is even close to being
enough. The human component is huge, and one human lapse, due to a lack of
awareness that comes from a lack of training, can bring down a huge
organization.
I have long advocated making “Responsible Computing” (including information
and cyber security, and privacy) the 4th “R” in our education systems’
curriculum, starting at preschool, as soon as a child can hold or interact
with a computing device. We must ensure that our children learn from the
earliest ages how to secure their personal data and their privacy, and that
of others. This cannot be a one-off activity that gets done and is then
forgotten, or revisited only after a long year has passed. Responsible
computing practices must become woven into our education systems in
everything that our children learn and do, just as speaking and wRiting
well, understanding aRithmetic, and Reading at levels that will help them
to truly understand STEM, the arts, history, civics, and every other topic
that will help our children to be most successful. So, to put it more
succinctly: make information/cyber security and privacy education an
integral part of all lifelong learning curricula, by default. If this goal
is accomplished, I know the resulting knowledge and associated informed
behavior changes would make everyone safer online, and with all forms of
information. It will also become an expected part of organizations’
training programs as well.
Resolve to create or improve your information assurance education program
(training, awareness activities, etc.) in 2021.
There is still a checklist mentality in most organizations when it comes to
vendor/third-party and supply chain security and privacy management and
oversight. 2020 has demonstrated that organizations cannot just tootle
along with the same old status quo vendor oversight practices. Think about
this: those dozens, hundreds, or even thousands of vendors (to whom
organizations have entrusted access to their data, applications, systems
and/or networks) were also thrown into a new remote working world in 2020.
How are they handling this situation? Do they now have new vulnerabilities,
and are they facing new threats, as a result of how their workers are
working in risky ways from their homes, or from some other location? Have
they kept your organization updated on changes in their organizations that
would impact the security and/or privacy of your organization and/or your
customers, patients and/or employees?
Every organization must address this important type of insider threat: the
threats, along with the vulnerabilities, that third parties throughout the
supply chain bring to an organization. If they do not, they face
experiencing some significant security incidents and privacy breaches.
Consider these survey and research findings:
- Mastercard's RiskRecon and the Cyentia Institute's 2020 research reports
that only 14% of those surveyed trust that third parties’ actual security
in practice matches their responses to long-established types of vendor
security questionnaires.
- A recent Gartner report determined that a data breach is an average of
$700,000 more expensive when a third party is involved.
- A 2018 Ponemon study found that almost 60% of companies experienced a
data breach caused by one of their vendors/third parties.
Resolve to create or improve your third-party risk management (TPRM)
program and associated practices in 2021.
Many organizations are still using the exact same remote and mobile working
security and privacy policies today as they were in December 2019. Many
more organizations still have not created documented remote and mobile
working security and privacy policies and procedures that are customized to
fit each of their own organization’s unique business environments. And way
too many flawed assumptions are being made about remote workers (employees
and contractors).
Consider just a few questions:
- Think your organization doesn’t have to worry about the security
implications of 5G because you’ve not implemented it? If your remote
workers are using it, then you now have parts of your business systems
environment where it is used.
- Think that IoT is not an issue to address in your organization? If you
have remote workers, I’d bet a bundle that you have a large number of IoT
devices within their home wireless networks, and/or in their work area
vicinities, that are now incorporated by default into your business
systems, where they are bringing threats into your organization and
creating vulnerabilities of which you are not aware.
- Believe that you have no AI use to worry about? Think again if your
remote workers have apps on their computing devices connecting to clouds
that use AI, and/or have IoT devices that incorporate AI within their
functions.
And the list could continue on for pages.
Resolve to create or improve your remote and mobile working policies and
associated practices in 2021.
If each organization makes these three actions a priority to perform in the
coming weeks, they will substantially reduce their security and privacy
risks, and as a result their breaches and incidents. The organizations can
then identify the additional actions to take to further improve their
information security and privacy management program maturity.
Rebecca Herold
CEO & Founder, The Privacy Professor; CEO & Co-Founder, Privacy
Security Brainiacs
www.voiceamerica.com/show/2733/data-security-and-privacy-with-the-privacy-professor