Friday, November 22, 2019

The Gift Of Post Data Breach Optics

As cyber professionals, our job is to think about preventing breaches. We have controls that we have put in place. We measure the efficacy of those controls. And we have a backlog of work that remains to be done.

During an incident, we work to respond to the incident. If that incident rises to the level of a data breach, we work within the context of an enterprise crisis action team to contain every aspect of that breach, technical and non-technical.

But how often do you think about what happens post-breach after the exhausted response team has gone home?  By this, I mean the regulators. Depending on your industry and location, you'll likely have state and/or federal regulators knocking on your door.

A November 2019 FTC complaint against a Utah company, Infotrax, provides a unique and valuable view into how regulators will view a security program post-breach. 

Regulators aren’t just going to look at the things that your program has done right.  They are also going to look at the things that have been left undone. You know, the things that are either sitting on your backlog right now, or worse yet, not there at all.   

Remember that the intent of this post is not to comment on the findings but to help you understand how regulators think.

In Infotrax’s case, the FTC regulators determined in paragraph 10 of the complaint that these included failing to:

    inventory and delete personal information it no longer needed;

    conduct code review of its software and testing of its network;

    detect malicious file uploads;

    adequately segment its network; and

    implement cybersecurity safeguards to detect unusual activity on its network.

In paragraph 11 of the complaint, the FTC regulators determined that “respondents could have addressed each of the failures described in paragraph 10 by implementing readily available and relatively low-cost security measures.” I’ll leave it to the reader to determine the scope of work for each of the above paragraph 10 line items in the context of the meaning of low cost.

As part of the plea agreement, Infotrax is under a 20-year order requiring it to take a number of specified actions. Each violation of that order carries a $42,530 fine. Again, that's each violation.

The MySpace social network also had a similar 20 year order from the FTC.  As FTC Commissioner Christine Wilson points out in her concurring statement, "[p]rior to the FTC action, MySpace was the most visited social networking site in the world, but it was subsequently overtaken by Facebook.  At least one publication predicted this outcome – when reporting on the order, Forbes wryly titled its article, 'The FTC Has Faith That MySpace Will Be Around In 2032.' "

As Tripwire writes, "if the data breach doesn't kill your business, the fine might."

A single breach might bring scrutiny from multiple regulators. If we are to assume breach, we’ll also need to assume “regulators” and prepare for the optics that they bring on the things left undone.

Perhaps it’s time to go back and review that backlog as well as the current program prioritizations with executives for “reasonableness” using the same optics as a potential regulator. 

Early visibility and preparation around the optics now also might be a gift in the event of a future breach. 

There may be some hard conversations on the horizon. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.
