The Online Trust Authority celebrated Data Privacy Day 2014 by holding a series of town hall events across the country last week. My colleague Sarah Jenan and I were fortunate enough to attend the San Francisco event at the Union Square Marriott on Thursday. A highlight of the morning was the session titled Security by Design: What Businesses Should Know to Help Them From Becoming a Statistic.
Moderated by Tim Rohrbaugh, chief information security officer at Intersections, the panel brought together special agents from the FBI and Secret Service (who will remain anonymous), along with representatives from two consumer privacy advocacy groups: Neal O’Farrell, the executive director of the Identity Theft Council, and Beth Givens, director of the Privacy Rights Clearinghouse.
The consensus on the panel was that the kind of massive data breaches we’ve seen recently at Target, Neiman Marcus and, most recently, Michaels stores, is a trend that is not likely to go away anytime soon. Law enforcement is seeing a huge array of network intrusions both here in the U.S. and globally. Educating the business community on how to better secure IT resources to deter attacks is a key focus of law enforcement, but both government representatives stressed that they are increasingly emphasizing best practices for IT professionals to follow when a breach does occur. The experts believe the most progress in tracking and stopping malicious hackers can be made by improving the information that victimized companies provide to aid remediation, investigation and a positive outcome.
Continuing in this vein, several panelists made the point that it’s a very good idea for IT and data security professionals to proactively reach out to and establish contacts with law enforcement. Having a computer incident response plan in place, and sharing it with counterparts in the law enforcement community, is proving to be the most effective way to mitigate damage from attacks and recover from them quickly. Moderator Rohrbaugh pointed out that his organization invites cybersquad law enforcement to its incident response training precisely because the FBI and Secret Service will need to be involved if a real-life breach were to occur. Knowing who in law enforcement you’ll be dealing with if something goes wrong, and having that relationship established up front, is very valuable.
Education may well be the key to saving companies from data breaches – here’s an eBook about DMARC email authentication to keep your emails safe and secure!
Data Privacy Day is a timely reminder for all organizations to reflect upon their data security and data breach protection, especially with the release of the 2014 Data Protection & Breach Readiness Guide by the Online Trust Alliance. The report found that 2013 was the year with the highest recorded number of data breaches, with an estimated 740 million records exposed. Other notable data breach statistics:
- 89% of data breach incidents could have been avoided with simple security best practices
- 40% of the largest data breaches recorded took place in 2013
- 76% of the data breaches were due to weak or stolen credentials
Exposed records included credit card numbers, email addresses, login credentials, social security numbers and other personal information, leaving both individuals and businesses open to significant financial harm.
The guide provided 10 Questions of Risk Assessment so readers could do a quick self-audit of whether they were prepared for a data breach. It also provided 8 data security best practices that businesses should implement today:
- Email authentication through the implementation of SPF, DKIM and DMARC
- Implementation of Secure Sockets Layer (SSL) for all data collection
- Upgrading to Extended Validation SSL (EVSSL) certificates for all commerce and banking applications
- Reviewing all password management policies and support for two-factor authentication
- Encrypting data and disks
- Encrypting communication with wireless devices
- Disabling shared folders by default, multilayered firewall protection, etc.
- Creating a BYOD Plan and policy
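The first item on that list, email authentication, comes down to DNS TXT records that receivers evaluate for every message. The following checker is an added illustration (it is not code from the guide or from Message Systems' Validator): it audits a domain's SPF and DMARC records for the weak settings a compliance review would flag, such as a missing DMARC record, a monitor-only `p=none` policy, a `pct` below 100, or an SPF record ending in `+all`. The resolver is a constructed in-memory table of sample records, so it runs offline; swapping in a real DNS lookup is left to the reader.

```python
"""Offline SPF/DMARC policy audit (illustrative, not a production validator)."""
import re

# Constructed sample TXT records standing in for DNS answers.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "nodmarc.example": ["v=spf1 a mx ~all"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def lookup_txt(name, resolver=SAMPLE_TXT):
    """Return TXT strings for a name; the default resolver is the sample table above."""
    return resolver.get(name, [])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if malformed or not DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def check_dmarc(domain, resolver=SAMPLE_TXT):
    """Return a list of findings for the domain's DMARC record (empty means no issues)."""
    findings = []
    records = [r for r in lookup_txt(f"_dmarc.{domain}", resolver) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record published"]
    if len(records) > 1:
        findings.append("DMARC: multiple records published (receivers discard the policy)")
    tags = parse_dmarc(records[0])
    if tags is None:
        return ["DMARC: record is malformed"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only, no enforcement")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def check_spf(domain, resolver=SAMPLE_TXT):
    """Return a list of findings for the domain's SPF record (empty means no issues)."""
    findings = []
    records = [r for r in lookup_txt(domain, resolver) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record published"]
    if len(records) > 1:
        findings.append("SPF: multiple records published (permerror at receivers)")
    terms = records[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF: +all authorizes any sender on the Internet")
        elif qualifier == "?":
            findings.append("SPF: ?all is neutral, equivalent to publishing no policy")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10 (permerror)")
    return findings


def audit(domain, resolver=SAMPLE_TXT):
    """Combined SPF and DMARC findings for one domain."""
    return check_spf(domain, resolver) + check_dmarc(domain, resolver)


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nodmarc.example"):
        print(name, audit(name) or ["no findings"])
```

A clean domain yields an empty list; `weak.example` is flagged for `+all`, `p=none` and the missing `rua=` tag, and `nodmarc.example` only for having no DMARC record at all. Note that this checks the published policy, not DKIM signing, which lives in the message headers rather than in a single DNS record and needs a mail sample to verify.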
The guide also covered data breach incident response planning, a topic that Craig Spiezle, President of the Online Trust Alliance, spoke about at our annual digital messaging conference in 2013. When preparing for a data breach, it is vital for businesses to:
- Create an Incident Response Team
- Establish vendor and law enforcement relationships
- Have a communication plan
- Take into consideration international data breach notification laws
In order to benchmark and encourage adoption of data security best practices, the Online Trust Alliance publishes an Online Trust Honor Roll audit every year, on which Message Systems was proud to be listed in 2013. As a member of the Online Trust Alliance, we take our role in educating the industry about email authentication and DMARC seriously. In the past year, we’ve hosted a webinar about The Benefits of DMARC Email Authentication, published an e-Book on How DMARC Is Saving Email, and written numerous blog posts about DMARC, SPF and DKIM. We’ve also released a free email validation tool called The Validator, a DKIM, DMARC and SPF checker that tests your email server for compliance and helps ensure message delivery. In fact, if you are looking for email software or an email system that adheres to the DMARC standard, feel free to talk to our experts.
As stated in the 2014 Data Protection & Breach Readiness Guide:
Business leaders need to recognize if they collect sensitive data, they will realize a data loss incident. Not being prepared is a recipe for failure, and loss of consumer trust.
Want some additional information on DMARC email authentication? Watch the DMARC webinar by Groupon, ReturnPath and Message Systems!