Adviser Vol. 3 2016 | Page 22

Feature

2016: Better Known as The Year of “My Data Went WHERE?”

By Carl G. Cadregari, CISA, executive vice president; Jillian “Jill” Martucci, CISA, SSCP, manager, Enterprise Risk Management Division, The Bonadio Group

Data losses and breaches are almost an everyday occurrence; pick up any paper, peruse any news organization and it’s guaranteed that you will find someone (maybe even someone you know) who ended up in the news. While many data losses could have been mitigated while in progress or even prevented altogether, the reality is that with 3.6 billion internet users, the threat and occurrence of loss, compromise or theft of data is only growing. In this article, we explore how data can be lost or stolen, what companies are doing to help prevent loss and what you may want to do now to bolster proactive and reactive controls, so that you can limit and respond to the probable data breach in your future.

Some Good News

The movement to assess risk and adhere to regulatory compliance requirements, such as those found in the laws surrounding the Health Insurance Portability and Accountability Act (HIPAA), the Gramm–Leach–Bliley Act (GLBA, safeguards for financial data privacy and security), the Payment Card Industry Data Security Standard (PCI DSS, credit and debit card data security standards), the NYS Privacy Act and many others, has moved security considerations forward. These assessments have especially enhanced the areas of data encryption, auditable user access and vendor management. Many organizations have implemented stronger passwords, and we have seen a significant rise in two-factor authentication, which requires individuals to present a combination of at least two of three different validation methods during the authentication process for both remote and local access to sensitive data. Traditionally, the three factors are something you have (like a fob), something you know (such as a password) and something you are (like a fingerprint).
That said, we have a long way to go, as the bad guys keep finding ways to get around the controls put in place.

The Bad News

The overall computer security picture hasn’t changed much. The Internet is still a very dangerous place, with more internet-connected devices in the world than there are people. The top data security threats for the year included multiple, massive ransomware infections, enhanced Trojans and email and website phishing scams, along with the ever-present malware consisting of spyware, keystroke loggers, website hijackers and some very subtle pretexting and social engineering attacks. Professional criminals who have control of computers are turning our futuristic superhighway into a data capture playground, and don’t you doubt it: these are the new bullies stealing your lunch money.

Every PC, Mac, tablet, smartphone, server and network is susceptible to malware, Trojans, worms, spyware and ransomware. Many times these programs break your computer, but even more hazardous and concerning is how often they are used to steal and siphon off private, personal, financial and confidential information, by some unknown thief as close as the office next to yours (as with a disgruntled employee) or on another continent. Antivirus and anti-malware protection software continues to be considered the “silver bullet” needed to protect your company, but attacks of great complexity and sophistication can now circle the globe in seconds. Even the best applications are not up to the task of protecting you against the newly created malware that has been churned out this year (one recent statistic from McAfee noted that 1.3 million new ransomware samples and nearly 2 million new mobile malware samples have been found). And don’t get us started on weak controls over internet-facing systems: Distributed Denial of Service (DDoS) attacks still occur on a regular basis and continue to be very hard to defend against.
Adviser, a publication of LeadingAge New York | Fall 2016 (See My Data on page 22)