Look left. Look right. Chances are, you know someone whose personal or corporate information was compromised as a result of a data breach. Facing mounting pressure to stem the rising tide of data breaches, especially in light of the upcoming GDPR’s stringent data security penalties, companies are beginning to take a hard look at whether the technologies they’re using are up to snuff.
But what if the issue doesn’t lie just with the technology, but with the people managing it? Randy V. Sabett, CISSP, argues that any company looking to comply with data protection regulations needs to consider the human side of the problem as much—if not more—than the technological side. Sabett is a former NSA crypto engineer who recently served as a commissioner of the Commission on Enhancing National Cybersecurity for the Obama administration. He currently serves as vice chairperson of Cooley LLP’s privacy and data protection group.
Sabett recently sat down with Logikcull to share his thoughts on the data security hurdles companies face when trying to comply with the upcoming GDPR and current data security laws.
Logikcull: Obviously, a lot of companies that are doing business in the states or internationally have to comply with a number of different data security standards, and all of them require them to have certain data security safeguards in place to protect client data. With all this confluence of laws & regulations at play, what standard of security should companies be shooting for in order to remain compliant?
Sabett: That’s the million-dollar question! It’s certainly not something I could tell you in one or two sentences, and obviously being an attorney I’m going to have to say that it’s an “it depends” kind of answer, which is what I tell our clients in the sense that if I’m holding tons and tons of data, but none of it—even under the new GDPR and provisions—none of it is even sensitive or even personal data, that’s a much different use case than if I’m holding what I call the “radioactive data”—the name & credit card number & the driver license number.
Logikcull: What considerations would influence how you would advise clients on something like that?
Sabett: I think that the first “it depends” is that it depends on the sensitivity of the data, and the second “it depends” is that it depends on what your use case is. In other words, how are you using the data, what’s the relationship with the data subject, your plan on utilizing that data. All of those questions then drive what do you do to protect it, what do you need to put into place. This is stuff that security people have been dealing with for a while in terms of finding the right mix. I think we saw this in the US a decent amount with HIPAA, where you have administrative technical and physical security requirements.
Logikcull: Does the problem lie solely with the technologies being used to protect this data?
Sabett: It’s basically not just looking at the issue of what technology do I need to put in place. It goes beyond that.
There’s a lot of folks out there whose main focus is on the human element, which is often where the worst problems are. And in some cases like some of these breaches we’re seeing these days, there’s a human element present, even though it’s a technology issue. For example, they didn’t patch a certain system, or that lack of patching was due to a human making a decision to hold off on patching.
"There’s a lot of folks out there whose main focus is on the human element, which is often where the worst problems are."
I think that the level of protection is going to depend on the data, and then, you know, go back to the requirements: the main focus of most people these days because almost everyone is doing business internationally is GDPR, and the requirements for GDPR and from there figure out what you need to put into place.
Logikcull: What are your thoughts regarding where these existing options for data security safeguards are falling short, or is there more of a human element issue at play?
Sabett: Based on firsthand experience in terms of some of our clients and based on what I’m seeing in the industry, the human at the keyboard is still the number one mechanism by which the attackers get in. Like through spearfishing and the much more sophisticated ways that these attackers are using social engineering as a way to get past the human interface so that they get in, masquerade as that human, and then move laterally though the system and get other credentials. Usually they’re getting into the systems and they’re getting data out in minutes, and many of these companies aren’t finding out about it for months in many cases, and in some cases years.
"The human at the keyboard is still the number one mechanism by which the attackers get in."
That ability to get in is oftentimes as a result of the human clicking on the wrong thing, downloading the wrong thing, or doing the wrong thing even though it’s arguably in the interest of the company.
Logikcull: What types of situations have you seen data breach issues pop up due to human error or carelessness?
Sabett: There have been situations where employees have done things to make what they are doing for the company more efficient, to be able to do something faster, to have better access to things.
If there’s any number of possible scenarios, none of which are the person trying to be bad or trying to do something nefarious, it’s simply I’m trying to get my job done better, quicker faster whatever for the company, but in doing so they do the company in peril. And so, again, all of this comes back to the human element of clicking on the wrong thing, putting the wrong stuff in the wrong place, putting it out on the internet where it’s truly available.
Logikcull: What can companies do to cut down on the likelihood of breaches occurring due to human error?
Sabett: Now there is where I maybe deviate a little bit from other folks.
There are a lot of folks out there who say all you’ve got to do is training, just do better training and train your employees better and you cut down on all of it. Well, it only helps to some percentage.
"There are a lot of folks out there who say all you’ve got to do is training... Well, it only helps to some percentage."
We’ve seen very complex stuff. I work closely with federal law enforcement on cases, and some of these phishing emails are phenomenal. The reason that they’re so phenomenal is that they’re not just sitting outside the system and crafting these emails, they actually get into the system, they see the email traffic going back & forth, they know who talks to whom, and how they talk to them the style of the email. So, then they write emails where they say “Wire X amount of dollars to some bank overseas.” Because the person is looking at this thing and, again, it would be subconscious, the people wouldn’t even realize that they should be wary of it, and they go ahead and they wire the money.
All of that goes back to the human element.
This post was authored by Eric Pesale, an attorney who writes about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is the founder of Write For Law, and is a graduate of New York Law School and the University of North Carolina at Chapel Hill. Eric can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.