Data Security or Data Privacy? The Challenges of Regulating Personal Data

Data is a company’s greatest asset, but it can also be an Achilles’ heel when regulatory compliance isn’t met.

Though policies for data security are on the rise due to the increasing prevalence of cybercrime, laws dictating how companies may control user data are far less developed. Policies surrounding data privacy have traditionally been under-prioritized, with many legal firms not understanding the distinctions between data security and data privacy. Matters are compounded further when regional variances in data policy come into play.

Defining Data

How data is handled depends on how it is defined—law denotes a distinction between what is considered “sensitive” data and “personal” data.

Personal data is defined as any information that can identify an individual directly or indirectly. Sensitive information is a subset of personal data, defined as information that can only be taken and collected locally if mandated by law. Personal data is more tightly regulated and the focus of most privacy legislature.

Privacy Regulations

Keeping compliant with personal data privacy regulations becomes a significant challenge when international business enters the picture. Legal requirements protect personal data from being collected, used, processed, shared, or transferred in specific global and regional jurisdictions.

“…If you run legal operations of a company in the U.S., it does not mean you have the right to access data in a foreign jurisdiction,” said Sheila Fitzpatrick, a data privacy expert working with the US government and the Council of the European Union.

The problem stems from the complexity of data management in each region—local jurisdictions have their own laws that must be adhered to, no matter where the business is conducted. According to Fitzpatrick, transparency is key:

“You need to collect data that you absolutely have to have to run the business … you need to understand what you are using that data for. You need to be very clear about why you are collecting that data and what you plan to do with that data. There is no implied consent.”

Data privacy is subject to several other unique regulations too, chief among them the “Right to be Forgotten” mandate. Part of this legislation denotes how companies have an eventual legal obligation to delete user data unless it has a legal hold protecting it.

Although data security is well-established, data privacy is still undervalued in the legal world. The increasing globalization of e-discovery and the legal world will require more regulations concerning cross-border e-discovery, data ownership, and how to ensure both information security and data privacy for all users.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers

Although cybersecurity has taken a central role for healthcare facilities and legal firms, cybercrime doesn’t discriminate based on industry.

Universities and academic facilities contain sensitive data just as vulnerable to outside intrusion as that held by industries that heavily prioritize security. Student healthcare data, financial information, and other personal details are all at risk on unsecured academic networks. Over the past several years, multiple universities have reported data breaches that had significant impacts on their student body and reputation.

The University of Maryland suffered a breach in 2014 that resulted in over 300,000 compromised records, including university IDs and social security numbers. That same year, a breach at Butler University revealed the social security numbers, driver’s license information, and bank account data of over 200,000 individuals.

The financial cost of these breaches is high, but the damage isn’t limited to leaked information. Much as other victims of high-profile breaches (including Sony and Target) have recently learned, the bad PR from a data breach can be catastrophic to an institution.

Threat Prevention

As positive PR is an absolute necessity for academic organizations, a cybersecurity prevention and damage control strategy is essential.

Initial measures for beginning this plan should include:

1. Internal Threat Assessment

With over 50 percent of cyber attacks in 2014 coming from insiders, institutions must be aware of internal threats and have measures in place for threat assessment. This involves creating dedicated teams, with representatives from each department, who can oversee internal data security in their own divisions.

2. Enhance Security Infrastructure

Academic institutions must upgrade their IT security to discourage hackers. Sensitive information should be protected with authentication credentials, firewalls, and by limiting access to only essential personnel. Better system-wide controls help prevent the unregulated flow of information that cyber breaches rely on.

3. Breach Testing

Many institutions these days test the strength of their security with the help of white hat hackers. These vendors can review the strength of your cybersecurity protocols and offer guidance on where you may be vulnerable.

4. Damage Control Planning

Should a breach occur, institutions must have a plan in place to mitigate the damage. Steps will need to be taken to lock down your systems and prevent small data losses from turning into out-of-control information breaches. This includes disclosure protocols for parties who may be affected by the data loss.

5. Getting Insured

Cyber insurance can help reduce the financial burden of leaks should a breach take place. This can be beneficial for large-scale organizations who handle millions of patient or customer records.

While these steps are a good start for academic organizations without cybersecurity protocols in place, they are only the first steps of a larger, system-wide push towards data security. The threats are here—academic institutions can’t afford to wait.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

Protecting the Enterprise with Cybersecure IT Architecture

Digitization of data, products, and processes is the direction in which the world is moving.

Unfortunately, the digital revolution in IT security is occurring more slowly. Digitizing information creates new challenges for legal firms that may not be aware of the system vulnerabilities that digital data creates.

Security Challenges

Complicated IT architecture creates system vulnerabilities for hackers to exploit, and makes malware harder to detect. With digital data becoming the new standard for information governance, security protocols must be in place to prevent unauthorized access.

A joint study by McKinsey and the World Economic Forum in 2014 showed that 71 percent of global banking IT executives believe that attackers are quicker than banks when adapting to changes in security protocols, including modifying skill sets and identifying vulnerabilities. The report also revealed that 80 percent of respondents believed that the risk of cyber-attacks and data loss will play a large role in their businesses’ security strategy over the next several years.

Given the traditionally slow response of organizations to data breaches, companies must invest more heavily in their security programs. This includes designing processes, security platforms, and overall IT infrastructure with security as a priority.

Creating Secure Architecture

A secure IT framework doesn’t rely on individual security protocols. The best security approaches incorporate multiple layers of defense throughout their implementation:

  • Threat analysis: Potential threats must be segregated based on the value at risk, letting businesses give the most valuable data the highest levels of security.
  • Multi-level restriction: Access and security must be increasingly restricted with each security layer to ensure that the inner layers are tightly regulated and controlled by employees.
  • Service integration: Security must be integrated with service architecture. This allows communication and data flow to be better monitored across the enterprise, as various service capabilities can also function as security checkpoints that provide additional levels of data protection.
  • Communication hub: Routing communication through a single application service hub provides a clear view of information flow. Aggregating data into a single point of contact allows broad assessments of suspicious data patterns and provides a secure approach to communication between applications.
  • Prioritize simplicity: With the growing complexity of data security infrastructure, companies must build their security network to function optimally with transparent and simplified processes. Reducing the number of applications that handle messaging and communication improves efficiency and makes it less likely that suspicious activities will go unnoticed.

Written by Desh Urs

Missing Hard Drives Contain PHI of Nearly One Million Individuals

Cybersecurity and safeguarding Protected Health Information (PHI) is a hot topic in the digital world. However, while awareness and new legislation are improving the current state of digital information security, less attention is given to security protocols for hardware and physical data storage.

Hard Drive Theft

Centene, a prominent Medicare and Medicaid insurance provider, recently announced the loss of six hard drives containing private information on nearly 950,000 individuals. The affected data loss includes names, addresses, social security numbers, and membership IDs. A statement offered by Centene on Jan. 26th claimed that the hard drive loss “resulted from an employee not following established procedures on storing IT hardware,” noting that the missing drives were a small part of their total 26,000 unit IT inventory.

Is Encryption Necessary?

Centene’s data loss was a function of a lack of encryption protocols and poor inventory management.

Unfortunately, the answer to data security isn’t as simple as “encrypt everything with PHI.” Unnecessary encryption can be costly and may reduce efficiency due to the extra steps needed to authenticate users. Under the HIPAA Security Rule, encryption of PHI is merely “addressable.” This means that organizations that thoroughly document alternative security measures need not encrypt all instances of PHI.

When encryption isn’t feasible, other security protocols must be used. Inventory governance is essential for protecting hardware containing PHI. However, the challenges of keeping a real-time IT inventory make the process easier said than done.

“An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn’t scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information,” said Tom Walsh, founder of security consulting firm tw-Security.

This presents a challenge to holders of PHI: how can the costs of encryption be balanced with inventory management for better overall security? According to Walsh, risk analyses coupled with precise inventory tracking will help organizations “channel limited security resources where they are needed most.”

Finding a Middle Ground

The question of hardware and PHI security is as complex as the challenges associated with cybersecurity. It’s clear that both inventory governance and correctly-applied security protocols are necessary to keep PHI safe. The CEO of security consulting firm Redspin noted that: “…Healthcare organizations must be disciplined about tracking PHI throughout the organization and ensuring the appropriate safeguards are in place everywhere. Encryption adds cost and complexity, but a PHI breach can be far more costly.”

Given recent PHI breaches, we’re willing to bet that insurers like Centene would agree.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Legal Losses: 4 Steps to Better Internal Security

When people think of “cybercrime,” they imagine a hacker finding an exploit in an unsecured system and taking advantage of it for their own gain. While this is a growing concern in the legal world, it isn’t the only security threat that firms must consider. A 2015 Data Breach Investigation Report by Verizon found that 20.6 percent of all data breaches are caused by individuals inside the industry, whether accidentally or intentionally. These breaches can be notoriously hard to detect, since internal data leaks are less obvious and their immediate consequences less visible than those of outside hacker access. IT security has traditionally been challenging for legal firms: clear corporate policies must be implemented to protect privileged information from both hackers and illicit employee actions.

1. Increase Awareness

The first step in decreasing the incidence of cybercrime, both within an organization and without, is increasing awareness. Companies must create a corporate culture of transparency and honesty with their employees, and train them in data handling practices. Employees should know what to do if they detect a security issue, with clear policies in place for the assessment and removal of emerging threats.

2. Detection/Data Loss Software

Implementing software to monitor data transfer is another method of preventing data loss. Legal firms can optimize their IT security with programs that track detection points of data transfer to highlight potential vulnerabilities. If a breach occurs, these programs offer hard evidence and digital trails for investigators to follow.

3. Implement Warnings

A simple way to increase data security is to let employees know that their actions are being tracked. Employees are much less likely to engage in illicit or illegal behaviors when they know that their computers are subject to searching. This deterrent can be powerful, particularly when employees understand the weaknesses of their business’s IT infrastructure.

4. Monitor Communication

Proper tracking of employee behaviors is necessary to prevent internal losses of information. Forensic analysis of employee communication and behaviors provides visibility into the exchange of information across digital platforms and offers insight into suspicious behaviors in a breach. Investigators can monitor key variables when data is compromised to identify trends and establish the source of information loss.

IT security in the legal world is a never-ending battle. Legal firms must realize that they are vulnerable internally and externally, and take the precautions to keep client data safe.

Written by Desh Urs

Cybercrisis Management: Effectively Recovering from Data Breach Fallout

Crisis management and planning for the unexpected is public relations 101, but navigating your public image through a disaster in the digital age can be difficult. The modern corporate landscape is built on shared data, remote connectivity, and the promise of cyber security, which makes implementing an effective cybercrisis management strategy essential when something goes wrong.

Surviving the fallout from a data breach disaster can make or break an organization in the eyes of both shareholders and the general public. Finding yourself in a crisis whirlwind due to bad planning and poor implementation can be devastating.

Timing and Communication

The most detrimental misstep organizations take immediately after a data breach or similar cybercrisis is delaying and often miscommunicating important information. Timely, transparent communication is vital to maintaining tight control of the message. It’s easy for the public, the media and internal personnel to jump to conclusions and create misinformed opinions about a situation when the information being shared isn’t authentic and honest. Timing is everything in the digital era, and a flawed social media message, ambiguous statement or postponed response can all add fuel to an already burning crisis fire.

Consider these six steps pre-data breach and utilize them post-breach to minimize damage during a cybercrisis:

  1. Put victims first – Empathy with those affected by a data breach must be part of all crisis management communications.
  2. Communicate sooner not later – Remember, timing is everything.
  3. Prepare for a moving target – Opinions and perceptions can be easily swayed, and it’s important to adapt and progress in the face of criticism and accusation.
  4. Be transparent about not being transparent – Authenticity, even when you’re not able to provide specifics, resonates with the media and the public.
  5. Validate your strategy through opinion research – Corporate jargon and internal investigations aren’t as effective as independent opinion research that people can trust and validate.
  6. Work as a team – Above all else, everyone within the organization must be informed and on your side during implementation of a cybercrisis management plan.

Staying ahead of bad publicity and course correcting after a crisis requires commitment to transparency and a clear understanding of your audience. Preparing for the worst is the best thing you can do, and creating a crisis management team that’s ready and trained to implement a strong communication strategy when a breach occurs can be invaluable.

Written by Desh Urs

Cybercrime: Redefining Security in an Unsecured World

Online security in the digital age may be a myth.

A survey by the Aspen Institute and Intel Security found that 50 percent of security professionals once believed that their organizations were “very or extremely” vulnerable in early days of cybersecurity, yet only 27 percent believe that their organizations face the same level of risk in more recent years. Despite this increased confidence, 70 percent of respondents admitted that cybersecurity breaches are a growing threat to their industry. And security firms aren’t the only ones who need to worry—cyber-attacks have become commonplace across nearly every digital enterprise.

The highly-publicized Ashley Madison leak in July brought online privacy and cybersecurity into the public domain, though cyber-attacks can strike anywhere. The web hosting service 000Webhost suffered a data breach in March that potentially exposed 13.5 million customer records, a significant loss of information and authority for a high-ranking web hosting service. Most recently, the UK-based phone and broadband provider TalkTalk was the victim of an unauthorized breach, with 4 million private customer profiles possibly exposed.

Areas of Vulnerability

The proliferation of cybercrime is made easier by inefficiencies in website system architecture. Regardless of what security policies or privacy measures are in place at the enterprise level, shoddy and inefficient website code creates openings that savvy hackers can exploit. This problem is compounded by many web developers not rewriting website code (a costly and time-consuming process) and instead “papering over” any problems that are noticed. This habit creates multilevel vulnerabilities in the code base that are hard for security personnel to notice, yet remain open to those seeking them out. The 000Webhost breach is one example of this trend, with unauthorized access gained through an exploit found in an old PHP version of the site.

These inefficiencies, combined with the growing ingenuity of cyber criminals, create a system in which “privacy” may no longer exist. If criminals cannot exploit vulnerabilities in a site’s structure, they employ social engineering and manipulation to gain access to the information they want. At their core, security problems revolve around people: from the coders who develop site structure to the employees who manage the phones, the only chance businesses have of gaining comprehensive security is through efficiency and rigorous training for all employees across every part of their infrastructure.

Written by Desh Urs

Data Theft and the Business of Cybercrime

Cybercrime is a business—and business is booming. Illegal online activity has flourished with the advancement of technology, increasing 10,000-fold over the past twelve years.

But what do criminals do with all this data, and how is it monetized to make it worth their while?

The Dark Side of the Web

The “Dark Web” is the source of much criminal activity on the Internet. This network can only be accessed with specialized software, preventing law enforcement and regular users from accessing it. These darknets (such as Tor) may also use additional forms of security to hide their illicit material, such as encryption or proxy servers that shield user identities.

The secrecy and relative privacy of the Dark Web make it ideal for criminal activity. Think of the Dark Web as a virtual marketplace that only members can access. Cybercriminals can post stolen account information openly to be purchased by the highest bidder. This practice is illegal—and very profitable.

User data is a commodity on the black market, with each fragment of information possessing an “asking price” to be negotiated.

Research compiled by Dell SecureWorks summarized the price of this data:

  • New identities, including an address, a name, and a fake social security card scan, cost $250
  • Counterfeit non-U.S. passports cost between $200 and $500
  • U.S. credit cards with tracking data cost $12 each

The Business of Theft

The business of stolen data management is growing—estimates by the Center for Strategic and International Studies placed the impact of cybercrime at 15 to 20 percent of the annual Internet economy. Dell found that many providers of stolen data even had guarantees of “excellent customer service” with promises to replace stolen credit cards cancelled before the buyer could utilize them.

This relates to the “shelf life” of data, and factors greatly into its overall value. Some fragments of stolen data lose value over time as the likelihood of their discovery increases, while other information (like healthcare data used for fraudulent billing) typically remains unnoticed until the damage is done.

Protecting Yourself

While cybercriminals are becoming increasingly adept in their illicit practices, steps can still be taken to prevent data loss. Part of this involves recognizing where data leaks may occur in your organization. It’s not financially viable for many providers to increase security on all fronts, making it essential that businesses identify the weak points in their infrastructure and strategically upgrade their security accordingly.

Written by Desh Urs

Legal Firms Turning the Tide on Cybercrime

With cybercrime-related problems showing no signs of stopping, whether legal firms will be affected moves from if into the realm of when. Nobody expects that he or she will become a victim of cybercrime, creating a culture of damage-control where firms focus on mitigating the damage of breaches rather than initial prevention.

Legal Firms at Risk 

The senior director of information security at LexisNexis, Jeffrey Norris, highlighted the two biggest reasons that law firms are in danger of breaches:

“The criminal element has performed direct attacks on organizations at a growing pace going back to at least 2012 […] it’s now becoming understood that it’s easier to go after a third party to gain access to these organizations,” he said. “…The spotlight has swung towards law firms due to security concerns of how they handle the data they’re entrusted with.”

Aside from the ease of targeting third-party legal firms, Norris spoke to the variety of data held by these firms, which often includes personal information, corporate merger details, intellectual property claims, and privileged legal data. “It becomes a realization they may have a treasure trove of data outside of the primary organization that’s being targeted,” said Norris.

Steps toward Security 

With nearly 80 percent of the biggest legal firms facing hacking-related problems since 2011, the need for increased regulation of third-party vendors is clear. Fortunately, the concerns voiced by IT professionals and network administrators about the risks of online data usage have not fallen on deaf ears. New York State Department of Financial Services (NYDFS) Superintendent Benjamin Lawsky recently acknowledged the vulnerabilities faced by third-party legal firms and his commitment to stricter cybersecurity protocols.

However, Lawsky noted that “[while] banking organizations appear to be working to address the cybersecurity risks […] progress varies depending on the size and type of institution.”

Increasing the transparency of cybercrime-related issues is a tall order for an industry that relies on client confidence and the security of information, but five Am Law 100 and Magic Circle firms are taking initial steps toward this goal. The alliance between these firms promises increased sharing of cybersecurity threat information and opens a dialogue between industry partners that face the same challenges.

While there is still plenty of work to do, this is an encouraging step in the right direction for legal firms who acknowledge that cybercrime is a threat they can no longer ignore.


Written by Desh Urs

The Public Desensitization to Cybercrime

The frequency of cybercrime in a tech-world filled with vulnerabilities has created a trend of people viewing data breaches as commonplace and necessary evils for the privilege of technology use.

Turning a Blind Eye

A comparison of two recent breaches highlights this desensitization: the Office of Personnel Management leak on July 9th that revealed sensitive data of nearly 22 million individuals, and the more recent July 22nd breach of the U.S. Census Bureau’s information network. This second leak was reported to have released privileged information on employee names, email addresses and social security numbers, though on a much smaller scale than the OPM’s data loss.


The difference between the two is that the public took less notice of the smaller-scale data breach. With high-profile and large-scale breaches occurring at an alarming rate, governmental organizations and the public are less likely to prioritize the small-scale trickling of confidential data.

“[M]y real concern is that [the OPM breaches] desensitized the public and government officials to smaller but still damaging breaches like the attack on the Census Bureau,” said Monzy Merza, chief security evangelist of the software intelligence firm Splunk. “…It is clear that we must ensure that our government has the right budget, tools and personnel to continuously defend our networks from all adversaries.”

Preventative Action

The danger of desensitization to cybercrime is real, as most people don’t consider it a priority until they become victims. The Census Bureau commented on their recent data loss with an acknowledgement that unauthorized access occurred, but claimed that any information leaked was “non-confidential.”

“Security and data stewardship are integral to the Census Bureau mission,” the Census Bureau statement said. “We will remain vigilant in continuing to take every necessary precaution to protect all information.”

Unfortunately, eleventh-hour measures to improve cybersecurity come at a cost. Businesses that prioritize security only after their privileged information has been compromised indicate a willingness to ignore the risk until there are tangible consequences. Preventative measures are critical to good cybersecurity practice, yet the cost of implementing these measures leaves organizations ill-equipped to handle cybercrime when it arrives.

To prevent this trend from becoming part of the norm, organizations must take preventative action to safeguard their data and infrastructure before problems occur. While costs are associated with these measures, they are negligible compared to the costs of a lawsuit from individuals affected by poor data security.


Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.
