1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Survey Says…Cybersecurity Remains A Critical Challenge For Business

On March 14, 2018, IBM Security announced the results of a new global study on organizational cybersecurity readiness and resiliency entitled “The 2018 Cyber Resilient Organization.” The new survey includes insights from more than 2,800 security and IT professionals, and makes clear that cybersecurity readiness and resilience remain a critical challenge for businesses worldwide:

  • 77% of respondents admit they do not have a formal cybersecurity incident response plan applied consistently across their organization;
  • 77% of respondents report having difficulty retaining and hiring quality IT security professionals;
  • 50% of respondents believe their incident response plan is either informal, ad hoc, or non-existent;
  • 60% of respondents consider lack of investment in artificial intelligence and machine learning as the biggest barrier to achieving cyber resilience;
  • 31% of respondents believe they have an adequate cybersecurity budget in place;
  • 29% of respondents report having ideal staffing to achieve cyber resilience; and
  • 23% of respondents say they do not currently have a CISO or security leader.

Cyber resiliency and preparedness remain a challenge for businesses worldwide.

Despite these results, 72% of respondents report feeling more cyber resilient than they were last year. Is this confidence misplaced?

The new results largely track the results of PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, which found that of the more than 9,500 senior executives surveyed in 122 countries:

  • 67% have an internet of things (IoT) security strategy in place or are currently implementing one;
  • 36% have uniform cybersecurity standards and policies for IoT devices and systems;
  • 34% have new data collection, retention and destruction policies; and
  • 34% assess device and system interconnectivity and vulnerability across the business ecosystem.

These low results for cyber preparedness and resiliency present a significant risk for business. In its Global Risk Report 2017, the World Economic Forum found that “large-scale cyber-attacks or malware causing large economic damages” or “widspread loss of trust in the internet” remain the primary business risks in North America.

Organizations must be better prepared for cybersecurity incidents, which can result from unintentional events or deliberate attacks by insiders or third parties, such as cyber criminals, competitors, nation-states, and “hacktivists.” A prior IBM Study on the cost of data breaches found, using a sample of 419 companies in 13 countries and regions, that 47% of data breach incidents in 2016 involved a malicious or criminal attack, 25% were due to negligent employees or contractors (i.e., a human factor), and 28% involved system glitches, including IT and business process failures.  Organizations that fall victim to successful cyber attacks or experience cyber incidents may incur substantial costs and suffer significant consequences, including remediation costs, increased cybersecurity protection costs, lost revenue, litigation and legal risk, reputational damage, increased insurance premiums, and damage to the organization’s competitiveness and shareholder value.

Making things more complicated, there are number of new regulatory regimes requiring covered enterprises to develop robust cybersecurity policies, safeguards, and incident response plans, including the New York Department of Financial Service Cybersecurity Rules and the US Security and Exchange Commission’s recent guidance on cybersecurity risk and incident disclosures.

If you or your enterprise are looking to assess your current cybersecurity practices, risk profile, or incident response preparedness, including legal compliance, or create new systems, policies, and processes, the Dentons cybersecurity team is prepared to help.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

 

Survey Says…Cybersecurity Remains A Critical Challenge For Business

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

HHS Issues Quick Response Cyber Attack Checklist

Last month, after the WannaCry ransomware attack infected 230,000 computers in 150 countries, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a “Quick-Response Checklist” for HIPPA covered entities and business associates to follow when responding to a ransomware attack or other “cyber-related security incident,” as that phrase is defined under the HIPAA Security Rule. 45 C.F.R. 164.304.

Checklist Recommendations

The checklist provides four recommendations:

  1. Execute the response and mitigation procedures and contingency plans. Entities should immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information (either done by the entity’s own information technology staff, or by an outside entity brought in to help).
  2. Report the crime to other law enforcement agencies. This includes state or local law enforcement, the FBI, or the Secret Service. The OCR makes clear that any such report should not include protected health information (unless otherwise permitted by the HIPPA Privacy Rule).
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). A cyber threat indicator is defined under federal law as information that is necessary to identify malicious cyber activity. The US Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs are all identified as acceptable information-sharing organizations under the new checklist. The OCR, however, makes clear that it does not receive reports from its federal or HHS partners.
  4. Report the breach to OCR as soon as possible, “but no later than 60 days after the discovery of a breach affecting 500 or more individuals.” Entities should notify “affected individuals and the media unless a law enforcement official has requested a delay in the reporting.” The OCR also presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery. And the OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.

In the end, the OCR states that it considers “all mitigation efforts taken by the entity during any particular breach investigation,” including the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations, as outlined in the checklist.

Takeaways

The OCR’s checklist makes clear that preparing for, and responding quickly to any potential breach should be a priority for HIPPA covered entities and their business associates. This includes preparing or updating enterprise wide incident response plans, training leadership, implementing effective governance programs, and having the ability to rapidly mobilize a response to malicious activity. Dentons’ global Privacy and Cybersecurity Group, in conjunction with Dentons’ leading healthcare practice, has extensive experience helping entities prepare and execute such plans and dealing with the rapidly changing legal and regulatory landscape that emerges in the aftermath of a security incident.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

HHS Issues Quick Response Cyber Attack Checklist

US Government Accountability Office Releases New Report On The Internet of Things (IoT)

On May 15, 2017, the US Government Accountability Office (GAO) released a new report entitled “Internet of Things: Status and implications of an increasingly connected world.” In the report, the GAO provides an introduction to the Internet of Things (IoT), describes what is known about current and emerging IoT technologies, and examines the implications of their use. The report was prepared by reviewing key reports and scientific literature describing current and developing IoT technologies and their uses, concentrating on consumers, industry, and the public sector, and interviewing agency officials from the Federal Trade Commission (FTC) and Federal Communications Commission (FCC). The GAO also convened a number of expert meetings during the drafting process, bringing together experts from various disciplines, including computer science, security, privacy, law, economics, physics, and product development.

Technological Advancements Leading To IoT Surge

The GAO identified four technological advancements that have contributed to the increase in IoT devices:

  • Miniaturized, inexpensive electronics. According to the GAO, the cost and size of electronics are decreasing, making it easier for the electronics to be embedded into objects and to be enabled as IoT devices. For example, the price of sensors has significantly declined over the past decade. One sensor called an accelerometer cost an average of $2 in 2006. The average price of the unit in 2015 was $.40.
  • Ubiquitous connectivity. The GAO notes that the expansion of networks and decreasing costs allow for easier connectivity, and for IoT devices to be used almost anywhere. The proliferation of Wi-Fi options and Bluetooth creates a more expansive space for IoT to operate.
  • Cloud computing. Cloud computing allows for increased computer processing. Because IoT devices create a large amount of data, they require large amounts of computing power to analyze the data. The increase and availability of cloud computing is helping IoT devices expand.
  • Data analytics. New advanced analytical tools can be used to examine large amounts of data to uncover hidden patterns and correlations. According to the GAO, advanced algorithms in computing systems can enable the automation of data analytics, and allow for valuable information to be collected by IoT devices.

Common Components Of IoT Devices

The GAO identifies three major components that make up nearly all IoT devices: (1) hardware, (2) network connectivity, and (3) software. The hardware used in IoT devices generally consists of embedded components, such as sensors, actuators, and processors. Sensors generally collect information about the IoT environment, such as temperature or changes in motion. Actuators perform physical actions, such as unlocking a door. And processors serve as the “brains” of the IoT device. The network component of an IoT device connects it to other devices and to networked computer systems. And the software in IoT devices perform a range of functions, from basic to complex. These three components are common across the IoT industry, and serve as the bedrock foundation for understanding the security challenges facing the IoT space.

Benefits and Uses

According to the GAO, the benefits and uses of IoT for consumers, industry and the public sector are widespread. From wearable IoT devices, such as fitness trackers, smart watches and smart glasses, to smart homes, buildings and vehicles, IoT is changing the landscape of consumer products and how people interact with their space. IoT is also impacting supply chain and agriculture industries, enhancing productivity and efficiency.

Potential Implications

With these benefits comes potential risk. The GAO report identifies five risk categories presented by the onset of new IoT technology: (1) information security; (2) privacy; (3) safety; (4) standards; and (5) economic issues.

  • Information security. The IoT brings the risks inherent in potentially unsecured information technology systems in homes, factories, and communities. IoT devices, networks, or the cloud servers where they store data can be compromised in a cyberattack.
  • Privacy. Smart devices that monitor public spaces may collect information about individuals without their knowledge or consent.
  • Safety. Researchers have demonstrated that IoT devices, such as connected automobiles and medical devices, can be hacked, potentially endangering the health and safety of their owners.
  • Standards. IoT devices and systems must be able to communicate easily. Technical standards to enable this communication will need to be developed and implemented effectively.
  • Economic issues. While impacts such as positive growth for industries that can use the IoT to reduce costs and provide better services is a beneficial outcome, economic disruption is also possible, such as the need for certain types of businesses and jobs that rely on individual interventions, including assembly line work or commercial vehicle deliveries.

As IoT technology increases, so too will the regulatory landscape governing its use. Although there is no single US federal agency that has overall regulatory responsibility for IoT, various agencies oversee or regulate aspects of the IoT, such as specific sectors, types of devices, or data. If you or your business is operating, or plans to operate in the IoT space, the Dentons’ global Privacy and Cybersecurity group can help you navigate this fast-paced, and shifting environment.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

US Government Accountability Office Releases New Report On The Internet of Things (IoT)

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers