You just opened your seventh "Updates to our Terms of Service" email this week, and a few paragraphs in, you realize that something is off—that’s the second misspelled word in as many paragraphs.
DON’T CLICK THAT LINK!
Even those helpful privacy updates could put you at risk.
Bad grammar and misspelled words in emails aren’t always the signs of a lazy writer; they could be something much more dangerous: red flags that you might be the target of a common cyber attack known as phishing.
In an interview with Nick Holland published in Data Breach Today, RSA’s Director of Identity, Angel Grant, warns, "We're already starting to see an uptick of phishing emails targeting fake GDPR alerts, [especially] privacy notification acceptance emails, because everyone's getting tons of those right now."
Think you’re too smart to fall for that? Recent research suggests that when it comes to phishing, people tend to underestimate their own vulnerability, and some may even be more susceptible than others.
GDPR has everyone talking about cybersecurity, so there’s a lot of information to sift through out there. Trish Ping, Senior Security Consultant at Indianapolis-based Pondurance, agreed to answer a few of our questions to help Indiana’s membership associations focus on what’s important when it comes to protecting your members’ data, and what to do if, despite your best efforts, a breach occurs.
ISAE: Trish, there’s so much information out there. Most of us feel out of our depth when we read it. What would you say is the single most important thing an association’s management team can do to protect its members’ data today?
TP: I’d have to say, performing security awareness training on a regular basis to educate your staff. Specifically, training that includes simulated phishing attacks, best practices for passwords, and malware protection installs and alerts so the staff can identify suspicious events and know when something needs to be escalated.
You also want to make sure that patches are installed within a few days of release. This is one of the most common ways organizations are compromised. Patches should be installed on all devices, including cell phones and laptops, as soon as they’re available. IT departments should be doing the same with patches for firewalls and servers.
ISAE: So how does an organization usually discover a breach?
TP: Most breaches are discovered by third parties, like partners, vendors, or even law enforcement. In most cases, the organizations have had a known vulnerability within their environment for over 3 months before being discovered.
ISAE: Yikes. That doesn’t sound good. What should an association do if they discover or are notified by a third party of a breach?
TP: Well, every organization needs a security incident response plan before that happens. An incident response plan outlines actions, roles, and responsibilities for suspicious events. Your plan should include steps to quarantine the infected device without compromising the evidence, and to contact a forensic company, law enforcement, and your cyber insurance company. The most important thing to remember is that the data should be preserved to allow for forensic investigation. Also, make sure you’re performing the appropriate backups to restore the data and devices to a state prior to being compromised.
NOTE: Indiana’s Security Breach Notification Statute requires that organizations that experience a security breach notify the State’s Attorney General using this form, and that all those whose data has been compromised be notified “without unreasonable delay.” If the breach impacts 1000 members or more, you’ll also need to notify all three national consumer credit reporting agencies (Experian, TransUnion, Equifax).
The State of Indiana defines a breach as “an unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of personal information.”
What personal information? An individual’s Social Security number, or any combination of a person’s name and any of the following: driver’s license number, account number, state identification card number, credit card number, financial account number, or debit card number in combination with any required security code.
ISAE: For organizations that don’t already have a plan, are there steps you would recommend, or somewhere you could point us to start that process?
TP: The NIST (National Institute of Standards and Technology) has a guide that does a great job of outlining a security incident response plan. There are even templates you can use. I would start there, but some may want to reach out to a firm like ours to evaluate your vulnerability first.
You can find the guide here: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
ISAE: Thanks, Trish. Last question. Many of our associations have international members. What sort of things should they be doing to make sure they’re GDPR compliant?
TP: Ensure the data is encrypted and only the required staff members have access to the data (even if just viewing the data). Implementation of minimum necessary access is also a key component. Data should only be stored or maintained for as long as required to perform the business function, and once it is deleted, the data should be permanently deleted, including backups. Those are a few things, but it would be best to have an assessment of the GDPR controls that are implemented to ensure the organization meets the GDPR requirements.
One last note. Any security breach should trigger an investigation, either by your internal IT team or cybersecurity consultants, that could take weeks or even months. Don’t wait until all the information is in before informing your members. Make sure that your plan includes who, how, and when you’ll notify members, as well as how you’ll handle any questions from the media.
It’s okay to not have all of the answers right out of the gate. It’s never okay to be less than transparent about that with the members who put their trust in you.