The Society of Corporate Compliance & Ethics annual conference always provides a torrent of useful ideas and advice. I spent the first day attending several sessions on cybersecurity risks and privacy compliance. Without further delay, here is a collection of random observations I jotted down, in no particular order…
Remember that one weak spot in your cybersecurity defenses might be LinkedIn. If your network engineers have profiles there listing their technical skills, those skills might offer clues to hackers about how your IT security is structured. Ditto if the HR department is posting job descriptions with lengthy technical requirements. Try to educate both groups on “hint risk” and perhaps even draft a policy about how specific their public posts can be.
How long should the ideal password be? At least 15 characters. Apparently that’s because many older IT programs store passwords in two seven-character pieces. (Even if your password is only 8 characters, it would be stored as one part of seven characters and a second part of one character.) Pushing your password to 15 characters forces password cracking tools to break it into three chunks, which is much harder for them to do. (Separately, I found an interesting article that explains why a longer, simpler password is better than a shorter, complex one.)
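To show why chunked storage matters, here is an added Python model (not code from the post or any of the conference presenters) of a password store that hashes fixed-size pieces of the password independently, the scheme described above and best known from the Windows LM hash. Chunk size, alphabet and the SHA-256 stand-in for the legacy hash are assumptions chosen to keep the demo small and runnable; the real LM scheme capped passwords at 14 characters (two 7-character halves), so the "any number of pieces" generalization below is also an assumption. The toy cracker recovers each piece on its own, which is exactly why total work grows with the number of pieces rather than exponentially with password length.

```python
import hashlib
import itertools

CHUNK = 7  # assumed piece size, matching the seven-character halves described above


def split_into_chunks(password, chunk=CHUNK):
    """Split a password into fixed-size pieces; each piece is stored on its own."""
    return [password[i:i + chunk] for i in range(0, len(password), chunk)]


def store_chunked(password, chunk=CHUNK):
    """Model of the legacy store: one independent, unsalted hash per piece.

    SHA-256 stands in for the legacy hash function (assumption); the weakness
    shown here comes from the chunking, not from the hash chosen.
    """
    return [hashlib.sha256(c.encode()).hexdigest()
            for c in split_into_chunks(password, chunk)]


def crack_chunked(store, alphabet, chunk=CHUNK):
    """Brute-force each stored piece separately and reassemble the password.

    Returns (recovered_password, guesses_made). Because the pieces are
    independent, a miss on one piece never forces a restart of the others.
    Only run this with a tiny alphabet: the search is exhaustive by design.
    """
    guesses = 0
    pieces = []
    for target in store:
        found = None
        # The cracker does not know the piece length, so it tries 1..chunk.
        for length in range(1, chunk + 1):
            for candidate in itertools.product(alphabet, repeat=length):
                guesses += 1
                text = "".join(candidate)
                if hashlib.sha256(text.encode()).hexdigest() == target:
                    found = text
                    break
            if found is not None:
                break
        if found is None:
            raise ValueError("piece uses characters outside the assumed alphabet")
        pieces.append(found)
    return "".join(pieces), guesses


def worst_case_guesses(length, alphabet_size, chunk=CHUNK):
    """Compare worst-case guesses for chunked storage vs. a whole-string hash.

    Chunked: sum of |alphabet|^len(piece) over the pieces (each attacked alone).
    Whole:   |alphabet|^length (the attacker must get every character at once).
    Shorter-length trial rounds are ignored so the two figures are comparable.
    """
    pieces = split_into_chunks("x" * length, chunk)
    chunked = sum(alphabet_size ** len(p) for p in pieces)
    whole = alphabet_size ** length
    return chunked, whole


if __name__ == "__main__":
    # Constructed demo: 3-symbol alphabet and 2-character pieces so the
    # exhaustive cracker finishes instantly.
    pw, n = crack_chunked(store_chunked("ABCBA", chunk=2), "ABC", chunk=2)
    print(f"recovered {pw!r} in {n} guesses")
    # Realistic sizes: 36-symbol alphabet (upper-case letters and digits).
    for length in (8, 14, 15):
        chunked, whole = worst_case_guesses(length, 36)
        print(f"{length:2d} chars: chunked {chunked:.3e} vs whole {whole:.3e}")
```

The printed comparison makes the post's point concrete: with independent seven-character pieces, a 15-character password costs an attacker roughly twice the work of an 8-character one, whereas a store that hashes the whole string makes each extra character multiply the work by the alphabet size. The defensive lesson is the same either way: retire chunked legacy hashes where you still can, and where you cannot, push minimum length up so that every piece is full-size.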
The worst cyber attacks are classified as advanced persistent threats (APTs). These attackers could be foreign governments, crime rings, or anyone else looking to run the long con on your data. Good luck fighting them (you’ll need all the luck you can get), but remember this starting point: advanced persistent threats always want to stay and observe your organization. Getting discovered means they get booted off your IT system, and then they have to build a new attack plan from scratch.
Another password tip: if your password program allows you to include a space in your password, use one. Many online cracking tools (the cheap freebies that casual thieves might use) don’t have the capacity to search for spaces in passwords.
Once you do discover a machine on your network that’s infected, don’t turn it off—disconnect it from the network, then leave it alone. Only a cybersecurity professional should decide when it’s time to turn off an infected machine.
Insurance and Privacy
How important is cyber-breach insurance today? So important that if you don’t have insurance for a breach and one happens, your D&O insurance policy might not cover the inevitable shareholder lawsuits that follow. That is, cyber insurance has become so important that not having it might be construed as negligent corporate governance, leaving your directors and officers exposed to other litigation.
Along similar lines, consider how your cybersecurity insurance might intersect with the property & casualty policies your company has. For example, hackers might penetrate the software you use to control a manufacturing plant and force a turbine to accelerate so much that it breaks down. Do you file a cyber claim, a property claim, or both? Don’t wait until after the turbine attack to answer those questions.
More broadly, when building a privacy program, tread carefully with overseas jurisdictions. A poorly designed privacy program might violate labor laws in Europe, or generate enmity with works councils and labor unions. That will give you more headaches in more areas. (I heard one story of a privacy program that irked a works council so much, it refused to negotiate a whistleblower hotline program.)
Expect the European Union’s General Data Protection Regulation (GDPR), coming into force by 2018, to bring many challenges—including a scarcity of skilled consultants able to help you. (Unskilled consultants unable to help you will remain abundant.) One compliance officer at a mid-sized manufacturing firm said she expects to pay $500,000 to build out an EU-compliant privacy program, which is more than her whole training budget.
The basic premise of the GDPR: it will be more about building preventative compliance, rather than launching reactive investigations after a breach. That’s your starting point. Now go from there.
Those are just a few kernels of advice from two sessions yesterday. The SCCE continues to prove itself as the biggest, most diverse source of compliance wisdom in town.