Solving Cyber Due Diligence and Other 21st Century Data Threats


David Wallace

Who goes first? Buyer or seller?

Dealmaking in the 21st century presents uncomfortable questions over when, and whether, data security and third-party validation of data protection should be shared. Which side is comfortable enough to exchange its most sensitive, and risky, details of business functions and threats?

And when the information is shared, can you verify the answers? 

Can you test and trust your acquisition targets, partners and their people with network access, data and intellectual property? The legal, financial and regulatory impacts of customer data leaks and network breaches at Yahoo had a bottom-line impact on its acquisition by Verizon Communications.

Internal and external threats—not just from hackers but also from contractors, former employees and other partners—need to be actively and regularly screened for their use of, and access to, critical data. Trust is key, and so is verification, says Thomas Brown, global leader of the Cyber Security & Investigations practice at Berkeley Research Group. 

“Disclosing prior hacks and what you have done as a response can be controversial. There is no one-and-done approach,” he says. “Systems are constantly in motion: adding and removing devices, data, maybe a joint venture arrangement where you are securely sharing data.”

Identification and access management is now a key part of the enterprise security function. Getting comfortable with this fast-moving aspect of business is an important step, Brown adds. There are no universal rules, no single decision in managing data or network use. Standards are changing.

“It’s almost like a brownfield environmental impact in real estate development—so it’s not entirely a new problem,” Brown says. “There are technical, policy and legal implications and you need to involve all those teams and their know-how. But this is an evolving legal and regulatory environment with different interpretations.”

Balancing the demands of multiple stakeholders while retaining the trust of clients, partners or investors is just one challenge for top executives. Due diligence may require knowing how your actions compare with those of industry leaders. Another qualification is having confidence in your decisions as part of a consistent, defensible plan.

One of the most consequential new rules is set to take effect in 2018. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe. It will extend to any organization with data from EU citizens. 

Depending on how stringently the GDPR is enforced, long-time predictions of trusted, third-party verification of data security may prove accurate, says Dwayne Melancon, director of product for iOvation Inc., a Portland, Oregon, company that advises companies on cloud-based authentication and fraud prevention. In time, GDPR standards could be adopted in other regions. 

“If you couple this with some guidelines or mandates that affect publicly traded companies, that approach would gain a much stronger foothold,” he adds. “This brings with it the question of enforcement and jurisdiction. If there are conflicts, generally the stronger policy wins, but that assumes collaboration and coordination among the enforcement bodies. We’re a long way from that happening.”

The May 2017 WannaCry ransom threat, and the variations that will likely follow, represent one milestone for companies. Some admit to being hit—FedEx, Telefonica and the UK National Health Service—and learn from the experience to prepare for the next incident.

It is important to devise a process for how often and with whom to discuss hacks, breaches and security standards, says Peter Coddington, a Baltimore mobile data expert who developed a training standard for Credentialed Mobile Device Security Professionals. No company can go it alone. And as Target Corp. learned, even the least-secure links, such as connected cash registers and thermostats, can be the data source or entry point for determined hackers.

“In some ways, the requirements for corporations to carry cyber-insurance are forcing a disclosure of methodology of security and creating some benchmarks,” Coddington says. “Scoring the technology infrastructure and data-handling practices and security makes this a cost of doing business rather than an expense that can be skipped in favor of lower costs and a riskier operating profile.”


Know Your Threats

As business transactions occur remotely via phones and tablets, the value of at-risk data rises. Convenience to employees and customers must be balanced against the ability to secure the data—not just communications about the data. JP Morgan Chase, for example, announced plans to enable an account opening process that verifies client data without a customer setting foot in a bank branch. 

Even inside an organization, disagreements arise over who retains ownership of work such as code, files, work-in-progress or future plans. Limit vulnerability by tracking activity and who touches particular files, accesses servers or tries to copy data. 

A 2016 report by cloud security provider Bitglass said that cloud-based data and information-as-a-service providers created concerns for top executives about securing their data and ensuring client privacy or confidentiality. The report found that 57% of over 3,000 respondents cited cloud data leakage as their top concern; 36% said it was enterprise compliance.

Establishing the context behind attacks on your company or data is key, Brown says. Rather than just logging events, companies need to turn that information into knowledge that enables faster decisions.

About 65% of IT leaders surveyed by the Ponemon Institute said that threat intelligence could have prevented or minimized an attack. Yet the same percentage of respondents said they were only somewhat or not satisfied with their current approaches because the information is not timely.


Know Your Networks

“We do live in a ‘technocracy.’ The technology that you design and the companies you work for will dictate the world and the rules by which we live,” says Prof. Latanya Sweeney, director of the Data Privacy Lab at Harvard University and a former chief technologist for the US Federal Trade Commission.

Her comments outlined how laws, policies and rules of a different era—for instance, the age of the wired desktop phone—are still in force as today’s wiretap regulations and legal standards. Further, laws are inconsistently applied: In 2016, she was able to re-identify hospital patients using public data sets because only three of the 33 states that share and sell their patient discharge data follow the HIPAA regulations governing hospitals.

Ransomware targets in 2016 ranged from hospitals to the San Francisco transit agency, Bay Area Rapid Transit (BART), and a Massachusetts town’s police department.

Phishing emails that deliver ransomware links are getting more advanced, denying access to entire systems when activated. Timely full-system backups and multiple-site server redundancy can reduce the threat, Brown says, but companies also need to see if the software is exporting and stealing data or merely blocking access, as WannaCry did in locking up machines.

“It’s a low-level, low-tech threat and a common problem, but it can be devastating,” he notes, focusing on a nontechnical part of the decision to pay.

Agreeing to pay ransom only rewards hackers, financing their next attack or making you vulnerable to another attack for more payments, Brown says. So there is an existential conflict in cybersecurity: What is best for your situation versus best for the community good?

Many intrusions are not reported to the Federal Bureau of Investigation. Victims pay or patch the leak and choose to get back to business, then-FBI Director James Comey told a March 2017 conference at Boston College aimed at recruiting cyber-savvy students to law enforcement careers.

“A company has to make a judgment about the risk/benefit [equation] to sharing data,” Comey added. “Your CISO should have local FBI contacts. It’s shortsighted to assume our interests are not aligned when it comes to this.”

David Wallace advises organizations on content strategy and communications. He has written for Wired, Reuters, The New York Times and Knowledge@Wharton and lives near Boston.