Ron Arden, Executive Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) at the Hilton DoubleTree Hotel in Rochester, NY on December 7, 2016. Ron delivered a presentation on “Defending Your Intellectual Property Against Cyber and Insider Threats” at this annual event and showed attendees how to use Fasoo’s enterprise digital rights management to protect sensitive information from insider threats and cyber attacks.
With the changing regulatory climate and the constant news of data breaches and cybersecurity incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group. Ron spoke about the new NY State Department of Financial Services (DFS) cybersecurity regulations, which require banks, financial services companies and insurance companies registered in the state of NY to meet new cybersecurity rules. A major one is to encrypt all non-public data, which will require major changes in policy and technology.
A number of attendees came up after the presentation and asked about some of the research Ron presented from the recent Ponemon Institute study “Risky Business: How Company Insiders Put High Value Information at Risk”. One gentleman from a bank commented that finance departments are less likely to expose sensitive information than sales or HR, which may be related to finance professionals having agreed to certain standards of data sharing as part of their professional certifications or degrees. While that is certainly a possibility, there is still the risk of carelessness, which was cited as the number one cause of data breaches.
Another person asked about protecting information in the supply chain, since third party risk assessment is becoming a bigger issue with regulators. The HIPAA laws and others make a company responsible for sensitive information shared throughout the supply chain, so a company needs to worry about the security of its suppliers and partners.
As discussed during the event, auditors and risk management professionals are very concerned about meeting regulatory compliance, but also following internal audit and security rules. During the keynote presentation by Paul Greene, an attorney from Harter Secrest & Emery LLP, there was discussion on how best to meet what can be either vague or overlapping cybersecurity regulations. Paul talked about recent Federal Trade Commission (FTC) rulings that stipulate that a non-compliant company must have an external cybersecurity audit every 2 years, for the next 20 years, to prove they meet strict cybersecurity guidelines.
There was also discussion about security versus compliance, which is a constant battle. An auditor can show that a company meets HIPAA, SOX, GLB, PCI and many other regulations, but that doesn’t mean it is secure. Since many regulations are somewhat vague about how to be compliant, the group talked about using cybersecurity frameworks from NIST as a way to ensure security that goes beyond compliance.
Another discussion area was using analytics to understand what is normal behavior in your organization, so you can determine what is abnormal. There are weaknesses in controls around data access for many companies and it is challenging to separate the noise from the important details as IT and auditors review logs from security tools. Organizations need to establish a baseline of normal data access and then look at how activities deviate from the norm. This will help pinpoint insider threats as well as suspicious activity from compromised systems.
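As an added illustration of the baseline-and-deviation approach discussed above (example code written for this page, not Fasoo’s product or anything shown at the event), the following builds a per-user baseline from constructed document-access records and flags two kinds of departure from it: an unusual volume of documents and access to a folder the user has never used. The users, paths, five-day window and 3-sigma threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): one record per document access as (day, user, path).
# Days 1-5 form the baseline window; day 6 is the day under review.
RECORDS = (
    [(d, "alice", f"/finance/q{d}.xlsx") for d in range(1, 6)]
    + [(d, "alice", "/finance/ledger.xlsx") for d in range(1, 6)]
    + [(d, "bob", f"/hr/review-{d}.docx") for d in range(1, 6)]
    # Day 6: alice pulls far more documents than usual (a bulk-export pattern);
    # bob opens a finance document although he has only ever worked in /hr.
    + [(6, "alice", f"/finance/export-{i}.csv") for i in range(40)]
    + [(6, "bob", "/hr/review-6.docx"), (6, "bob", "/finance/ledger.xlsx")]
)

def build_baseline(records, last_day):
    """Per user: mean/stdev of distinct documents per day, plus the folders normally used."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> day -> documents
    folders = defaultdict(set)
    for day, user, doc in records:
        if day <= last_day:
            per_day[user][day].add(doc)
            folders[user].add(doc.rsplit("/", 1)[0])
    baseline = {}
    for user, days in per_day.items():
        counts = [len(days.get(d, ())) for d in range(1, last_day + 1)]
        baseline[user] = {"mean": mean(counts), "stdev": pstdev(counts), "folders": folders[user]}
    return baseline

def find_deviations(records, baseline, day, z_threshold=3.0):
    """Flag users whose access volume or folder usage on `day` departs from their baseline."""
    docs = defaultdict(set)
    for d, user, doc in records:
        if d == day:
            docs[user].add(doc)
    alerts = []
    for user, seen in docs.items():
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no baseline for user"))  # brand-new identity: worth a look
            continue
        spread = b["stdev"] or 1.0  # a perfectly regular user would otherwise divide by zero
        z = (len(seen) - b["mean"]) / spread
        if z > z_threshold:
            alerts.append((user, f"volume z-score {z:.1f}"))
        new = {p.rsplit("/", 1)[0] for p in seen} - b["folders"]
        if new:
            alerts.append((user, f"new folders {sorted(new)}"))
    return alerts
```

On the constructed data this reports alice for volume and bob for a new folder; a real deployment would feed it DRM or file-server audit logs and tune the window and threshold to the organization.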
The event showed the growing need for security solutions that focus on protecting and controlling sensitive data as companies try to mitigate the risk of both cyber and insider threats.