By Dave DeWitte
Editor’s note: This is the last part in a CBJ series on cybercrime and data security, The Death of Privacy. Read the second installment at bit.ly/privacydeath2.
Forces are converging in the data privacy space that will yield a more protected and regulated business environment – all of which will add to the cost of doing business.
As the number and severity of data breaches rise, businesses will invest more in cyber insurance, data security and in meeting what’s expected to be a wave of regulation aimed at protecting individual consumers’ privacy.
The bottom line for corporate executives is that they can no longer afford to delegate sole responsibility for understanding and implementing their company’s data protection and liability provisions to the IT department.
“There are CEOs losing their jobs and CIOs losing their jobs, maybe fines levied against the company, and a lot of reputational risk,” said Bruce Lehrman, CEO of the Cedar Rapids data hosting and cloud services provider Involta. “People are taking it very seriously.”
One of the biggest challenges for companies, Mr. Lehrman said, is knowing the right amount of investment in data security to protect the business and its clients.
“You can spend 100 percent of your available cash for security and you don’t really know if it’s working or not until it doesn’t,” he explained. Most businesses will try to find a sweet spot in the middle, often “quarantining” truly sensitive data in a more protected part of their network and investing where they think it will do the most good.
The cost of staffing up to protect a company’s data is also growing, with information security professionals in short supply, and such “golden ticket” certifications as CRISC (Certified in Risk and Information Systems Control) in especially high demand, according to Jaret Pfluger, president of the Iowa chapter of ISACA, the industry’s certifying body.
The CRISC certification requires five years of experience and passage of a four- to five-hour examination, Mr. Pfluger said, among other requirements.
Getting such a certification puts professionals close to a guarantee of a job offer at an annual salary of $110,000-$125,000, he noted, leading to a rise in interest despite its difficulty.
The salary for a chief security officer – the top IT security professional in most organizations – is more than $200,000 per year in Iowa, according to salary.com, which places the salary range for the position at $174,786-$230,993 as of Sept. 1.
Like many other data hosting providers, Involta is now being asked by its customers to be a bigger part of the solution.
“We’re investing in building security operations centers,” Mr. Lehrman said. “We’re currently building two 24/7 security operations centers to offer interpretations of the [network] alerts and [security] alarms as they’re coming in.”
Merging cybersecurity and physical security systems has become a hot trend in the industry. Hillcrest Holdings, the family holding company that owns CRST International in Cedar Rapids, recently made its first major investment outside the trucking industry in Converged Security Solutions (CSS), a new company formed by merging a cybersecurity firm with a physical security company.
Security devices such as alarm systems and surveillance cameras are increasingly connected to the internet, posing cybersecurity vulnerabilities, while a new universe of internet-connected devices ranging from lights to Amazon’s Alexa voice service create cyber risks to physical security, according to Bob Friedenberg, CEO of CSS.
By merging the two worlds, Mr. Friedenberg says managed security services will be able to detect aberrations such as the same individual being shown logging into a network from one location, while an access card or biometric scan for physical access shows him or her at another location.
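The aberration Mr. Friedenberg describes, a network login and a physical badge-in placing the same person in two places at once, is a simple correlation over two event streams. The following is an added illustration, not code from CSS or from this article: it assumes a network login log and an access-control log have already been normalized into (timestamp, source, user, location) records, and flags any event whose location disagrees with the other system's most recent event for the same user inside a 30-minute window. The sample events are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (assumed format, not from the article): each is
# (ISO timestamp, source, user, location). "vpn" rows come from the network
# login log, "badge" rows from the physical access-control system.
EVENTS = [
    ("2018-09-01T08:02:00", "badge", "jdoe",   "cedar_rapids"),
    ("2018-09-01T08:05:00", "vpn",   "jdoe",   "cedar_rapids"),  # consistent
    ("2018-09-01T09:10:00", "badge", "asmith", "reston"),
    ("2018-09-01T09:12:00", "vpn",   "asmith", "chicago"),       # badge says Reston
    ("2018-09-01T10:00:00", "vpn",   "bwong",  "home_isp"),
    ("2018-09-01T10:05:00", "badge", "bwong",  "cedar_rapids"),  # login says home
    ("2018-09-01T14:00:00", "badge", "asmith", "reston"),
    ("2018-09-01T17:30:00", "vpn",   "asmith", "reston"),        # old badge, same place
]

WINDOW = timedelta(minutes=30)  # assumed: how close in time two events must be to be compared


def find_location_conflicts(events: List[Tuple[str, str, str, str]],
                            window: timedelta = WINDOW) -> List[dict]:
    """Return one record per event whose location differs from the other
    source's latest event for the same user within `window`.

    The check runs in both directions: a login that contradicts a recent
    badge-in, and a badge-in that contradicts a recent login."""
    # (user, source) -> (time, location) of that source's most recent event
    last: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    conflicts: List[dict] = []
    for ts, source, user, loc in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        other = "badge" if source == "vpn" else "vpn"
        prev = last.get((user, other))
        if prev is not None and t - prev[0] <= window and prev[1] != loc:
            conflicts.append({
                "user": user,
                "time": ts,
                "source": source,
                "location": loc,
                "conflicts_with": other,
                "other_time": prev[0].isoformat(),
                "other_location": prev[1],
            })
        last[(user, source)] = (t, loc)
    return conflicts


if __name__ == "__main__":
    for c in find_location_conflicts(EVENTS):
        print(f"{c['time']} {c['user']}: {c['source']} at {c['location']} but "
              f"{c['conflicts_with']} at {c['other_location']} ({c['other_time']})")
```

Run against the constructed events this reports two conflicts (asmith and bwong); the 17:30 login is not flagged because the nearest badge event is outside the window. In practice the locations would come from a site table for badge readers and a geolocation lookup for source addresses, and the window would be tuned to realistic travel times between sites.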
CSS offers security services nationwide from its operations in Reston, Virginia, and has security certifications that are required by federal agency clients, such as ISO/IEC 27000 and NIST 800-71.
“Eventually, they’re just going to be part of doing business,” Mr. Friedenberg said, foreseeing a day when most corporations require companies they do business with to have the certifications.
The credentials signify “a healthy process of how you’re going to manage every aspect of security and how you will audit compliance,” he said.
On an individual level, users who’ve been able to access their apps and accounts with one password should expect more complex login requirements in the years ahead, according to Greg Edwards, CEO of Watchpoint, the Cedar Rapids-based cybersecurity firm.
Ease of access to data and the internet is “now at its height”, Mr. Edwards told Cedar Rapids’ Downtown Rotary club earlier this year, and users should expect more safeguards that will take time and effort to navigate. Instead of a single password, he said multi-factor authentication will become the norm, likely with additional safeguards such as answering a personal question or identifying an image they previously selected from a grouping. Biometrics such as facial recognition or a fingerprint could also become part of the mix.
“And really what I think will be the ultimate way to protect people’s networks and their logins will be a key, so that you have an actual hardware key,” Mr. Edwards said, referring to such increasingly popular devices as the YubiKey from Yubico. “You log in and press the button, and it’s an encrypted key that says ‘yes, this is me.’”
YubiKey is a small device that looks like a thumb drive and retails for about $50. When plugged into a USB port, the device can complete the second half of a multi-factor authentication test by verifying it’s you logging in, providing a new level of physical security while also simplifying the process of accessing online services like Google, Facebook and Dropbox. Different key models offer different functions, but the most basic function when activated by a touch sensor is to create a character string that implements a one-time password.
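The one-time password the article describes only protects a login if the service checking it refuses codes it has already accepted. The following is an added example, not code from Yubico or from this article; it uses the open HOTP algorithm (RFC 4226, an HMAC over an incrementing counter), which is one of the one-time-password formats such keys can be configured to emit, rather than Yubico's own default OTP format. The shared secret, the look-ahead window size and the `HotpVerifier` class are assumptions for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpVerifier:
    """Server-side state for one enrolled key (assumed design, not a Yubico API).

    The key presses out code number N, N+1, ... ; the server remembers the
    next counter it is willing to accept. A code is accepted only if it
    matches a counter at or beyond that point within a small look-ahead
    window (to tolerate button presses that never reached the server), and
    the counter is then moved past it so the same code can never be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):  # constant-time compare
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment secret: the RFC 4226 test-vector key.
    secret = b"12345678901234567890"
    v = HotpVerifier(secret)
    print(v.verify(hotp(secret, 0)))  # first press accepted
    print(v.verify(hotp(secret, 0)))  # same code again rejected (replay)
    print(v.verify(hotp(secret, 2)))  # press 1 was lost; press 2 still inside the window
```

The first and third calls succeed and the second fails. The design point is that the code itself is not a secret once used: security comes from the HMAC key that never leaves the device and from the server refusing to move backwards through the counter.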
Global regulation hits home
Another reason that data security can’t be left solely to the IT department is the move to regulate data-collecting companies such as Facebook and Google more tightly.
A pivotal moment in that movement arrived on May 25 when the European Union’s General Data Protection Regulation (GDPR) took effect.
Under GDPR, data subjects have “lots of rights with respect to their information,” according to Jason Sytsma, an attorney at Shuttleworth & Ingersoll in Cedar Rapids specializing in intellectual property, data privacy and security.
Those include the right to obtain copies of the information companies collect about them on the web, the right to ask social media companies like Facebook or Google what information they’re collecting and whom they’re transferring it to, and the right to have most or all of their information deleted from social platforms.
Companies that collect consumer data online already face potential scrutiny from the Federal Trade Commission when data breaches occur, according to Mr. Sytsma, and the state of California has had its Online Privacy Protection Act in effect since 2003. That law requires websites to have privacy policies expressed in plain English and to identify the types of information they collect, who might use it and how their online activities could be tracked.
California followed that law with passage of the California Consumer Privacy Act of 2018, or AB 375, in June of this year. The law, set to go into effect in 2020, places even stricter controls on the way companies doing business in the state use consumer data. It sailed through the California State Assembly unopposed with significant support from the business community in order to head off a ballot initiative that would have gone much further, supported by a statewide consumer privacy group.
With GDPR taking effect, and California’s AB 375 looming on the horizon, many businesses will have to invest in compliance measures, Mr. Sytsma said, although not necessarily all. AB 375, for instance, does not apply to companies with less than $25 million in revenue, those interfacing with fewer than 50,000 consumers annually or those not in the business of selling personal information.
GDPR covers companies established in Europe or their subsidiaries in other countries, companies outside the European Union that offer goods or services to “data subjects” in the EU, and entities outside Europe monitoring the behavior of EU data subjects using tools such as cookies.
“Initially, GDPR and the regulators are going to be looking for the big data companies – Facebook, Google, Amazon and so on will be complying with the new data laws,” Mr. Sytsma said. “The small business in Iowa that has a website and maybe some sales to a small European customer base, or even a business-to-business company, aren’t going to be the focus of enforcement initially.”
Still, big violators will face big penalties, with GDPR allowing for administrative fines of up to 40 percent of a company’s annual global sales. For smaller companies, Mr. Sytsma said simply not doing business in Europe is one approach, but that may not be necessary.
“Getting a good understanding of the data you’re actively collecting, processing and storing is a good first step,” he said. “Maybe the amount of data you’re collecting is not that great, and it might be easy to take the necessary steps to comply. I don’t think GDPR is the type of regulation that’s just going to shut U.S. companies out of Europe, or convince U.S. companies it’s not worthwhile to do business in Europe anymore.”
Cyber insurance goes mainstream
As more companies seek reimbursement for data breaches through their ordinary business insurance and find out where the holes are, data breach coverage is evolving and moving to more specialized cyber insurance policies.
Within the last five years, many business insurance providers began including $100,000 of data breach protection within their general liability policies for businesses.
“That’s a Band-Aid,” said Matt Evans, principal and practice leader at TrueNorth Companies, the Cedar Rapids-based insurer. “If you really believe you have cyber exposure, you need a cyber policy.”
Mr. Evans said cyber policies have shifted over the past decade from somewhat vague “off-the-shelf” policies that mainly compensate customers and business partners injured by data breaches to include first-party coverage for the insured business to pay for things like customer notification and the cost of getting a post-breach security audit.
The changes reflect the acceptance that cyber risk is different from ordinary threat coverage. For instance, many business owners are having to learn about bitcoin, the blockchain-based electronic currency preferred by cybercriminals for data ransoms because it can’t be traced.
“They need bitcoin and the ability to fend off a ransomware demand,” Mr. Evans said. “We can really craft the policy now to fill the exact need.”
The costs of cyber policies vary widely, Mr. Evans said, with the most significant factors being the number of records a company maintains and its annual revenue. He offered a few examples at the CBJ’s annual Cyber Security Breakfast, including a manufacturer with $15 million in annual revenue that pays a roughly $5,600 premium for a $2 million cyber policy, and the city of Houston, which pays $471,000 per year for a $30 million cyber policy.
The Eastern Iowa city of Muscatine was targeted in a ransomware attack in October. The city was locked out of its servers used for processing things like parking ticket payments, library book checkouts and building permit applications. The systems were gradually restored, but the entire process took weeks.
“A few years ago, we decided to add cyber insurance,” City Administrator Gregg Mandsager said in a news release. It paid for cybersecurity specialists to isolate the attack and help restore systems to normal. “Given the increasing number of these kinds of attacks, we decided to be proactive and purchase the insurance. The decision has proven to be a good one.”
Still, some sectors of the business world have been slow to get on board. Brandon Besong, who specializes in cyber policies at TrueNorth, said building and mechanical contractors have been slower than most, believing that they don’t have a big enough customer base or cash flow to warrant it.
The data security arms race is expected to continue to escalate, and many emerging threats would have been unimaginable 10 years ago. They include “cryptojacking,” or taking over a computer’s processing power to “mine” cryptocurrency, and the use of cell site simulators to steal data transmissions from the airwaves.
With more areas of vulnerability constantly emerging, there’s little chance that any business can avoid exposure.
“What we always say [about cyber coverage] is, ‘we hope they never have to use it,’” Mr. Besong said.
CBJ Editor Adam Moore contributed to this report.