I was honored to be part of a panel discussion hosted by the Greater Miami Chamber of Commerce entitled The Convergence of Technology & Banking: Security & Compliance. The panel consisted of Andrew Obuchowski, Jr. of McGladrey LLP, Patrick Whelan of All Covered, Tom Neclerio of SilverSky, and me. While the subjects discussed were wide ranging, some themes were repeated throughout the conversation.
The threats from phishing and social engineering are increasing
We have all received emails and phone calls that seemed suspicious. We on the panel agreed that these attacks are becoming more frequent and more sophisticated. No longer is it a Nigerian prince asking for money. Instead, emails that look like they come from a legitimate company arrive in an attempt to fool the recipient into disclosing account credentials or personal information.
Third party service providers are frequently involved in breaches, but it is a minor detail
Many of the recent large data breaches that have produced headlines have a root cause involving a third party service provider. While those of us in privacy and security take note of this, the media consider it a minor detail. As I think more about it, I suggest that the level of attention the third party involvement receives is appropriate. After all, it is the breached party, the data controller, who has the responsibility to verify that the data they collect is properly protected no matter where the data travels.
Paper breaches frequently happen, but they are kept quiet
Maybe the volume of information lost in a paper-based data breach is so much smaller than that involved in an electronic data breach that the media don't find the story interesting or sexy. Whatever the reason these events are kept quiet, paper-based data breaches occur frequently, so businesses must be prepared to address them.
Businesses need and must test incident response and crisis communication plans
All of the panelists were able to point to at least one situation where a company had been hacked but didn't know about it. Without an incident response plan in place, the affected organizations would have to decide what to do on the fly, with many of those decisions not well thought out. Preparing an incident response plan and creating a crisis communication plan gives a business the opportunity to think through the actions it should take in the event of a data breach. Testing these plans gives the organization confidence that the plan calls for the right actions and that the plan will actually be followed.