The importance of education and training in striving for the best possible cybersecurity outcomes can’t be overestimated. Within organizations, management looks to these initiatives as a way to inform employees about an ever-evolving cyberthreat landscape replete with risks and the potential for losses. Regularly scheduled training also provides a method for documenting employee compliance and a “checked box” for security efforts.
But staying compliant with regulations, laws, and internal policies is not a guarantee of perfect security. I often think that we’d all like to believe that completing that 15-minute module three weeks ago on how to spot an email scam (the one that really only took five minutes to finish) is enough to ensure our organization’s security. Everyone who was assigned the training has completed it—that’s enough, right? This false sense of security frequently weakens the culture of security that training and education are supposed to support.
In 2013, Target fell victim to a massive breach that left millions of customers’ data vulnerable to hackers. The attack continues to cost Target even now, as the organization has decided to pursue legal action against its insurer for $74 million, alleging that it was not reimbursed for issuing new payment cards to customers.1 Substantial reputational and financial damages ensued as a result of the breach, and clearly, Target is not completely out of the woods. The scary thing? As a recent journal article pointed out, “In 2013, Target was certified PCI DSS compliant weeks before hackers installed malware on the retailer’s network.”2
Compliance with Payment Card Industry (PCI) standards would have had upper management feeling pretty good about their security. While the Payment Card Industry Security Standards Council has set forth these standards as a minimum baseline by which an organization should abide, I think it’s fair to say that a large majority of PCI-compliant organizations take a passing audit as an A+ for security, “set it and forget it” until the next audit, and pat themselves on the back when they pass again. The fact is, Target’s compliance meant little in providing an overall view of its security posture; PCI compliance could not predict that when technical controls alerted Target to an intrusion, they would be ignored.
Compliance with technical control standards can never override the human element of security. In Target’s case, compliance with PCI standards did not have any impact on day-to-day security practices. Organizations can support security, budget appropriately, pursue compliance, assure customers and clients of their attention to latest requirements and best practices—and still be insecure. Accounting for the human element requires interactive, regular training that considers each employee’s unique role in contributing to an organization’s security culture. While every employee is responsible for security, different roles and responsibilities require personalized education. Additionally, training for new technologies—as well as an organization’s incorporation of the Internet of Things—should always be provided across departments.
Attorneys are held to an especially high standard when it comes to the information they protect. According to the American Bar Association’s Formal Opinion 477R, “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”3 The reasonable efforts required by the legal community to prevent data breaches necessitate thorough education that takes the firm’s specific needs, and types of data, into account. Compliance with policy is only worthwhile when upheld by a culture of security that acknowledges the unpredictability of a changing threat landscape.
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.
Notes
1 http://www.startribune.com/target-sues-insurer-for-at-least-74-million-in-2013-data-breach-costs/565169292/
2 https://www.csiac.org/journal-article/compliant-but-not-secure-why-pci-certified-companies-are-being-breached/
3 https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.authcheckdam.pdf
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.