The CCPA ripple effect in the enterprise: How to prepare
Rising enterprise costs under CCPA
The CCPA states that a consumer has the right to sue if their data is leaked during a breach and it is found that the company did not “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” This means that a data breach will not only result in a loss of consumer trust, it will also come with heavy financial consequences. As it stands, the typical costs of a cyberattack (which include IT response, forensics and recovery, insurance and notification) already average around $1.67 million. Now companies need to be prepared for the additional financial burden of litigation and settlement payouts.
While enterprises have been given a one-year exemption on some aspects, CCPA states that once the full force of the regulation comes into play, consumers will have the right to make requests that extend to the previous 12 months. Given that, and the significant amount of time it takes to roll out new cybersecurity programs at scale, some organizations have already begun to implement the following practices.
Defending with zero trust
The complexity of proper data management and protection is increasing as global work structures continue to evolve. As systems become more interconnected and employee mobility continues to rise, data not only travels more frequently, it often operates outside the bounds of traditional forms of security. Security models that worked well in the past – like firewalls – are no longer as effective at minimizing the risk of cyberattacks. Instead, organizations are turning to the concept of “zero-trust” as the basis of cybersecurity frameworks.
Traditional security models assume that everything within an organization’s network can be trusted by default. A zero-trust model, on the other hand, assumes that all data, devices, apps and users inside or outside of the corporate network are inherently insecure and must be authenticated/verified before being granted access. A zero-trust framework calls for companies to stop utilizing default configurations and instead operate with a “trust nothing” mindset that requires continuous monitoring of all network communications, users and systems. Zero-trust draws on tools such as multi-factor authentication, end-to-end encryption, identity access management, orchestration and other comprehensive system permissions and safeguards.
Avoiding use of consumer technologies
While zero-trust is a dynamic and holistic architecture that underpins cybersecurity processes, it is still important for businesses to evaluate all technologies that may come into contact with consumer data for weaknesses. Under CCPA, companies not only need to seek permission to collect and process customer data, they must also make that personal data available to any tools (third party or otherwise) that they use internally for collaboration. This is a much bigger issue than it may seem at the outset — teams often share documents using public cloud-based platforms like Google Docs. They may also share data when communicating internally via channels like email and messaging apps like WhatsApp, Slack, Microsoft Teams and others. All of these points of contact create an inherent risk, especially if the technologies being used lack proper cybersecurity protocols.
The successful hack of Jeff Bezos’ phone in January was a prime example of how the use of technologies that are not sanctioned by IT and cybersecurity departments can expose enterprises to cyberattacks. Bezos made a critical mistake by using WhatsApp (an app best suited to personal use) on a corporate phone that was connected to corporate data and systems. This incident demonstrates two things: first, the ease with which a bad actor can access company data through a single weak point; second, the need to minimize shadow IT and enforce the use of tools built for enterprise security. The hack particularly highlighted the fact that not all end-to-end encryption protocols are equally effective – this is why market-leading technology providers and experts are working together to create an industry standard for encryption protocols (e.g. Messaging Layer Security). However, since these industry-standard protocols are still being developed, enterprises need to think beyond end-to-end encryption technology to ensure proper protection. This shift even goes beyond the enterprise into the government sector – the United Nations took it a step further and publicly announced that the use of WhatsApp is now banned for internal communications since it is “not supported as a secure mechanism.”
A common thread amongst enterprise-grade messaging tools is that end-to-end encryption is a basic requirement, not a special feature. These types of tools often have the zero-trust ideology at their core, so they approach security holistically – from deployment (mostly on-premises) to cryptography (advanced tools provide “forward secrecy,” using new encryption keys for every message and file sent, and every call made). A few examples of tools like this that are being used include Joiqu, PCloud, Smartsheet and Joplin.
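As an added illustration (not from the article, and not the code of any product named in it) of the per-message key idea described above: a minimal symmetric hash ratchet in Python, with a toy XOR keystream standing in for a real authenticated cipher, showing why discarding spent keys means a stolen current state cannot decrypt earlier messages.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); it cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(msg_key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from a message key (demo only, no authentication)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += kdf(msg_key, ctr.to_bytes(4, "big"))
    return out[:length]


class Ratchet:
    """Each side keeps only the current chain key; spent keys are never retained."""

    def __init__(self, root: bytes):
        self.chain_key = root  # shared secret agreed out of band (constructed)

    def next_message_key(self) -> bytes:
        msg_key = kdf(self.chain_key, b"message")     # fresh key for this message
        self.chain_key = kdf(self.chain_key, b"chain")  # advance; old value is gone
        return msg_key


def encrypt(r: Ratchet, plaintext: bytes) -> bytes:
    ks = keystream(r.next_message_key(), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes itself


def compromise_demo(root: bytes):
    """Returns (attacker_reads_later_msg, attacker_reads_earlier_msg).

    The attacker copies the sender's state after two messages have gone out.
    Because the chain only moves forward, the copy yields the next key but
    not the ones already discarded. (Real protocols add a Diffie-Hellman
    ratchet so even the forward direction heals after a compromise.)
    """
    alice, bob = Ratchet(root), Ratchet(root)
    c1 = encrypt(alice, b"first message")
    c2 = encrypt(alice, b"second message")
    snapshot = alice.chain_key                 # what the attacker obtains
    c3 = encrypt(alice, b"third message")
    assert [decrypt(bob, c) for c in (c1, c2, c3)] == [
        b"first message", b"second message", b"third message"]
    later = decrypt(Ratchet(snapshot), c3) == b"third message"
    earlier = decrypt(Ratchet(snapshot), c1) == b"first message"
    return later, earlier
```

The snapshot derives the third message key but has no way back to the first, which is the property the article refers to as forward secrecy.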
Investing in cyber insurance
Enterprises are realizing that planning for worst-case scenarios is just as important as investing in preventative measures. Even if a company follows a zero-trust approach, there is always a chance that a bad actor with enough time and resources will succeed in finding a weakness. A successful cyberattack can cause catastrophic damage to a business – halting operations, ruining reputations and customer relationships, and inflicting major financial strain when trying to regain control of systems and data. As a result, companies are investing heavily in cyber insurance policies — the market is slated to hit $14 billion by 2022. However, it’s important that companies understand that cyber insurance is not a silver-bullet solution. It should be an extra precaution in addition to proactive defense measures like instituting zero-trust infrastructure and utilizing security-first tools.
The biggest mistake companies can make at this juncture would be to assume there is a lot of time before regulations like CCPA affect the enterprise realm. The advent of CCPA is an indication of a shift in the tide of government regulation as a whole. When GDPR was created, one of the key objectives was to fix the fragmented regulation landscape caused by different national laws in the EU, in order to provide legal clarity for both individuals and businesses. Similarly, the US will soon find its way to a regulation that is unified and absolute across all industries. This may, in fact, happen sooner than expected as state-level laws are already being called into question for effectiveness and enforceability.
Companies that want to survive and stay ahead of the curve need to start now. Those that don’t will eventually find themselves tangled in outdated cybersecurity practices, buried in technical debt and facing uncertain legal (and financial) futures.