American Cyber Security Management

Secure and certify all your data and processes


Best Breach History Resources

October 31, 2017 By Carlin Dornbusch

Where is the best website for breach data history? This has been a common question and one that everyone seems to have a personal answer to. In the spirit of Cyber Security Awareness Month, here are some good resources to consider.

Breaches of our privacy continue daily, and they can be hard to keep up with. These resources can help you justify and improve your investments in prevention, detection, and response.

https://www.privacyrights.org/data-breaches – This site allows you to search the data by 8 Type categories (e.g. Payment card), 7 Organizational categories (e.g. Education, Military) and Year (back to 2005).

http://breachlevelindex.com/ – This site has good visuals and shows summarized data over time. It also allows for data compilation over Type, Industry, and Source.

http://www.idtheftcenter.org/Data-Breaches/data-breaches – The Identity Theft Resource Center has compiled breach data since 2005, and allows access to their summarized graphs and charts.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/ – If you want a thorough and well-written report, then I suggest Verizon's Data Breach Investigations Report.

https://dashboard.healthit.gov/quickstats/quickstats.php – For good summarized information on healthcare, the Office of the National Coordinator for Health Information Technology provides up-to-date dashboards and data sets.

The recent Equifax breach shows what a massive and destructive force not learning from our mistakes can be. If you need any help in understanding how to put these lessons into practice, contact us at American Cyber Security Management.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.

Filed Under: Cyber Security News

GDPR: The Culture Challenge!

October 25, 2017 By Carlin Dornbusch

With the General Data Protection Regulation (GDPR) from the European Union (EU) nearing enforcement in May 2018, many enterprises still see it as a project and not as a privacy strategy. Here are some excerpts from conversations I have had with managers about GDPR:

  • “Since Safe Harbor failed we’ll see what happens with GDPR.”
  • “I don’t think it applies to us.” (This was a SaaS-based company.)
  • “We know this is very important, but we have so many other things to do.”
  • “We really need help here; this is a very big deal.”
  • “We have a project manager and myself; we need more help.”

GDPR implementations are still in their early days, and time will tell what the impact of non-compliance will be. However, it is clear that bringing the regulatory and compliance sides of the enterprise together with the mainstream product, marketing, and engineering sides is becoming more urgent. In an Agile culture of rapid delivery, integrated teams, and more intimate customer conversations, enterprises still struggle to fully incorporate their legal and compliance teams into the process. When was the last time you saw a lawyer in a scrum? Have your product owners ever engaged legal in defining a privacy model? It is hard enough to get security requirements into stories; how will enterprises incorporate privacy?

GDPR’s requirements around EU citizen rights will surely change how global enterprises handle EU citizen data. Many see this as a new default privacy model and embrace the change; others are still determining what it means for their organizations. In either case, GDPR shines a light on the opportunity for enterprises to integrate privacy, governance, and product in order to improve the quality of the services we all consume.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/.

If you need help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

GDPR: Are you Ready?

October 17, 2017 By Carlin Dornbusch

Are you ready for GDPR? Penalties, that is. The General Data Protection Regulation (GDPR) from the European Union (EU) has been announced and, since early 2016, required for ANY company that sells to or monitors European citizens.

GDPR is an international law that has already been enacted. It is intended to clarify and strengthen prior privacy laws, and it is extremely encompassing and global in nature. It requires that data be used in a lawful, fair and purposeful manner, and that companies using personal data do so minimally and keep the data accurate, protected, and durable. Responsibility for compliance focuses on the use, or processing, of the data. The scope pushes responsibility from the controller of the system down to the potentially multiple processors and sub-processors, making the law thorough and inescapable for most businesses.

This law requires that EU citizens be given certain rights when they use software systems. These basic privacy rights are:

  • Right of Access
  • Right of Rectification
  • Right of Erasure
  • Right of Restricted Processing
  • Right of 3rd-Party Notification
  • Right of Data Portability
  • Right to Object

Any company found to be in breach of these new requirements will be subject to a penalty of €20 million or 4% of revenue, whichever is greater. Companies that have only started their analysis, or are partway through their implementation, may face a penalty of €10 million or 2% of revenue. This law carries significant risk for smaller businesses that are not in compliance or are only partially compliant.

There is no doubt that GDPR is the biggest change in recent privacy law. Taking a risk-based approach to your implementation will be important. Your implementation could be large, take years and cost millions, or it could be as simple as documentation, change of process and some new technology.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/.

If you are unsure whether GDPR applies to you, or wish to investigate with an assessment, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialist can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Is the Cloud any Safer?

October 11, 2017 By Carlin Dornbusch

Have you moved to the cloud yet? Why not? The security is great up here.

With all of the cloud surveys out there, it is easy to see how the adoption of cloud computing has risen over the past 10 years. A hybrid cloud seems to be the most common approach for most enterprises, and Amazon, Microsoft, and Google are the largest Infrastructure as a Service (IaaS) providers, in that order of market share. We even see Docker being used by over 30% of cloud consumers.

However, not everyone is in the cloud yet, and the resistance is deep-rooted. Beyond all the challenges of moving existing workloads off-premises, such as planning, new architecture design, the actual move and downtime, explaining the change to your customers, and change management, there is still one very large challenge: security. “Will I be as secure or more secure in the cloud?” The answer is “Yes!”, and even more so if you make intelligent decisions about your controls and processes.

The cloud, in general, is advanced enough that it provides a solid platform of control for any company. Each IaaS vendor publishes a definition of shared responsibility and a set of specific controls for the enterprise to manage, and these are the largest enablers of security. Not only is an enterprise afforded more controls, but these new controls are also transparent and auditable. Most IaaS providers are SOC1, SOC2, SOC3, and ISO 27001 certified. Their controls and IT services allow for a least-privilege model of implementation, which is critical for new enterprise adoption. There are services to enable network segmentation, as well as services for Disaster Recovery, DDoS mitigation, and service elasticity. The use of microservices is now commonplace, allowing for an even closer relationship between customer consumption of services and the financial models of the enterprise.

Two of the most important features from IaaS providers are the ability to centralize and to automate service management. By leveraging centralized management of services, we gain the ability to create a homogeneous deployment footprint based on hardened templates. This in turn allows us to manage a library of templates, which we find makes it easier to scale the services and ensure a common baseline. Centralization also allows for easier growth and lower costs. Automation services are readily available from the top IaaS providers as well, and they can span the entire software supply chain across development, test, staging and production environments. Automation can ensure that templates are deployed correctly, that specific modifications are managed, that rollbacks are deliberate, and that the burden of change management is eased. By coupling automation and centralization, we create an extremely secure foundation that most organizations can leverage for their business agility.

We all know it is cheaper up here in the cloud, but we now need to realize that it can be safer too.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.

Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management