Whether it’s the Equifax breach or the more recent Facebook breach, consumers are steeped in data breach news and notifications. During the Washington Post’s Cybersecurity Summit | 2018, Cat Zakrzewski, a technology policy reporter at the Washington Post, sat down with Anne Johnson, corporate vice president of the cyber security solutions group at Microsoft. They discussed some of the common mistakes enterprises make today when it comes to data breach disclosure, and how enterprises will struggle to find the right balance between speed of disclosure and the consumer’s need to know.
Breaches impact consumers and corporations on a daily basis, said Johnson. “One of the things that we find is companies are not always as disciplined as they could be with rigor around cybersecurity controls. I’m not talking about the acquisition of new technologies or new tooling: I’m talking about the use of things like multi-factor authentication, and the use of passwords for their domain environments,” Johnson said.
Johnson pointed to poor hygiene issues within enterprises as being all too common. These include password sharing, password reuse and weak password implementations, all common areas that bad actors exploit.
When it came to whether or not businesses are correctly budgeting for security, Johnson said that companies are spending and that their spending on cybersecurity has been rising every year for about the past five years. However, they may not be spending wisely, she said.
“I think we as an industry can do better on education,” said Johnson. She also said while there is considerable spending on security tooling, there is underspending on awareness, especially considering how many generations are active in the workplace today. “Some of them [older workers] are not digital natives, and some of them didn’t start with technology,” she said.
Another area where enterprises struggle, especially in light of new data breach regulations that mandate disclosure, is data breach notification. This came to light recently with the Facebook breach, which, as Zakrzewski pointed out, was one of the first significant breaches since GDPR went into effect.
“Facebook disclosed it [their breach] within three days. What impact do you think the new rules with GDPR and breach notification will have on industry?” Zakrzewski asked.
“It’s an interesting question,” Johnson said. As she watched Facebook’s response, she pointed to some things that Facebook got right. However, Johnson warned, organizations must use caution in their disclosures. “Like any investigation, it doesn’t just happen overnight. You have this balance of needing to notify, but you’re notifying with an incomplete set of information and information that is going to dynamically change,” said Johnson.
That balance will be difficult to reach as new data breach notification and data privacy requirements come online, Johnson said. Organizations will be forced to notify a large consumer base of people who are not technology savvy and will have a tough time adequately protecting themselves with incomplete information.
This could, at worst, cause undue panic depending on how the media communicate it, or it could confuse consumers about what they should do in the face of the breach to protect themselves. “I think that is the biggest challenge to corporations right now,” she said.
Johnson said the most significant impact of GDPR would be on breach notification laws, citing similar laws under discussion in the U.S. as well as around the world. Companies would have a challenging time, she said, because they will have to change how they conduct their incident response investigations while those investigations are still unfolding.
Johnson also explained that because of Microsoft’s strong stance on privacy and customer data, the company could, at times, notify beyond what is actually required by breach notification mandates. “Providing the information that is required under the breach notification doesn’t necessarily give the consumer the information they need to protect themselves online. You want to give the maximum amount of very descriptive and prescriptive information at the soonest point you can, while also being compliant,” she said.