Expanding Cybersecurity Solutions
Five data security questions for SMBs in light of the expanding consumer privacy laws
- By Richard Kanadjian
- Oct 01, 2019
With the expansion of privacy laws abroad
and in the U.S.—HIPPA, CCPA, and
GDPR as examples—data breaches are
serious issues for any company that holds
PII (Personally Identifiable Information)
of consumers and or any other sensitive information.
California’s Consumer Privacy Act (CCPA) goes into effect on
January 1 and will affect not only companies in California, but
also companies nationwide with serious financial penalties for
businesses. Already in effect is the European Union’s GDPR
regulation, where non-complying organizations can be fined up
to 4 percent of annual global turnover or €20 million, about $20
million-plus U.S. dollars, or whichever is greater.
Under GDPR, companies can be fined for not having their records
in order, not notifying the supervising authority and those
affected by a breach, or not conducting an impact assessment.
How businesses store, transport and manage consumer and
company information has become critical for not only large companies,
but small and medium-sized businesses (SMB) as well.
What Could a Data Breach Cost a SMB?
Data breaches are not just a risk for large businesses and government
agencies. Small businesses that collect customer and other sensitive
personal information are also at risk in today’s high-threat environment.
Verizon found in their 2019 Data Breach Investigations
Report that 58 percent of all cyberattacks target small businesses.
The cost of a data breach for a SMB is a topic of debate between
leading researchers and companies. The Ponemon Institute
put the average cost for a small business that was hacked at
$690,000 and over $1.2 million for a mid-sized business in 2018.
Kaspersky Lab found that the average cost of a data breach and
recovery to a small business is $269,000—$120,000 for the data
breach and $149,000 for breach recovery. Either way, a data
breach could lead to more than just loss of money for a SMB.
How Does the California Consumer
Privacy Act (CCPA) Affect Businesses?
While the CCPA is meant to enhance the privacy rights and consumer
protection for the residents of California in the United States, as with many laws enacted in the state, the law will affect
any business that has customers who are based in California—
which describes many companies around the world.
CCPA can apply to businesses even if they do not have offices
or employees in California. The criteria to determine if this law
will affect your business are (any one of the three make the law
apply to your business):
- Do you have gross revenue over $25 million, or
- Do you possess the personal information of 50,000 or more
consumers, households or devices, or
- Do you earn more than half your annual revenue from selling
consumers’ personal information?
If the new CCPA applies to your company, the intentions
of the law are to provide California residents (defined broadly
enough to cover consumers, employees, business contacts and
others) with the ability to know what personal data is collected
about them (and have access to this information); how that data
is used, sold or disclosed; ability to say no to the sale of personal
data; request their data to be deleted, and more.
Do Employees Bring Their Own Storage
Devices For Back Up and Transfer?
BYOD, or Bring Your Own Device, is a key threat to even the
most robust cybersecurity plan that a small business could put in
place. The tremendous portability and exceptional ease of USB
drives have proven to increase productivity to millions of businesses
and government agencies. However, since most of these
drives are unencrypted, they can pose a major security risk to the
user storing anything more valuable than public data.
Their extreme portability means they are very susceptible to
being lost, accessed or misappropriated. When that happens,
there is a fairly good chance that data stored on the device will
end up in the wrong hands, risking the user’s or company’s privacy
and security.
Having a company policy of standardizing on the use of hardware-
based encrypted USB drives is a key factor in a USB drive’s
ability to provide the safest, most trustworthy means to store and
transfer personal, classified, sensitive data. Experts say the use of
an encrypted USB flash drive is the best solution for keeping confidential
information what it was intended to be—confidential.
From a cost perspective, hardware-based encrypted USBs are
not much more expensive than non-encrypted devices—and they
are like insurance against the unthinkable—the loss and breach
of private data that could be exposed otherwise.
The use of encrypted USB drives can also provide legal protection
with regulations such as HIPPA, CCPA, GDPR and other
regulations that affect many industries and professions.
What is The Difference Between
Hardware and Software Encryption?
Not only is encryption vital in USB drives securing and protecting
data, how that encryption is performed is likewise important.
Users have two choices: hardware and software-based encryption.
USB drive encryption can be done through either the device’s
hardware or software. A hardware-centric/software-free encryption
approach to data security is the best defense against data
loss, as it eliminates the most commonly used attack routes. This
software-free method also provides comprehensive compatibility
with most OS or embedded equipment possessing a USB port.
Hardware-based encrypted USB drives are self-contained,
don’t require a software element on the host computer, and
are the most effective means in combating ever-evolving cyber
threats. Hardware-encrypted USB drives protect against the possibility
of brute force, sniffing and memory hash attacks due to
their security being self-contained inside the drive.
Software-based encrypted drives are designed differently.
They share a computer’s resources with other programs. The encryption
is not done on the USB drive at all. A software program
on the computer encrypts the data, then stores it on the USB
drive. To read it back, a software program must be run on the
computer to decrypt the data. Because of this computer-based
encryption process, the USB drives themselves are vulnerable. In
some cases, there are compatibility issues with older operating
systems that may make the data unreadable.
How Can I Protect My Company’s Sensitive
Data and Not Hinder Productivity?
There should be standardization for best practices for what
is known as data “at-rest” or “in-transit.” While the most common
storage medium is the use of inexpensive USB drives, the
best practice is to standardize on hardware-based encrypted USB
drives. This practice will provide efficiency and security to mobile
data for anyone. Even accessing Cloud storage can be risky
– while you access the internet at a coffee shop, someone else may
be trying to hack your system. If you carry your data on a hardware-
encrypted drive, you can work on your data and keep your
internet turned off while in an untrusted open Wi-Fi area.
So, where do you start? As a small or medium business, you
more than likely aren’t going to need the same level of protection
that large companies and government agencies require. There is
a range of easy-to-use, cost-effective, encrypted USB flash-drive
solutions to choose from that can go a long way toward mitigating
your privacy and security risks, and, quite possibly, save you
money and stress.
Encrypted USB drive manufacturers provide you with options,
no matter your needs. For SMBs, Kingston’s DataTraveler
Vault Privacy 3.0 USB Flash drive provides affordable businessgrade
security. The encrypted solution features 256-bit AES
hardware-based encryption in XTS mode (this is state-of-the art
encryption). It protects 100-percent of data stored and enforces
complex password protocol with minimum characteristics to prevent
unauthorized access. For additional peace of mind, the drive
locks down after 10-incorrect password attempts. It also features
a read-only access mode to avoid potential malware risks
Data security and consumer privacy are not only concerns for
large businesses. SMBs are facing the same issues
with smaller budgets, so identifying cost
effective ways to mitigate the risk is paramount
as we prepare for 2020.
This article originally appeared in the October 2019 issue of Security Today.