Expanding Cybersecurity Solutions

Five data security questions for SMBs in light of the expanding consumer privacy laws

With the expansion of privacy laws abroad and in the U.S.—HIPAA, CCPA, and GDPR as examples—data breaches are serious issues for any company that holds PII (Personally Identifiable Information) of consumers and/or any other sensitive information. California’s Consumer Privacy Act (CCPA) goes into effect on January 1 and will affect not only companies in California, but also companies nationwide with serious financial penalties for businesses. Already in effect is the European Union’s GDPR regulation, where non-complying organizations can be fined up to 4 percent of annual global turnover or €20 million (about $20 million-plus U.S. dollars), whichever is greater.

Under GDPR, companies can be fined for not having their records in order, not notifying the supervising authority and those affected by a breach, or not conducting an impact assessment.

How businesses store, transport and manage consumer and company information has become critical for not only large companies, but small and medium-sized businesses (SMB) as well.

What Could a Data Breach Cost a SMB?

Data breaches are not just a risk for large businesses and government agencies. Small businesses that collect customer and other sensitive personal information are also at risk in today’s high-threat environment. Verizon found in their 2019 Data Breach Investigations Report that 58 percent of all cyberattacks target small businesses.

The cost of a data breach for a SMB is a topic of debate between leading researchers and companies. The Ponemon Institute put the average cost for a small business that was hacked at $690,000 and over $1.2 million for a mid-sized business in 2018. Kaspersky Lab found that the average cost of a data breach and recovery to a small business is $269,000—$120,000 for the data breach and $149,000 for breach recovery. Either way, a data breach could lead to more than just loss of money for a SMB.

How Does the California Consumer Privacy Act (CCPA) Affect Businesses?

While the CCPA is meant to enhance the privacy rights and consumer protection for the residents of California in the United States, as with many laws enacted in the state, the law will affect any business that has customers who are based in California—which describes many companies around the world.

CCPA can apply to businesses even if they do not have offices or employees in California. The criteria to determine if this law will affect your business are (any one of the three makes the law apply to your business):

  • Do you have gross revenue over $25 million, or
  • Do you possess the personal information of 50,000 or more consumers, households or devices, or
  • Do you earn more than half your annual revenue from selling consumers’ personal information?

If the new CCPA applies to your company, the intentions of the law are to provide California residents (defined broadly enough to cover consumers, employees, business contacts and others) with the ability to know what personal data is collected about them (and have access to this information) and how that data is used, sold or disclosed; the ability to say no to the sale of personal data; the ability to request that their data be deleted; and more.

Do Employees Bring Their Own Storage Devices For Back Up and Transfer?

BYOD, or Bring Your Own Device, is a key threat to even the most robust cybersecurity plan that a small business could put in place. The tremendous portability and exceptional ease of use of USB drives have increased productivity for millions of businesses and government agencies. However, since most of these drives are unencrypted, they can pose a major security risk to the user storing anything more valuable than public data.

Their extreme portability means they are very susceptible to being lost, accessed or misappropriated. When that happens, there is a fairly good chance that data stored on the device will end up in the wrong hands, risking the user’s or company’s privacy and security.

Having a company policy of standardizing on the use of hardware-based encrypted USB drives is a key factor in a USB drive’s ability to provide the safest, most trustworthy means to store and transfer personal, classified, sensitive data. Experts say the use of an encrypted USB flash drive is the best solution for keeping confidential information what it was intended to be—confidential. From a cost perspective, hardware-based encrypted USBs are not much more expensive than non-encrypted devices—and they are like insurance against the unthinkable—the loss and breach of private data that could be exposed otherwise. The use of encrypted USB drives can also provide legal protection with regulations such as HIPAA, CCPA, GDPR and other regulations that affect many industries and professions.

What is The Difference Between Hardware and Software Encryption?

Not only is encryption vital to securing and protecting data on USB drives; how that encryption is performed is likewise important. Users have two choices: hardware-based and software-based encryption.

USB drive encryption can be done through either the device’s hardware or software. A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method also provides comprehensive compatibility with most OS or embedded equipment possessing a USB port.

Hardware-based encrypted USB drives are self-contained, don’t require a software element on the host computer, and are the most effective means in combating ever-evolving cyber threats. Hardware-encrypted USB drives protect against the possibility of brute force, sniffing and memory hash attacks due to their security being self-contained inside the drive.

Software-based encrypted drives are designed differently. They share a computer’s resources with other programs. The encryption is not done on the USB drive at all. A software program on the computer encrypts the data, then stores it on the USB drive. To read it back, a software program must be run on the computer to decrypt the data. Because of this computer-based encryption process, the USB drives themselves are vulnerable. In some cases, there are compatibility issues with older operating systems that may make the data unreadable.

How Can I Protect My Company’s Sensitive Data and Not Hinder Productivity?

There should be standardization for best practices for what is known as data “at-rest” or “in-transit.” While the most common storage medium is the use of inexpensive USB drives, the best practice is to standardize on hardware-based encrypted USB drives. This practice will provide efficiency and security to mobile data for anyone. Even accessing Cloud storage can be risky – while you access the internet at a coffee shop, someone else may be trying to hack your system. If you carry your data on a hardware-encrypted drive, you can work on your data and keep your internet turned off while in an untrusted open Wi-Fi area.

So, where do you start? As a small or medium business, you more than likely aren’t going to need the same level of protection that large companies and government agencies require. There is a range of easy-to-use, cost-effective, encrypted USB flash-drive solutions to choose from that can go a long way toward mitigating your privacy and security risks, and, quite possibly, save you money and stress.

Encrypted USB drive manufacturers provide you with options, no matter your needs. For SMBs, Kingston’s DataTraveler Vault Privacy 3.0 USB Flash drive provides affordable business-grade security. The encrypted solution features 256-bit AES hardware-based encryption in XTS mode (this is state-of-the-art encryption). It protects 100 percent of data stored and enforces complex password protocol with minimum characteristics to prevent unauthorized access. For additional peace of mind, the drive locks down after 10 incorrect password attempts. It also features a read-only access mode to avoid potential malware risks.

Data security and consumer privacy are not only concerns for large businesses. SMBs are facing the same issues with smaller budgets, so identifying cost effective ways to mitigate the risk is paramount as we prepare for 2020.

This article originally appeared in the October 2019 issue of Security Today.
