On Tuesday, January 31, 2017, a lively panel discussed The Shifting Paradigm of Data Security: Intelligence & Big Data. The German Center for Research and Innovation and the European American Chamber of Commerce organized the event. The panel included Joanna Burkey, Chief Information Security Officer, at Siemens, Joseph V. DeMarco, Partner at DeVore & DeMarco LLP, Nicholas Johnston, Vice President at Duff & Phelps, and Philip Kibler, Head of Cyber Risk Consulting at AIG.
The panel discussed cybersecurity in the age of big data, especially when dealing with data flows across international borders. Below are some takeaways.
The speakers informed the audience of some recent hacking trends. As a general rule, the motivation for an attack remains mostly financial.
Several times they saw information stolen after the hackers had been in contact with the target for several months and finally sent a link that allowed them to break into the targeted system and steal data with financial value. Overall, they highlighted how the weak link is almost always the human factor that, because of mistrust or inadequate training, allows the attack to take place.
A second trend consists of attacks on third parties or business partners. If your company is considered a “hard” target, the hackers may direct their effort at a somewhat “softer” target with weaker defenses.
Once data has been taken, blackmail is common.
In addition, the panelists discussed camouflage techniques: hackers come in to stay and try not to get discovered. It is important to consider all abnormalities: they might reveal that the system is under attack.
Overall, it was pointed out that products are very often not adequately designed, and manufacturers leave customers vulnerable to cyber attacks.
The panel also discussed similarities and differences in data protection and privacy regulations between Europe and the US. The US is ahead on breach response, and Europe could benefit from its experience.
It is always important to remember that each country has its own law. Each multinational organization or each processor shall comply with local privacy requirements.
However, the speakers stressed that compliance is a way to safeguard legal standing but is not a guarantee of security.
The panel went on to highlight some best practices in cyber security.
Prevention is key. Companies shall know their assets, meaning anything that is connected to the internet. Companies will then know what is vulnerable and be aware that it needs protection.
Collaboration within your own company is key.
Companies shall have a plan to respond to breaches. Details shall be well thought out. For example, how will top managers communicate after a breach?
It is also important to rehearse the incident response plan so that the measures can be effectively implemented, just as with fire drills.
Employee awareness and training are key.
Finally, the gathering also discussed whether it is advisable to retain information. On one hand, it was suggested to keep logs and data to facilitate breach investigation; on the other hand, it was highlighted that data retention may be a liability. Two helpful comments suggested that it is important to filter what information shall be kept, since not all data may be useful, and that it is advisable to involve lawyers with technical support. This would allow for a rounded protection, as well as preserve attorney-client privilege over related communications.
The flyer for the event is available at http://germaninnovation.org…
For more information, contact Federica Romanelli.