With the CCPA Now in Effect, Organizations Must Improve Email Security Capabilities

Less Than Half of Businesses Are Ready to Comply

by Tony Pepper
February 7, 2020
in Data Privacy

The CCPA’s reach extends far outside of California, and a huge proportion of businesses are still out of compliance. Egress CEO Tony Pepper shares a key vulnerability organizations should address immediately to close that gap.

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect with much fanfare. The new law, intended to enhance privacy rights and consumer protections for residents of the state, implements new individual data access and erasure rights, guarantees individuals the right to opt out of the sale of their data and mandates stronger information security — among other measures. Modeled loosely on the European Union’s GDPR, the CCPA represents the strongest such law in the U.S.

The CCPA applies to any companies conducting business in California that either meet certain size thresholds or derive more than 50 percent of their annual revenue from the sale of consumers’ personal information. Bear in mind: This is not just for companies based in California; it applies to all companies doing any type of business in the state. As a result, the CCPA will have major ramifications for companies throughout the world that wish to continue operations involving California citizens. With other states expected to follow in California’s footsteps and enact stronger data protection laws of their own, it is critical for businesses operating in the U.S. to prepare themselves for this new reality. As businesses worked to achieve CCPA compliance, email security emerged as a critical component of any comprehensive data protection plan.

The Rise of BEC Scams Highlights One Vulnerability Likely to Run Afoul of CCPA

One area where the impact of CCPA will be keenly felt is email security. Once an organization’s data has been mapped and classified as called for under the new law, it is important to put systems in place to ensure that data is protected by design. This means more than having effective firewalls or putting systems in place to alert security teams to potential network intruders. In today’s world, the most effective cyberattacks are often the ones that target the most vulnerable part of any organization: its people.

Business email compromise (BEC) attacks, phishing scams and other social engineering-based attack methods are becoming an increasingly popular attack vector among cybercriminals. In fact, this September, the FBI released a public service announcement containing some startling numbers: Between October 2013 and July 2019, businesses lost an estimated $26 billion to BEC scams alone. These losses have not been limited to large organizations, either; the FBI is careful to note that the scams target small, medium and large businesses and even personal transactions.

BEC scams have been reported in all 50 states, as well as 177 other countries, with fraudulent transfers making their way to at least 140 different countries. One fraudster based in Lithuania recently pleaded guilty to defrauding Google and Facebook out of roughly $123 million — a staggering number that underscores the outsized financial impact that these scams can have, even on the companies assumed to be the most technologically savvy. These scams represent a widespread, global issue that businesses of all sizes need to be aware of and protect themselves against.

Of course, BEC scams are just one example of how cyberattacks target human fallibility, but they serve as an effective illustration of what makes social engineering attacks so successful. They exploit the fact that human error is all too common. In fact, 80 percent of breaches — BEC or otherwise — are linked to employees simply doing something accidentally. Auto-complete might suggest an incorrect recipient. An email address might be mistyped. An employee might not realize that the legitimate-looking email they are responding to is actually from a scammer.

BEC attacks generally operate by sending an email that appears to be from a senior-level employee or high-value customer asking the recipient to take some action such as approve a payment, transmit client data or otherwise compromise secure information. All it takes is one employee to fail to realize that the email is a scam, and companies can potentially find themselves in serious trouble. Just ask Toyota, a subsidiary of which recently lost $37 million when members of the finance and accounting departments were targeted by scammers posing as one of the auto giant’s business partners. It was the third time in the span of a year that Toyota fell prey to such a scam, highlighting the potentially devastating consequences of such a breach.

With CCPA in effect, breaches like this will come under significantly increased scrutiny. After all, many scammers are more interested in personal information than simple financial gain, and companies must be on the lookout. CCPA establishes steep penalties for noncompliance, with a fine of $2,500 being levied for each violation not rectified within 30 days. And while $2,500 might not sound like a lot, keep in mind that CCPA considers each individual whose data is compromised to be an individual violation. Then consider that the data breach suffered by the American Medical Coalition Agency (AMCA) resulted in the theft of more than 25 million patient records. It doesn’t take an accountant to see that the potential fines involved here would be massive if CCPA had been in effect, and while this breach is one of the largest on record, it underscores just how much damage a talented and ambitious attacker can do.

Solving the Unsolvable: Proper Email Safeguards Can Help Limit Human Error and Prevent CCPA Violations

Human error isn’t new, and preventing it can feel like an unsolvable problem. It’s simply a part of life, and it’s been affecting businesses for as long as they’ve been around. In the past, human error might have been limited to a clerk forgetting to ring up a certain item or maybe an accountant forgetting to carry the one when balancing the ledger. Now, the technological advances that power today’s businesses have enabled BEC scams and similar attacks to exploit those same human weaknesses on a much larger scale – on top of which, people will continue to make “basic” mistakes, like misdirecting an email, even without an attacker trying to trick them into it. Today, safeguards that enforce proper email security at the human level can be the difference between remaining secure and suffering a serious breach.

The name of the game here is limiting risk. When it comes to email communication, there is some amount of risk inherent in any exchange. Are you certain that the sender is who they are claiming to be? Are you certain you typed the correct email in the “to” field? Are you certain you attached the right document? Employees sending hundreds, or even dozens, of emails each day are not going to run down this checklist every time they send a message.

After a while, people have a tendency to assume they know what they’re doing — and that’s understandable. Do you double-check that every email from your boss is actually from your boss? Or that your autofill function has suggested the correct name? Probably not, because frequently, you’ll find that they are exactly who they are claiming to be or that you have added the correct person. But the number of occasions this isn’t the case is particularly significant when you look at the bigger picture.

Look at it this way: How many emails do you send each day, and how many people are in your organization? Assuming your email output is roughly average, if you work at a company with 500 employees, that means 25,000 emails are being sent by your company per day. Over the course of a year, that expands to as many as 9 million emails. Even if just 0.1 percent of those emails are problematic — responding to a scammer, mistyping an email address, attaching an incorrect document — that leaves between 6,000 and 9,000 opportunities for secure information to make its way into the hands of cybercriminals, potentially costing your company money and most definitely running afoul of the CCPA.

Thankfully, the increased sophistication of tools like machine learning and behavioral analytics is enabling a growing number of organizations to implement intelligent, risk-based protection; secure email and file transfer methods; and smart authentication procedures — all valuable steps that organizations can take to ensure that their email security remains compliant with this new legislation. When applied to email security, contextual machine learning and behavioral analytics can identify anomalous and/or risky behavior before it can cause a potential issue.

This might mean something as simple as identifying an incorrect email address in the “to” field or as complex as scanning attachments to ensure that the correct level of encryption is being used. You know how today’s email clients will scan for the word “attachment” in your email so they can alert you if you forgot to attach the promised document? It’s just like that, but on an infinitely larger, more sophisticated and, ultimately, valuable scale.

As these predictive tools become more familiar with their users, they can more accurately determine what behaviors qualify as abnormal and alert the user that they may be on the verge of making a mistake. Considering the damage email data breaches have been known to cause and the looming threat of CCPA-imposed sanctions, this added level of human-layer protection can prove invaluable to businesses.
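As an added illustration of the kind of recipient check described above (example code written for this page, not Egress’s product or any code from the original article): it builds a per-sender history from a constructed sent-mail log and scores a proposed recipient by whether the address and its domain have been used before and whether the domain is a lookalike of one the sender uses regularly. The log format, the sample addresses and the scoring tiers are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of an outbound mail log (assumed "sender -> recipient" format).
SENT_LOG = """\
alice@acme.example -> bob@acme.example
alice@acme.example -> bob@acme.example
alice@acme.example -> legal@partnerco.example
alice@acme.example -> legal@partnerco.example
alice@acme.example -> legal@partnerco.example
dave@acme.example -> payroll@acme.example
"""


def build_profiles(log_text):
    """Per-sender counts of recipient addresses and recipient domains seen in the log."""
    recipients = defaultdict(Counter)
    domains = defaultdict(Counter)
    for line in log_text.splitlines():
        if "->" not in line:
            continue  # skip malformed or empty lines
        sender, recipient = (p.strip().lower() for p in line.split("->", 1))
        recipients[sender][recipient] += 1
        domains[sender][recipient.rsplit("@", 1)[-1]] += 1
    return recipients, domains


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains (e.g. an 'o' swapped for a '0')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_recipient(profiles, sender, recipient):
    """Score a proposed recipient against the sender's own history.

    0 = address used before, 1 = new address at a known domain,
    2 = domain never used by this sender, 3 = new domain that is a
    near-miss of a domain the sender uses (likely typo or lookalike).
    Returns (score, reasons) so a client can prompt the user before sending.
    """
    recipients, domains = profiles
    sender, recipient = sender.lower(), recipient.lower()
    if "@" not in recipient:
        return 3, ["malformed address"]
    domain = recipient.rsplit("@", 1)[1]
    if recipients[sender][recipient] > 0:
        return 0, []
    reasons = ["recipient never used by this sender"]
    if domains[sender][domain] > 0:
        return 1, reasons
    reasons.append("domain never used by this sender")
    for known, _count in domains[sender].most_common():  # most-used domains first
        d = edit_distance(domain, known)
        if 0 < d <= 2:
            reasons.append(f"domain looks like {known} (edit distance {d})")
            return 3, reasons
    return 2, reasons
```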

The CCPA Provides an Opportunity to Make Needed Security Improvements

Ultimately, the goal of the CCPA is to protect consumers by ensuring that businesses are taking an appropriate level of care when it comes to their personal data. This is an admirable goal. And as cybercriminals become more sophisticated in their attack methods, the new legislation will spur many organizations to make much-needed improvements to their security capabilities. Additionally, while the CCPA will levy major sanctions on organizations that fail to adequately protect consumer data, it is worth noting that incidents of data theft like those experienced by Google, Facebook and AMCA demonstrate the financial impact that these breaches can have even without the CCPA. In reality, businesses should be looking to implement these sorts of security improvements independent of the regulatory landscape.

Smart, adaptable and scalable email security tools can help prevent these problems before they arise, and whether organizations are working to establish regulatory compliance or simply strengthen their ability to combat BEC and other social-engineering threats, email security should be a priority. California may be one of the first states to establish strict data protection laws, but it certainly will not be the last, and as the U.S. takes its first steps down the trail blazed by Europe, businesses wishing to continue conducting business in the country must ensure they have implemented effective, human-layer security to protect the softest targets of all: people.


Tags: California Consumer Privacy Act (CCPA)

Tony Pepper

Tony Pepper is Co-founder of Egress, where he currently serves as CEO, overseeing all aspects of business growth and innovation. Prior to Egress, Tony held executive management positions at Reflex Magnetics, Pointsec Mobile Technologies and Check Point Software Technologies. A frequent technology and industry speaker, Tony holds a bachelor’s degree in politics and a master’s in software engineering and is a certified BCS Fellow. Tony sits on industry committees including Intellect’s Government Management and Defense & Security Groups.
