Corporate Compliance Insights

With the CCPA Now in Effect, Organizations Must Improve Email Security Capabilities

Less Than Half of Businesses Are Ready to Comply

by Tony Pepper
February 7, 2020
in Data Privacy

The CCPA’s reach extends far outside of California, and a huge proportion of businesses are still out of compliance. Egress CEO Tony Pepper shares a key vulnerability organizations should address immediately to close that gap.

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect with much fanfare. The new law, intended to enhance privacy rights and consumer protections for residents of the state, implements new individual data access and erasure rights, ensures the right for individuals to opt out of data selling and mandates stronger information security — among other measures. Modeled loosely on the European Union’s GDPR, the CCPA represents the strongest such law in the U.S.

The CCPA applies to any companies conducting business in California that either meet certain size thresholds or derive more than 50 percent of their annual revenue from the sale of consumers’ personal information. Bear in mind: This is not just for companies based in California; it applies to all companies doing any type of business in the state. As a result, the CCPA will have major ramifications for companies throughout the world that wish to continue operations involving California citizens. With other states expected to follow in California’s footsteps and enact stronger data protection laws of their own, it is critical for businesses operating in the U.S. to prepare themselves for this new reality. As businesses worked to achieve CCPA compliance, email security emerged as a critical component of any comprehensive data protection plan.

The Rise of BEC Scams Highlights One Vulnerability Likely to Run Afoul of CCPA

One area where the impact of CCPA will be keenly felt is email security. Once an organization’s data has been mapped and classified as called for under the new law, it is important to put systems in place to ensure that data is protected by design. This means more than having effective firewalls or putting systems in place to alert security teams to potential network intruders. In today’s world, the most effective cyberattacks are often the ones that target the most vulnerable part of any organization: its people.

Business email compromise (BEC) attacks, phishing scams and other social engineering-based attack methods are becoming an increasingly popular attack vector among cybercriminals. In fact, this September, the FBI released a public service announcement containing some startling numbers: Between October 2013 and July 2019, businesses lost an estimated $26 billion to BEC scams alone. These losses have not been limited to large organizations, either; the FBI is careful to note that the scams target small, medium and large businesses and even personal transactions.

BEC scams have been reported in all 50 states, as well as 177 other countries, with fraudulent transfers making their way to at least 140 different countries. One fraudster based in Lithuania recently pleaded guilty to defrauding Google and Facebook out of roughly $123 million — a staggering number that underscores the outsized financial impact that these scams can have, even on the companies assumed to be the most technologically savvy. These scams represent a widespread, global issue that businesses of all sizes need to be aware of and protect themselves against.

Of course, BEC scams are just one example of how cyberattacks target human fallibility, but they serve as an effective illustration of what makes social engineering attacks so successful. They exploit the fact that human error is all too common. In fact, 80 percent of breaches — BEC or otherwise — are linked to employees simply doing something accidentally. Auto-complete might suggest an incorrect recipient. An email address might be mistyped. An employee might not realize that the legitimate-looking email they are responding to is actually from a scammer.

BEC attacks generally operate by sending an email that appears to be from a senior-level employee or high-value customer asking the recipient to take some action such as approve a payment, transmit client data or otherwise compromise secure information. All it takes is one employee to fail to realize that the email is a scam, and companies can potentially find themselves in serious trouble. Just ask Toyota, a subsidiary of which recently lost $37 million when members of the finance and accounting departments were targeted by scammers posing as one of the auto giant’s business partners. It was the third time in the span of a year that Toyota fell prey to such a scam, highlighting the potentially devastating consequences of such a breach.

With CCPA in effect, breaches like this will come under significantly increased scrutiny. After all, many scammers are more interested in personal information than simple financial gain, and companies must be on the lookout. CCPA establishes steep penalties for noncompliance, with a fine of $2,500 being levied for each violation not rectified within 30 days. And while $2,500 might not sound like a lot, keep in mind that CCPA considers each individual whose data is compromised to be an individual violation. Then consider that the data breach suffered by the American Medical Coalition Agency (AMCA) resulted in the theft of more than 25 million patient records. It doesn’t take an accountant to see that the potential fines involved here would be massive if CCPA had been in effect, and while this breach is one of the largest on record, it underscores just how much damage a talented and ambitious attacker can do.

Solving the Unsolvable: Proper Email Safeguards Can Help Limit Human Error and Prevent CCPA Violations

Human error isn’t new, and preventing it can feel like an unsolvable problem. It’s simply a part of life, and it’s been affecting businesses for as long as they’ve been around. In the past, human error might have been limited to a clerk forgetting to ring up a certain item or maybe an accountant forgetting to carry the one when balancing the ledger. Now, the technological advances that power today’s businesses have enabled BEC scams and similar attacks to exploit those same human weaknesses on a much larger scale – on top of which, people will continue to make “basic” mistakes, like misdirecting an email, even without an attacker trying to trick them into it. Today, having safeguards in place to ensure that proper email security is being adhered to on a human level can be the difference between remaining secure or suffering a serious breach.

The name of the game here is limiting risk. When it comes to email communication, there is some amount of risk inherent in any exchange. Are you certain that the sender is who they are claiming to be? Are you certain you typed the correct email in the “to” field? Are you certain you attached the right document? Employees sending hundreds, or even dozens, of emails each day are not going to run down this checklist every time they send a message.

After a while, people have a tendency to assume they know what they’re doing — and that’s understandable. Do you double-check that every email from your boss is actually from your boss? Or that your autofill function has suggested the correct name? Probably not, because frequently, you’ll find that they are exactly who they are claiming to be or that you have added the correct person. But the number of occasions this isn’t the case is particularly significant when you look at the bigger picture.

Look at it this way: How many emails do you send each day, and how many people are in your organization? Assuming your email output is roughly average, if you work at a company with 500 employees, that means 25,000 emails are being sent by your company per day. Over the course of a year, that expands to as many as 9 million emails. Even if just 0.1 percent of those emails are problematic — responding to a scammer, mistyping an email address, attaching an incorrect document — that leaves between 6,000 and 9,000 opportunities for secure information to make its way into the hands of cybercriminals, potentially costing your company money and most definitely running afoul of the CCPA.

Thankfully, the increased sophistication of tools like machine learning and behavioral analytics is enabling a growing number of organizations to implement intelligent, risk-based protection; secure email and file transfer methods; and smart authentication procedures — all valuable steps that organizations can take to ensure that their email security remains compliant with this new legislation. When applied to email security, contextual machine learning and behavioral analytics can identify anomalous or risky behavior before it can cause a potential issue.

This might mean something as simple as identifying an incorrect email address in the “to” field or as complex as scanning attachments to ensure that the correct level of encryption is being used. You know how today’s email clients will scan for the word “attachment” in your email so they can alert you if you forgot to attach the promised document? It’s just like that, but on an infinitely larger, more sophisticated and, ultimately, valuable scale.

As these predictive tools become more familiar with their users, they can more accurately determine what behaviors qualify as abnormal and alert the user that they may be on the verge of making a mistake. Considering the damage email data breaches have been known to cause and the looming threat of CCPA-imposed sanctions, this added level of human-layer protection can prove invaluable to businesses.
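One concrete form of the "incorrect address in the to field" check described above, written as an added example that is not from the article or from Egress's product: it profiles a sender's past recipients (constructed sample data) to learn trusted domains and known contact names, then flags near-miss domains, same-name/different-domain recipients and first-time recipients before a draft goes out.

```python
"""Recipient risk check for an outbound email draft (added illustration, not
Egress code). Assumes a per-sender history of past recipient addresses exists
and that a draft is checked before it is sent."""
from collections import Counter

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo or lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def recipient_risks(history, recipients, min_seen=3):
    """Return (recipient, reason) pairs for recipients that look anomalous.
    Domains the sender has mailed at least min_seen times count as trusted."""
    history = [h.lower() for h in history]
    seen = Counter(history)
    domains = Counter(h.split("@", 1)[1] for h in history)
    trusted = {d for d, n in domains.items() if n >= min_seen}
    locals_seen = {}  # local part -> domains that name was mailed at before
    for h in history:
        local, domain = h.split("@", 1)
        locals_seen.setdefault(local, set()).add(domain)
    findings = []
    for r in recipients:
        r = r.lower()
        if "@" not in r:
            findings.append((r, "malformed address"))
            continue
        local, domain = r.split("@", 1)
        near = [d for d in sorted(trusted) if 0 < edit_distance(domain, d) <= 2]
        if domain not in trusted and near:  # typo or lookalike of a trusted domain
            findings.append((r, f"domain resembles trusted {near[0]}"))
        elif r not in seen and domain not in locals_seen.get(local, {domain}):
            findings.append((r, "same name as a known contact, different domain"))
        elif r not in seen:
            findings.append((r, "never contacted before"))
    return findings

# Constructed sample data: this sender's past recipients and a new draft's To: field.
HISTORY = (["alice@acme-corp.com"] * 3 + ["bob@acme-corp.com"] * 2
           + ["carol@partnerbank.com"] * 3 + ["dave@partnerbank.com"])
DRAFT_TO = ["alice@acme-corp.com", "bob@acme-c0rp.com", "alice@gmail.com", "erin@acme-corp.com"]
if __name__ == "__main__":
    for rcpt, why in recipient_risks(HISTORY, DRAFT_TO):
        print(f"WARN {rcpt}: {why}")
```

In a real deployment the history would come from the sender's mailbox, and the three reasons would map to different prompt severities rather than being treated alike.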

The CCPA Provides an Opportunity to Make Needed Security Improvements

Ultimately, the goal of the CCPA is to protect consumers by ensuring that businesses are taking an appropriate level of care when it comes to their personal data. This is an admirable goal. And as cybercriminals become more sophisticated in their attack methods, the new legislation will spur many organizations to make much-needed improvements to their security capabilities. Additionally, while the CCPA will levy major sanctions on organizations that fail to adequately protect consumer data, it is worth noting that incidents of data theft like those experienced by Google, Facebook and AMCA demonstrate the financial impact that these breaches can have even without the CCPA. In reality, businesses should be looking to implement these sorts of security improvements independent of the regulatory landscape.

Smart, adaptable and scalable email security tools can help prevent these problems before they arise, and whether organizations are working to establish regulatory compliance or simply strengthen their ability to combat BEC and other social-engineering threats, email security should be a priority. California may be one of the first states to establish strict data protection laws, but it certainly will not be the last, and as the U.S. takes its first steps down the trail blazed by Europe, businesses wishing to continue conducting business in the country must ensure they have implemented effective, human-layer security to protect the softest targets of all: people.


Tags: CCPA/California Consumer Privacy Act

Tony Pepper

Tony Pepper is Co-founder of Egress, where he currently serves as CEO, overseeing all aspects of business growth and innovation. Prior to Egress, Tony held executive management positions at Reflex Magnetics, Pointsec Mobile Technologies and Check Point Software Technologies. A frequent technology and industry speaker, Tony holds a bachelor’s degree in politics and a master’s in software engineering and is a certified BCS Fellow. Tony sits on industry committees including Intellect’s Government Management and Defense & Security Groups.
