With the CCPA now in effect, CISOs must understand the various ways a data breach can occur – chief among them: human error. Egress founder and CEO Tony Pepper explains how human behavior is the biggest complication when it comes to CCPA compliance and what can be done about it.
After nearly two years of waiting, the California Consumer Privacy Act (CCPA) has officially entered its enforcement phase. Undeterred by some businesses claiming that the COVID-19 crisis has affected their ability to bring their systems into compliance with the new law, the California Attorney General’s office issued its final guidelines in early June and stated that it expects those affected to be prepared for enforcement on schedule. In truth, the law has been in effect since January 1, 2020, but the six-month delay in enforcement was granted by the California AG’s office to give organizations the time they needed to shore up their compliance plans.
With the delay now over and businesses staring down the very real possibility of legal action, CISOs must grapple with the challenge of protecting not just their organization’s data, but customer data as well. To avoid the substantial fines and significant reputational damage that a CCPA violation would likely incur, it is critical for business leaders to understand the many ways a data breach can occur. Unfortunately, email remains an extremely popular vector for attackers, and one of the most common contributing factors to email-based breaches is human error — a notoriously difficult problem to solve. Simply put, people make mistakes, like falling for a phishing scam or accidentally copying the wrong person on an email. Fortunately, the technology exists today to mitigate the potential damage from those errors, but leaders must be willing to take the necessary steps.
Understanding the CCPA and the Cost of Noncompliance
It is critical for businesses to understand that the CCPA applies not just to businesses based in California, but to any company of a certain size operating within its borders. Given that California boasts a GDP that would make it the world’s fifth-largest economy, it is safe to say that most companies operating on a national or international scale are almost certainly transacting business within the state. And although the CCPA is currently the strictest privacy law on the books, other states appear likely to follow California’s example with laws of their own, meaning that even companies without a presence in California would be wise to keep one eye on the future and begin moving toward CCPA compliance.
The CCPA largely deals with transparency, offering individuals the right to know what data is being collected from them, as well as what is being done with that data, and providing opportunities to access that information and/or delete it. But it also contains penalties for the theft or unauthorized disclosure of nonencrypted personally identifiable information. In practical terms, this means that businesses can be penalized for failing to effectively protect the personal information they have gathered from their users or customers. In addition to the possibility of legal action taken by the victims, the CCPA prescribes a penalty of up to $2,500 per violation (a number that rises to $7,500 if the violation is deemed to have been intentional), and in this case, “per violation” means “for each record compromised.” Given that an average data breach in the United States today involves the compromise of more than 32,000 records, this means that a single accidental breach could potentially cost a company over $80 million in CCPA penalties alone.
This means that businesses must not only establish a mechanism for users and customers to access and interact with their own data, but also ensure the data remains protected from malicious, intentional and even accidental breaches. With breaches expanding each year in both number and scale (and showing no sign of slowing in 2020), the CCPA is entering enforcement at a time when many businesses are already grappling with the need to address this growing problem. Error-driven breaches in particular have left many firms searching for a solution.
Human Error Remains a Major Breach Driver
Human error is, by its very nature, a notoriously difficult problem to solve. It’s so integral to the human experience that we’ve developed no shortage of aphorisms meant to express that very sentiment: “Everyone makes mistakes,” “to err is human.” Unfortunately, cybercriminals know those sayings as well and have taken them to heart. This year’s Verizon Data Breach Investigations Report (DBIR) highlighted the fact that breaches driven by errors like misconfigurations or misdirected emails are a growing problem, and specific types of social engineering-based attacks such as phishing and business email compromise (BEC) have become increasingly common in recent years.
BEC attacks can come in a variety of different forms, but invoice scams and spear-phishing attempts are among the most common. Generally, these attacks are carried out from a legitimate-seeming email address asking an employee to transfer funds, enter personal or confidential information or take some other damaging action. A successful BEC attack only needs to work once: All it takes is one inattentive employee who fails to realize that the message is illegitimate. Once the funds have been transferred or the privileged information has been stolen, it is almost impossible to put the proverbial genie back in the bottle. BEC scams have become such a boogeyman that, late last year, the FBI issued a public service announcement warning businesses that in just under six years, BEC scams have cost companies in excess of $26 billion. This staggering number highlights the damage that can be done by even the simplest mistake, and the implementation of CCPA will only make these breaches more costly.
Perhaps even more concerning for businesses is the fact that CCPA is entering enforcement during a time of upheaval, with organizations across the globe still grappling with the necessity of increased remote work. Unfortunately, cybercriminals have seized upon the COVID-19 pandemic as an opportunity, electing to redouble their efforts rather than let the world catch its breath. Recent research reveals that attackers have prioritized email as an attack vector during the pandemic, and a report from Google found a 350 percent rise in phishing attacks during the first month of the lockdown alone. Recognizing the fact that an increased number of employees are working under unfamiliar conditions, sometimes distracted by children or pets and without easy access to their co-workers, cybercriminals have stepped up their attempts to invoke and exploit human error. But the question remains: how can businesses protect themselves?
A Modern Solution to an Age-Old Problem
Confronted with the fact that human error is the driver behind many types of breaches, there is a temptation among even security professionals to throw up their hands in frustration. After all, firewalls, antivirus software and other tools can be improved. But how do you begin to solve the problem of simple mistakes? While effective employee training is an important part of the solution, all the seminars and training sessions in the world can’t make an employee pay full attention 100 percent of the time. Lapses happen. People get distracted. And even the world’s most conscientious employee is not immune to copying the wrong person on an email or falling for a particularly convincing spear-phishing email. Helping people recognize the signs of a scam is an important first step, but it isn’t enough.
Fortunately, advancements in machine learning have allowed organizations to create a more effective safety net for their employees. One of the most insidious things about error-driven breaches is that the employee may not even be aware an error has occurred. Worse still, even if they are aware, they may be hesitant to report their mistake out of fear of repercussions. A technological safety net can alleviate both problems. The advent of contextual machine learning has enabled organizations to implement technology capable of learning what constitutes normal behavior for employees—who they typically exchange emails with, what the content of those emails generally includes, what types of information or files are exchanged, etc. Consequently, this allows the technology to identify behavior that does not fall within those typical patterns and raise a red flag.
Any communication comes with inherent risks, and email is no exception. But few employees have the time (or the patience) to double- and triple-check every email address attached to each message or verify the contents of every attachment. However, with the help of contextual machine learning, an employee might receive an alert telling them they are about to send confidential information to an unfamiliar email address, leading the employee to realize that what they thought was their boss’s address in fact belongs to a scammer. Rather than rely on employees to self-report, this type of safety net enables those employees to catch and correct their own mistakes before the message is ever sent.
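As an added illustration of the baseline-and-deviation check described above (example code written for this page, not Egress's product or anything from the article), the Python below learns a sender's normal recipients from a constructed sent-mail history and warns only when content matching confidential markers is headed to an unfamiliar or lookalike address; all addresses, subjects and marker words are hypothetical.

```python
import re

# Constructed sent-mail history for one employee: (recipient, subject).
# All addresses are hypothetical; none come from the article.
SENT_HISTORY = [
    ("ceo@example-corp.com", "Q2 board deck"),
    ("ceo@example-corp.com", "Travel approval"),
    ("finance@example-corp.com", "Invoice batch"),
    ("dana@partner-firm.com", "Contract redlines"),
]

# Crude stand-in for content classification: words that mark sensitive mail.
CONFIDENTIAL_MARKERS = re.compile(
    r"\b(confidential|ssn|social security|payroll|customer list)\b", re.I)


def build_baseline(history):
    """Learn the sender's normal recipient addresses and recipient domains."""
    addrs = {rcpt.lower() for rcpt, _ in history}
    domains = {addr.split("@", 1)[1] for addr in addrs}
    return addrs, domains


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (e.g. c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_outbound(baseline, recipient, subject, body):
    """Return (warn, flags) for a message the user is about to send."""
    addrs, domains = baseline
    rcpt = recipient.lower()
    domain = rcpt.split("@", 1)[1]
    flags = []
    if rcpt not in addrs:
        flags.append("unfamiliar recipient")
    if domain not in domains:
        lookalike = [d for d in sorted(domains) if edit_distance(domain, d) <= 2]
        flags.append(f"domain resembles known {lookalike[0]}" if lookalike
                     else "unfamiliar domain")
    if CONFIDENTIAL_MARKERS.search(subject + " " + body):
        flags.append("confidential content")
    # Interrupt the sender only when sensitive content meets an unusual recipient,
    # so routine mail to known contacts is never flagged.
    warn = "confidential content" in flags and len(flags) > 1
    return warn, flags
```

A real deployment would replace the marker regex with a trained classifier and build the baseline from months of mail rather than four messages, but the decision logic is the same.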
The sophistication and value of this type of behavioral analytics should not be underestimated, and the evolution of this technology has enabled organizations to more effectively secure their email and file transfer methods, implement smart authentication procedures and adopt a more risk-based protection stance. These are all incredibly valuable when it comes to maintaining CCPA compliance, notably because they enable problems to be dealt with before they occur, rather than focusing on the cleanup after a breach has already happened. The addition of human layer protection, specifically designed to prevent the human mistakes employees make every day, has the potential to be a game-changer for organizations searching for ways to shore up their defenses against one of today’s most common breach vectors.
Moving Forward Under the CCPA
The fact that CCPA enforcement has coincided with the global COVID-19 pandemic may feel overwhelming to some, but the truth is that the need for stronger data protection has not changed. Whether employees are working from home or from within a corporate office, mistakes happen. Human error has been a driving force behind breaches for a long time, and identifying ways to combat the problem should be a priority for businesses independent of the CCPA. The growth of BEC attacks and the prevalence of phishing scams during the COVID-19 lockdown serve only to highlight the existing issue.
Fortunately, today’s businesses are in a better position than ever to combat this longstanding problem. The growing sophistication of behavioral analysis technology, driven by advancements in machine learning, has enabled organizations to provide their employees with the means to self-correct minor errors before they can become major breaches. In a world where something as simple as a misdirected email can lead to major CCPA penalties or become a multimillion-dollar breach, it is increasingly critical for businesses to put human layer security in place to protect their most vulnerable asset: their people.