SHIELDing New Yorkers from Cyber Breaches
Ericom Software, developers of the Ericom Shield solution for secure browsing, applauds New York State’s proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which aims to protect the personal information of state residents from data breaches by tightening data security requirements for companies. Of course, we particularly appreciate the title of the act!
Background to the Legislation
In the aftermath of last July’s Equifax breach, which compromised the personal data of 8 million New Yorkers, the State government proposed comprehensive legislation to tighten data-security obligations on companies that handle the personal data of New York residents. What makes this legislation particularly powerful is that since it provides protection for state residents, it applies to out-of-state businesses as well.
Equifax was only the latest of many such attacks, albeit a massive one. Companies in other industries have fallen victim as well. In 2016, Yahoo announced the biggest data breach in history, affecting more than one billion accounts. Last year, more than 30 companies across numerous other industries—including Hyatt Hotels, Whole Foods Market, Saks Fifth Avenue, Deloitte and even the Securities and Exchange Commission—were forced to admit that they, too, were victims of massive data breaches.
The New York Attorney General’s Office, in fact, reported that it had received more than 1,300 data-breach notifications in 2016, with the number of notifications continuing to increase through 2017 and into 2018.
The SHIELD Act
Until now, New York has had few laws that impose data security obligations on companies, provided that the personal information they handle doesn’t include Social Security numbers. The proposed SHIELD Act will require companies that store personal data to adopt “reasonable administrative, technical and physical protections.” If it passes the state legislature, the new Act will cover companies that collect any sort of personally identifiable information (PII) of New York residents. In case of an actual breach, the Act imposes tough public disclosure requirements and broadens the information that companies must provide to consumers.
Non-compliance with the SHIELD Act could be quite expensive. The proposed legislation empowers the Attorney General to sue companies that don’t provide adequate security for the data they handle. Last October, even before the SHIELD Act was proposed, the Attorney General’s office announced a $700,000 settlement with Hilton Hotels after 350,000 credit card numbers were exposed in two separate breaches. The SHIELD Act expands the power of the Attorney General to go after non-compliers, and can result in even more severe and expensive consequences.
Major Cyber Attack Targets
While there are many ways that cyber attackers invade companies’ digital systems to steal information, in recent years, endpoints have become the most common attack surface.
Endpoints – the multitudes of desktop and laptop computers used across companies daily to conduct their business – deal with vast volumes of personal information including credit and health records. From their endpoints, employees now share more information and connect to more outside networks than ever, making them the targets of sophisticated attacks. Hackers target endpoints with phishing and other sophisticated schemes thousands of times every day in an effort to pilfer the data.
Browsing on the Internet is particularly dangerous. It exposes endpoints to attacks that come in many forms—drive-by downloads, cryptojacking, plug-in exploits, ransomware and malicious scripts—and that expose company and citizen data. To safeguard both personal data and business networks, it’s important to understand how to protect endpoints.
Bolstering Your Cyber Security Regime
While the Act has yet to pass, New York Attorney General Underwood just released a Small Business Guide to Cybersecurity in New York State. The guidelines follow IT best practices and are based on establishing a multi-layered perimeter defense:
- Physical Access: Areas where data servers and other equipment that store or access PII are deployed must be secured in locked rooms and restricted areas. These facilities may be accessed only by trusted personnel with keys and cards.
- Network Access: Devices and software that run on company networks, e.g., switches, routers, TAPs, gateways, firewalls, wireless devices and intrusion prevention systems, must be monitored constantly for security gaps.
- Strong Passwords: Enforcing password complexity throughout your organization is simple, yet essential. Long passwords with uncommon words that cannot easily be guessed, as well as the use of unique passwords for different accounts, ensure that the first line of defense of your organization is kept secure.
- Update Software: Security holes in operating systems, applications and databases must be plugged with all current security patches. Don’t wait! Data Leakage Prevention (DLP) systems must keep careful watch over email and other servers to prevent critical, unprotected data from leaving the company via even innocent means such as email attachments, links, and downloads.
- Anti-Virus Programs and Firewalls: Desktops, laptops, printers, scanners, tablets and smartphones are the most frequent targets of cyberattacks. Companies must deploy a litany of anti-virus, anti-spyware, client firewalls and other endpoint-mounted detection and protection systems, and keep them current with the latest threat intelligence.
While these guidelines provide a baseline for prudent IT security, they are reactive in scope. In many cases, malware and cyberthreats are unknowingly welcomed onto a company network when a user clicks on a rogue link in an email or visits a website that has been compromised. Moreover, the sophisticated social engineering techniques employed by many hackers make such human errors pretty much inevitable.
In recent years most cybersecurity experts have concluded that, given the rapid proliferation and limitless varieties of malicious code, defending against specific threats is a losing battle. Instead, they recommend that organizations focus on containing attackers’ ability to do damage. An important new technology, Remote Browser Isolation (RBI), was designed with just that purpose in mind.
When a user opens a site on their computer, tablet or phone, RBI actually renders the site in a virtual browser that runs in a temporary container on a remote server or in the cloud. The safe visual representation of the website that is streamed to the user’s device provides a natural, fully interactive browsing experience that is indistinguishable from “regular” browsing. Yet executable code from the site – benign or malicious – never reaches the endpoint: it is confined to the container and destroyed when the user leaves the site.
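As an added illustration (not Ericom’s code or a description of how Ericom Shield itself is built), the following small Python model shows the isolation boundary described above: a remote session parses the page and hands the endpoint only an inert representation (text and ordinary links), while script, embedded frames and objects, inline event handlers and javascript: links are dropped on the remote side and the session state is discarded afterward. The sample page and all names in it are constructed for this example; a real RBI product streams rendered pixels or a sanitized DOM over a much richer channel.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # executable / embedded content
UNSAFE_SCHEMES = ("javascript:", "data:", "vbscript:")

class RemoteRenderer(HTMLParser):
    """Runs on the remote side: keeps text and plain links, drops active content."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self.dropped = [], [], []
        self._inside_active = 0  # depth inside an ACTIVE_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._inside_active += 1
            self.dropped.append(tag)
            return
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler, e.g. onload
                self.dropped.append(f"{tag}@{name}")
            elif tag == "a" and name == "href" and value:
                if value.lower().startswith(UNSAFE_SCHEMES):
                    self.dropped.append(f"a@href:{value.split(':')[0]}")
                else:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and self._inside_active:
            self._inside_active -= 1

    def handle_data(self, data):
        if not self._inside_active and data.strip():  # script bodies are skipped
            self.text.append(data.strip())

def isolate(page_html):
    """One disposable session: render remotely, hand back only the inert view."""
    renderer = RemoteRenderer()
    renderer.feed(page_html)
    renderer.close()
    view = {"text": " ".join(renderer.text), "links": list(renderer.links),
            "blocked": list(renderer.dropped)}
    del renderer  # session torn down: nothing fetched from the site persists
    return view

# Constructed sample page: legitimate content mixed with active elements.
SAMPLE_PAGE = """<html><body onload="track()"><h1>Account statement</h1>
<p>Balance: $42.00</p><script>alert('payload')</script>
<a href="https://example.org/help">Help</a><a href="javascript:alert(1)">Click</a>
<iframe src="https://example.org/ad"></iframe></body></html>"""
```

Calling `isolate(SAMPLE_PAGE)` returns the page text and the one https link, with the `blocked` list recording the onload handler, the script, the javascript: link and the iframe that never left the remote session.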
As the creators of Ericom Shield, we welcome New York State’s SHIELD Act initiative. Adhering to the guidelines and educating businesses and users is an important first step in improving cybersecurity. But we urge the business community to go further by adopting solutions, like Remote Browser Isolation, that protect customer data by keeping malware and ransomware at arm’s length from vulnerable endpoints.