There is a new California Information Security law that can impact organizations headquartered anywhere in the world. Any company licensing or maintaining any personal data about California residents must now comply with this new law.
Enterprise mobile IT security remains in a state of stunted evolution at many organizations—even as headlines continue to litter our social media and news feeds citing data breaches that spilled millions of records into the wrong hands. Now, California’s Department of Justice has decided that if businesses won’t step up adequately to the challenge of next-generation cyber security, then the world’s sixth largest economy must get more aggressive about regaining ground against the global hacker community. Can you blame California when you consider the dire findings in the 2016 “California Data Breach Report”?
Data Breaches Are Getting Worse
According to the report, breaches involving private information of California residents increased 26.4% between 2012 and 2015, from 131 to 178 breaches. But the whole story isn’t told until you consider that there was a 99% spike in total records stolen (from 2.6 million in 2012 to 24 million in 2015). That means a whopping 3 in 5 Californians were victims of a data breach in 2015.
Figure 1: Number of Records Breached, 2012-2015
Malware and Hacking Responsible
For once, human error cannot be entirely blamed for compromised records. More than half of breaches in the report were first-degree breaches by hackers carrying out sophisticated, carefully executed attacks:
Malware and hacking accounted for breaches that affected over 44 million records—or 90% of all records breached.
Figure 2: Type of Breach by Number of Records, 2012-2015
Retail, Finance and Healthcare Hit Hardest
High-value private data protected by HIPAA, FINRA and other major compliance requirements has been targeted relentlessly by hackers. The largest data breaches from 2012-2015 hit several of the most recognized brands in the U.S. and the world.
Figure 3: Mean and Median Breach Size, 2012-2015
|Organization|Records Breached|Year|
|---|---|---|
|Anthem Inc.|10.4 million|2015|
|Living Social|7.5 million|2013|
|UCLA Health|4.5 million|2015|
|PNI Digital Media (Costco/RiteAid/CVS)|2.8 million|2015|
|T-Mobile USA, Inc. (Experian)|2.1 million|2015|
What Does It All Mean in the Immediate Future?
In a recorded August 2016 webinar, “New Legal Requirements for Mobile Security – EMM is Not Optional”, the CSO and CPO (Chief Privacy Officer) at MobileIron help business, risk, IT security and legal stakeholders understand two vital truths about the new statute:
- Your organization likely does NOT currently comply with this new law.
- To comply, your IT Risk and Security teams must know how to meet the Center for Internet Security (CIS) Controls as mandated by the new law for minimum compliance.
Central to the CIS Controls is the much-stressed theme of organizations moving from traditional reactive IT security to proactive IT security that does a better job of:
- keeping the State of California in the loop about breaches
- defending mobile endpoints across all mobile attack vectors, including OS vulnerabilities, malicious apps, risky user behavior and WiFi/cellular network-based threats.
Be Proactive about IT Security… Now, More than Just a Recommendation
Below is one of the stories spotlighted in the MobileIron webinar that may have helped to nudge California into enacting the new Information Security law pushing for proactive IT security:
In 2011, a data breach at Citibank compromised 360,000 records via a website flaw known since 2008. It took Citibank two and a half weeks to remediate the attack, during which time the hacker continued to gather customers’ credentials. A month went by before Citibank notified its customers and the State of California. Citibank’s reactive approach to the data breach spurred California to bring a highly publicized case against Citibank.
Compliance with the new California law through adoption of the CIS Controls means that your organization’s IT security architecture and policy must meet higher standards for mitigation speed and transparency about a breach—not if, but when a breach happens at your organization, a painful new normal. Two fundamentals underlying the CIS Controls are:
- There is no faster remediation than proactively detecting and stopping cyber threats and attacks before they can attempt an exploit.
- Full transparency toward governments, customers and partners is not possible without the ability to gather real-time threat intelligence about all mobile endpoints—including BYOD and CYOD.
The first five CIS Controls directly address these two fundamentals:
- CSC 1: Inventory All Authorized and Unauthorized Devices
BETTER VISIBILITY: CIS recommends supporting this Control via MDM (Mobile Device Management) or an Enterprise Mobility Management (EMM) solution. Skycure MTD (Mobile Threat Defense) is another tool available with EMMs that helps inventory security-compliant devices, including BYOD, without infringing on user privacy or productivity.
- CSC 2: Inventory Authorized and Unauthorized Software
BETTER VISIBILITY: Similarly to CSC 1, CIS recommends using MDM to inventory apps, enforce app policies and whitelist secure apps. With EMM, Skycure MTD can actively monitor apps, predictively and proactively detecting malware and repackaged apps, and enforcing your policy with BYOD users, who do not want 24/7 invasive VPN tunneling and containerization on their devices.
- CSC 3: Secure configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
BETTER MANAGEMENT: With this Control, CIS wants EMM/MDM to enforce restrictions across all endpoints. Skycure MTD extends policy enforcement across all mobile devices, including BYOD, and non-disruptively detects policy non-compliance, ranging from jailbreaks, roots and encryption deactivation to unauthorized app installs and more. Further, Skycure MTD predictively and proactively remediates non-compliance before risky user behavior can trigger an exploit.
- CSC 4: Continuously Assess and Remediate Vulnerabilities
SMARTER WATCHDOGS: CIS recognizes in this Control that your organization must be able to assess mobile endpoints for OS vulnerabilities and malware on a continuous basis, as you can for endpoints behind your IT perimeter. EMM with Skycure MTD converts devices into sensors that constantly collect real-time threat intelligence. Skycure further leverages patented products, namely Crowd Wisdom and Active Honeypot, to enact predictive and proactive measures that assess mobile endpoints for yet-to-be-discovered vulnerabilities and zero-day threats.
- CSC 5: Control Use of Administrative Privileges
SMARTER VISIBILITY: Finally, CIS confronts attacks that use valid credentials with this Control. EMM/MDM can retain visibility for this Control even with mobile users who root or jailbreak their device(s). Skycure MTD predictively and proactively remediates suspicious user behavior regardless of valid credentials, triggering additional Skycure proactive tools to uniquely qualify suspected non-compliance or exploits, thereby minimizing false positives.
Path to Compliance
The transformation journey to comply with California’s new Information Security law involves two principal lanes:
- Get Proactive (with Speed and Transparency) about Mobile IT Security.
- Make Buy-in and Education Dialogues Painless across Your Organization.
These transformation lanes are intertwined: painless dialogues start by assuring users that getting proactive about mobile IT security (that is, complying with the new law) does not infringe on user privacy or user experience. Your workforce is free to GO ahead and install Pokemon GO on their BYOD devices, but if an employee installs a malware version of Pokemon GO, your mobile IT security had better predictively and proactively defend any data concerning California residents.
Learn more about how MobileIron EMM/MDM and Skycure MTD can make your compliance journey for enhanced speed and transparency painless. Skycure was built from day one for predictive, proactive mobile IT security.
Or speak to Skycure about calibrating your MobileIron EMM/MDM solution for compliance with the new California Information Security law today.