Security Roundup: California's Data Privacy Act, McAfee, BetterCloud, Kudelski
California's data privacy law will impact tens of thousands of businesses globally.
The countdown is on for the “tens of thousands” of businesses that will be required to comply with the California Consumer Privacy Act (CCPA) by Jan. 1, 2020.
At present, just 14 percent of companies are compliant with CCPA and 44 percent have not yet started the implementation process, according to the results of a new survey by TrustArc and Dimensional Research.
The law will impact tens of thousands of businesses globally that have customers or employees located in California, according to TrustArc.
The CCPA applies to any business, including any for-profit entity, that collects consumers’ personal information, that does business in California, and satisfies one or more of the following thresholds: has annual gross revenues in excess of $25 million; possesses the personal information of 50,000 or more consumers, households or devices; or earns more than half of its annual revenue from selling consumers’ personal information.
Of companies that have worked on General Data Protection Regulation (GDPR) compliance, 21 percent are compliant with CCPA, compared to only 6 percent for companies that did not work on GDPR.
We spoke with Dave Deasy, TrustArc’s senior vice president of marketing, about the long and difficult road ahead for businesses impacted by CCPA. The research did not test to determine if some organizations impacted by CCPA were unaware of their obligations, but “our experience from the GDPR revealed some organizations were not fully aware of their compliance obligations until they had customers or partners inquire about their compliance status,” he said.
“Businesses who have prepared to comply with GDPR by creating good data governance practices, records of processing and individual rights procedures will have a head start,” he said. “One of the biggest differences between the GDPR and CCPA is the introduction of restrictions on the sale of personal data. Individuals may now request an accounting of disclosures, including the sale of personal information to third parties and the option to opt out.”
Some 71 percent of companies expect to spend more than six figures to comply with CCPA, while one in five expect to spend more than $1 million to achieve compliance, according to the TrustArc/Dimensional survey. For companies that were not impacted by GDPR, 79 percent will spend more than six figures to comply with CCPA, compared to 61 percent who have worked on GDPR compliance.
“There are a lot of companies that weren’t impacted by GDPR — typically banks, health care, telecoms, utilities or large companies that don’t have presence in EU,” Deasy said. “Now with CCPA, which shares a lot of the breadth of GDPR, those organizations are having to deal with the complexity of the regulations for the first time.”
Eighty-eight percent of companies require external help to understand CCPA requirements. Seventy-two percent plan to invest in technology to prepare for CCPA, while 61 percent plan to spend on consulting expertise.
Also, 66 percent of companies need help developing their CCPA privacy plan.
“We are working with MSSPs who are interested in expanding their security services with the addition of managed privacy services,” Deasy said. “These include services like readiness planning, privacy risk assessments and development of processes to manage consumer rights requests.”
Under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation, if not cured within 30 days of being given notice of such violation, he said.
The law also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft or disclosure, Deasy said. If the attorney general’s office declined to bring an action, residents could bring a private action, where businesses would face paying between $100 and $750 per resident or incident, regardless of whether actual damages are shown, he said.
McAfee Extends Mvision Cloud to Microsoft Teams
McAfee has unveiled an integration with Microsoft Teams to secure and manage collaboration in the cloud.
McAfee Mvision Cloud for Microsoft Teams is an extension to the already available security solution that McAfee Mvision Cloud has for Microsoft Office 365. It complements Teams’ capabilities by using an API-based cloud-native approach that allows IT teams to enforce data loss prevention (DLP) policies, collaboration controls and contextual access control, address threats from insiders and compromised accounts, audit all user activity and secure corporate data as users collaborate in the cloud.
With this new tool, companies can answer employees’ requests for a collaboration platform, while enforcing the security capabilities they need to keep data safe.
Vittorio Viarengo, vice president of cloud at McAfee, tells us if McAfee partners are authorized to sell Office 365 and McAfee products, this will “absolutely help them.”
“MS Teams requires an (Office 365) E-5 license and most customers have E-3,” he said. “Therefore, this is a great upgrade deal to add advanced security features to Office 365. Partners who are consultative may wrap cloud-journey consulting with this and may expand the deal even further into other cloud access security broker (CASB) services. Additionally, partners who love to do DLP initiatives can use McAfee device to cloud and it can easily hit all customer pain areas for DLP. It is also helpful for partners who do threat/security operations (SecOps). The activity monitoring and incident management workflows can help customers mature their SecOps disciplines in the cloud.”
BetterCloud: High Percentage of IT, Security Pros Feel Vulnerable to Insider Threats
Forget outside threats: 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions such as Google Drive, Gmail, Dropbox and more.
That’s according to a new report by BetterCloud. It surveyed nearly 500 IT and network security professionals from leading enterprise organizations.
Some 62 percent of respondents believe the biggest security threat comes from well-meaning but negligent end users. Forty-six percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable.
Forty percent of respondents believe they are most vulnerable to exposure of confidential business information, such as financial information and customer lists. And only 26 percent of C-level executives say they’ve invested enough to mitigate the risk of insider threats, versus 44 percent of IT managers.
Emily Cataldo, BetterCloud’s vice president of alliances, tells us the report shows that organizations need assistance managing and securing their SaaS apps.
“This is a huge opportunity for partners,” she said. “We’ve found that many customers, in addition to seeking cloud advisory services, are also turning to partners for advice and best practices around security and compliance.”
One of the most surprising findings was that 95 percent of companies using a CASB still feel vulnerable to insider threats, Cataldo said.
“The SaaS stack continues to grow in the enterprise and most companies are not equipped to deal with the data sprawl and complexity of the application infrastructure itself,” she said. “This is something we uncovered in the very early days of BetterCloud, but it’s surprising to see that so many IT and security professionals are still in the dark about how to handle this major shift.”
In today’s digital workplace, people are interacting with others and sharing data freely both inside and outside the organization, Cataldo said.
“IT and security professionals are losing control because there’s no easy way to monitor and understand these interactions,” she said.
Kudelski Teams Up with Hosho for Blockchain Security
Kudelski Security has partnered with Hosho, a global blockchain security and smart contract auditing provider, to extend the capabilities of its recently launched Blockchain Security Center (BSC).
The partnership makes the companies’ skill sets, services and intellectual property (IP) available to help organizations better secure their use of blockchain and distributed ledger technology (DLT).
Scott Carlson, Kudelski’s head of blockchain security, tells us cybersecurity has not been put first within the blockchain and crypto ecosystems.
“By forming this partnership, we open up the blockchain ecosystem not only to traditional security services … but also the beginning of new channels in which our security partners can benefit,” he said. “Enterprises and startups in the blockchain, crypto and IoT verticals must improve their security as they seek to change global practices, deliver guaranteed integrity or create new solutions with unseen mathematical algorithms.”
Kudelski and its partners can launch blockchain-ready features within existing security products that analyze, monitor or respond to attacks, Carlson said.
“For example, a crypto exchange is almost always just software, algorithms, some hardware components and public cloud,” he said. “By looking at these new business models with a focused security lens, opportunities should show up within each layer of the implemented stack. A ‘blockchain project’ does not just have blockchain, it has most other major technology components which should no longer be ignored.”
The partnership with Hosho marks the first time a global cybersecurity company has partnered with a traditional blockchain-focused company, Carlson said.
“This partnership expands the advisory, full-stack security, and operational capabilities of Kudelski’s expertise with the blockchain advisory and smart contract expertise of Hosho,” he said. “We have put a lot of thought into how cyber security needs can be layered on top of solutions that utilize digital ledger, IoT, and blockchain capabilities either in a startup or within an enterprise. Enterprises especially can feel confident knowing that by trusting Kudelski with their security advisory needs, we will have mature offerings ready to execute quickly and effectively.”