In a recent conversation with CDS, privacy and digital forensics expert Cody Breunig discussed the importance of data security and the role of a gatekeeper in protecting sensitive information at his organization.
Cody brings a rich background of military service and law enforcement to the data security world. At 17, he joined the U.S. Army. After completing his service, he entered law enforcement as a police officer, eventually became a forensic investigator focusing on cybercrimes, started a cybercrimes unit, and joined the Secret Service electronic crimes task force. For the past seven years, Cody has been the director of privacy and digital forensics at WM.
Key Takeaways:
- Everyone has a legal and ethical duty to collect and handle data responsibly.
- The consequences of a data breach—including financial loss and reputational damage—can be massive and far reaching.
- Organizations need a clear understanding of the data they collect, where it is stored, and the security protocols in place.
- Organizations should develop a data security mindset and a culture of data protection, and educate employees about potential risks.
“I’m an old military guy, I like a rally point for everything. So, whether that rally point is outside counsel or wherever you’re going to load the data, I’d like it to all go to a central point where all the security elements can be put in place.”
From his unique perspective, Cody offered practical advice for organizations to start building a strong data protection foundation, including identifying the data collected, understanding its storage and security, and controlling its flow downstream.
How has your military career and your investigative experience affected your mindset regarding data security?
My mindset is very much service- and duty-oriented. We have a mission, we have a reason for existence, and that reason to me is to serve others. For me, it’s been a move from the military and law enforcement into the cyber side of things. No longer do I think I’m going to get in a fight on the streets, but do I think that I’m going to defend our organization? Yes, especially in today’s world where thousands of breach attempts happen every single day. My background has definitely shaped how I handle my daily duties.
How has your role as gatekeeper at Waste Management evolved?
A gatekeeper isn’t one person. When an organization becomes large, it’s important to have a dedicated team to put processes and controls in place. As a large company, we spin up new ideas all the time. However, we need to understand that somebody doesn’t just run with that idea and put it into place without putting it through a common risk assessment. It’s important that we have those controls in place in all the different areas within the company, and all areas need to understand those controls.
When I started at Waste Management seven years ago, we didn’t have the regulations that we do today. We had GDPR on the horizon, but we didn’t have the amount of privacy regulations in place today. Everyone’s aware of many of the different privacy regulations—California, a number of other U.S. states, Canada—all have different privacy regulations. India just updated some privacy regulations. You’ve got regulations all over the place, and it’s important to understand where we have data. Is there a regulation there we don’t even know about that tells us how we should be handling data?
So it’s really important to have that understanding. It was hard to figure out how to put everything in place, bring everything together, and put all the controls in place because we’re such a big organization. But the mindset was there because it goes back to the ethical standpoint. This is something we have a duty to do so we’re going to do it. Now we have an even higher burden because the law says we should do it. So now we’ve got two great reasons why we’ve got to do it.
When setting up a gatekeeping team, what’s the most important thing to do first?
It would be overwhelming to come in and figure this out, particularly if nothing like this exists in the company. Don’t try to boil the ocean to begin with. You’re never going to get there. I think it boils down to a couple of questions:
- What data are we collecting? Are we collecting data from our employees? Are we collecting data from customers? Are we collecting data from other companies? Where are we collecting that data? That data could be a wide range of things—biometrics, images, actual data, and protected data like our Social Security numbers and dates of birth. Customer data such as when you service their accounts, payment data, and even passwords or challenge questions customers might use. All of that is important data.
- Where do we put that data? Is it stored in-house, in Microsoft, in Office 365? Is it stored with the vendors? Is it stored in the cloud? Is it encrypted? How is it sitting at rest? What is it doing? What security protocols are around it? Where does it flow downstream? What do we do with it from there? Then we can start figuring out the security protocols to put in place. Is it available to the entire company? If so, what do they do with it? Do they have the ability to send it out all over the place?
We want to control our data, so we’ve got to have a process around that. Do we set permission protocols, security protocols based on the job role of somebody to be able to access that data? Hopefully so, that’s a standard. It behooves us, to protect ourselves, to start limiting the roles that can access the data. Once you start limiting that, it’s easier to control the flow of data downstream. Start out answering just those couple of questions.
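The two questions above (what data do we hold and where does it sit; who can read it and where does it flow) are what a data inventory answers. The following is an added example, not code from the interview or from WM: a small Python inventory with a role-based access check and a findings pass that flags the gaps the speaker describes (sensitive data unencrypted at rest, sensitive data readable by the whole company, and downstream recipients with no contractual arrangement). The asset names, roles, locations and the "all-employees" pseudo-role are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Classifications that trigger the stricter checks below.
SENSITIVE = {"confidential", "restricted"}

# Pseudo-role meaning "anyone in the company can read this" (constructed name).
EVERYONE = "all-employees"


@dataclass(frozen=True)
class DataAsset:
    """One inventory entry: what the data is, whose it is, where it sits, who may read it."""
    name: str
    classification: str                     # public / internal / confidential / restricted
    subjects: str                           # employees, customers, vendors, ...
    location: str                           # where it is stored
    encrypted_at_rest: bool
    allowed_roles: FrozenSet[str]           # job roles permitted to read it
    downstream: Tuple[Tuple[str, bool], ...] = ()  # (recipient, contract_in_place)


def can_access(asset: DataAsset, role: str) -> bool:
    """Role-based check: a role reads an asset only if explicitly listed (or it is open to everyone)."""
    return role in asset.allowed_roles or EVERYONE in asset.allowed_roles


def inventory_findings(assets: List[DataAsset]) -> List[Tuple[str, str]]:
    """Return (asset name, issue) pairs for the control gaps the inventory itself reveals."""
    findings: List[Tuple[str, str]] = []
    for a in assets:
        if a.classification not in SENSITIVE:
            continue  # public/internal data is not subject to these checks
        if not a.encrypted_at_rest:
            findings.append((a.name, f"{a.classification} data at '{a.location}' is not encrypted at rest"))
        if EVERYONE in a.allowed_roles:
            findings.append((a.name, "readable by the entire company; restrict to job roles"))
        for recipient, contract in a.downstream:
            if not contract:
                findings.append((a.name, f"flows to '{recipient}' with no contractual arrangement"))
    return findings


# Constructed sample inventory for illustration; not WM's actual systems or data.
INVENTORY = [
    DataAsset("hr_personnel_records", "restricted", "employees", "on-prem HR database",
              encrypted_at_rest=True, allowed_roles=frozenset({"hr", "payroll"}),
              downstream=(("benefits_provider", True),)),
    DataAsset("customer_payment_data", "restricted", "customers", "billing vendor platform",
              encrypted_at_rest=False, allowed_roles=frozenset({"billing", EVERYONE}),
              downstream=(("outside_counsel", False),)),
    DataAsset("marketing_site_content", "public", "none", "cloud object storage",
              encrypted_at_rest=False, allowed_roles=frozenset({EVERYONE})),
]


def main() -> None:
    for name, issue in inventory_findings(INVENTORY):
        print(f"{name}: {issue}")
    print("sales can read customer_payment_data:", can_access(INVENTORY[1], "sales"))


if __name__ == "__main__":
    main()
```

Running the block prints three findings, all for `customer_payment_data`, and shows that the `sales` role can currently read it because the asset is open to everyone; removing the pseudo-role from `allowed_roles` is the fix the speaker describes, and the downstream entries are the place to record whether the contractual arrangement from the later answer actually exists.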
“Knowledge is power and knowledge gives people the ability to understand things. So the more we give to our employees, the more we empower them to make wise decisions.”
Does the average person take safeguarding their data seriously enough?
I probably take that sense of responsibility more seriously than many do. I think everyone should take it seriously, especially in this day and age, when you can’t go anywhere without being on some sort of electronic device or being recorded. You go into the supermarket and the business is pinging your location within the store to see what you stand in front of the most. The reality is data is constantly being collected about us.
I think of all the times that I’ve gotten the letter in the mail from X, Y, Z agency saying my data’s been found or compromised. We toss those letters aside, but the reality is data breaches can have extremely detrimental effects for some people. It may not be that big of a deal for the average person who has the data taken. Maybe more of an annoyance to call the bank and get things worked out.
But if you’ve ever been the victim of fraud—I have, and I’ve worked fraud cases way back in the day as a detective—you know it can ruin someone’s life. As human beings, we have a duty to watch out for our brother. If a person trusted us to take care of their data, our duty is to be cognizant and keep track of it.
I’ve seen data produced and turned over to the other side, but completely mishandled from there. We’ve had stuff appear on public facing websites that included sensitive information about employees because it was turned over as it was supposed to be, and the person published some of that information to a public site. They had a duty to put some information out, but they posted all sorts of bad information.
The duty doesn’t just stop when it leaves your organization. You’ve got to ensure that the right contractual arrangements are in place and you’re doing everything within your power to control the downstream movement of that data to ensure that you’ve at least done what you can to keep it secure, even if it’s not your organization.
Do most people look out for scams now, or do they still intrinsically trust others?
I’m not going to say everybody, but humans tend to be trusting individuals a lot of the time. They take people’s word because they don’t want confrontation. I’m not saying people shouldn’t be trusting—what I am saying is make people verify that what they’re doing is accurate.
Test your groups by sending a phishing email and seeing who actually responds to it. Say the last time you sent this out you identified some key players who clicked on the phishing experiment nine out of 10 times—maybe you need to target them for some really specialized education. Knowledge is power and knowledge gives people the ability to understand things. The more we give to our employees, the more we empower them to make wise decisions.
A real breach scenario where people truly are harmed can have devastating effects on a company. We’ve all seen in the news, billions with a B. And outside of that, the reputational harm that comes with it—“I don’t want to go to that service provider because they have recently been in the news for losing data.”
From a company standpoint, we’ve specifically chosen not to go with vendors because they have a past history of breaches and not keeping their data secure. Breaches are devastating to a company, not just financially, but also branding-wise, which obviously rolls back to the financial side. You’ve got people at the top who recognize that, and it’s very important because they see the devastating effects of not being secure. It only takes one time.
“When it comes to security, everybody needs to have that mindset of if it were my data, how would I want it to be handled? Let’s pretend for a moment that this is my data, my spouse’s data, my child’s data, how would I want it handled? That is the litmus test that I like to use.”
Does it take a special skill set or POV to be a data steward?
Everyone is suited to be in this. Everybody plays a role. We as people are the frontline of defense for everything. The most susceptible area in any organization is its people because we can protect our systems. But what can be challenging to protect is a person from within our systems accidentally doing something and exposing something. When it comes to security, everybody needs to have that mindset of if it were my data, how would I want it to be handled?
Let’s pretend for a moment that this is my data, my spouse’s data, my child’s data, how would I want it handled? That is the litmus test that I like to use. “Should we really be collecting this data? How would I feel if somebody was collecting this data? Is there really a business reason to collect it?” For some organizations, there may not be a business reason why they’re collecting it. Say that data gets breached and now people are suffering because we collected something that we didn’t even need. The last thing you want to do is collect data you don’t even need.
How can organizations develop a data security mindset?
Whether we’re talking about the litigation hold process or data security in general, it’s a mindset not developed instantly. A mindset is something that’s put in place over time, and it’s repetitive. From the military side of me, it takes a thousand repetitions or more before something becomes automatic.
Organizations have to make security an everyday thing, a mindset. Every email you get, everything you do, you need to be cognizant that you’ve got to be careful with it. We can’t just be putting credit card numbers down and leaving them out for general consumption. We’ve got to be careful about who we talk to because when you answer the phone, it’s really easy to get tricked.
The bigger your organization is, the easier it is to trick people. I could just pretend to get on a call. I could call up a random company and say, “I’m so-and-so with cybersecurity group, and we’ve noticed an issue going on.” I speak plain English, I can probably speak their language. I’ve got the ability to make people calm down. “Yeah, I know this is a pain. We just noticed this. Have you noticed some issues going on?” You can plant these little seeds in people’s heads and make them susceptible. That is where you can gain access.
I have no problem when I make calls and somebody asks, “I’m sorry, who are you?” Great. I’m glad you’re asking these questions. “Go look me up in Active Directory, here’s who I work with. Here’s who your boss is. I work with them regularly.” That is very important. Without that mindset, people ultimately are going to be malleable and susceptible to anybody who might be out there trying to do harm to an organization.