Data breaches hit 43% of companies in the past year, according to a study by the Ponemon Institute. You may have heard of the data breach that put 56 million Home Depot credit cards at risk. However, you probably didn’t hear about your company’s ace salesman losing his USB memory stick, with all of your pricing data on it, at a trade show, or about the company credit card information your administrative assistant emailed to reserve a meeting room. Now, strangely, your competitors seem to be priced more competitively, and your credit card was just used to purchase $99 worth of gems in the Clash of Clans online game!
The above scenarios may be fairly easy to work through: you can continue to sell on your superior value, and you can get a chargeback on your credit card. But what if client payment information, confidential patient data, or sensitive personal information were lost or compromised? What is your exposure: financial, reputational, legal or otherwise?
Data breach isn’t just a concern for the big guys; it is a concern for everyone! Breaches can be categorized into three general groups.
1.) External breaches: hackers, viruses, theft of equipment, etc.
2.) Malicious insider activity: employees who use data for their own gain, embezzling, stealing or selling client lists or trade secrets, or exposing data in revenge for a perceived slight.
3.) Non-malicious insider error: employees (or contractors and vendors) who expose sensitive information by inadvertently losing company property with sensitive data on it (laptops, phones, tablets, memory sticks), leaving files unencrypted, misaddressing emails, etc.
Nothing will make you 100% secure, but steps can be taken to reduce the risk substantially. With proper precautions you can make going after your data extremely difficult.
External breaches can be reduced with a layered security system consisting of a firewall, anti-virus, anti-malware, spam protection, content filtering and a robust password policy.
Malicious internal breaches are a little tougher. You’ve brought in someone you trust to be working on your behalf, so you have given them unfettered access to your data. Some things that mitigate the risk are:
1.) Ensure employees have access only to the data that is pertinent to their job.
2.) Have written policies that alert potential sneaks that there are repercussions for misuse of company data.
3.) Establish procedures that ensure work is cross-checked. A common example is having a different person reconcile your bank statements than the person who writes your checks.
Non-malicious internal breaches often stem from ignorance, incompetence or laziness. Various levels of coaching and training can mitigate the risks stemming from those traits. Additionally, technologies such as encryption, email monitoring and web filtering can help overcome some of our weaker human tendencies.
Once you have a plan in place to diminish the chance of a data breach, review the policies periodically. When a breach, or near breach, occurs, update them immediately. Review them at least annually and plug any new holes that have appeared.
If a breach occurs, what do you do? The following general steps outline a comprehensive plan. Depending on the nature of the breach, some may not be applicable or the order may need to be shuffled:
- Discover the breach
- Assess the scope and remediate the cause. Stop the bleeding!
- Assemble an internal response team
- Contact law enforcement (if applicable)
- Employ vendors: Forensics specialist, data breach resolution expert, legal counsel, PR firm, etc.
- Begin notification; purchase identity theft protection for those affected, if applicable
- Make public announcement and launch website for breach information
- Mail/email notifications
- Respond to inquiries
- Resume business as usual
To help bear the brunt of mitigation, limit your financial and legal exposure, and get your network back in working order, you should consider data protection and cyber liability insurance. In addition to supplying financial remuneration for expenses incurred, many insurers provide professional services to help with the above remediation steps.
Not sure where to start? Contact Erlach Computer Consulting for a security consultation.