Today’s businesses need to find ways to protect themselves against data breaches, and they also need a plan they can put into action when a breach does occur. With this in mind, here are a few important tips to keep in mind to protect yourself, your customers, your employees, and your brand.
By Evan Morris
Look Beyond IT Security When Assessing Your Company’s Data Breach Risks
The best way to reduce threats across your organization is for security to reach beyond the IT department. Employees outside IT play a large role in keeping the company safe, because your employee exit procedures, remote-project protocols, and both on- and off-site data storage practices all influence whether a major threat succeeds against you. These aren’t the only places you’ll find risk, and evaluating them isn’t the end of the job. Once you’ve identified your company’s vulnerabilities you must write and enforce policies that address them, including ongoing monitoring where you allow BYOD, as well as physical safeguards. Even then you aren’t done: follow through on the changes you make and verify that everyone else does so as well.
Establish a Comprehensive Data Loss Protection Plan That Will Enable Decisive Action and Prevent Operational Paralysis When a Data Breach Occurs
Kroll says the effort you put in here shows consumers and regulators that your business takes data security threats seriously enough to have taken anticipatory steps to address them. Don’t stop at writing a plan, and don’t stop at publishing it either. Have your firm’s management structure actually practice the plan so you’re certain that everyone knows what to do when a breach occurs.
Educate Employees about Appropriate Handling and Protection of Sensitive Data
One of the most common types of data breach today is a lost or stolen employee laptop. You must plan for this because laptops hold a lot of critical information; a laptop with full-disk encryption and a strong login is a much smaller problem to lose than one without. A corporate policy for safeguarding portable data is a step in the right direction, but it only works when your employees know the rules and choose to follow them. There will always be employees who think they are above corporate regulations and do things their own way. When you identify them (and you eventually will), reprimand them so they understand what’s at stake, but don’t make a spectacle or an example of them in front of the rest of the company.
At the same time, remember that thieves can’t steal what you don’t have. This is where data minimization comes into play as a powerful element of preparedness. The rules are disarmingly simple:
- Don’t collect information from your clients that you don’t really need.
- Cut down on the number of places where you store the data you do need to collect.
- Don’t give every employee access to all the sensitive data you collect. Grant access on a need-to-know basis, per role rather than per person, and keep an up-to-date record of who has access to which data so you know who is handling it while it’s in your possession.
- When you no longer need the information, take responsible steps to purge it from every system in the company, including backups and copies you have shared with vendors.
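To make the last three rules concrete, here is an added example (not code from the original article) of a minimal need-to-know record store: field-level access is granted per role and denied by default, every read attempt is written to an audit log whether or not it was granted, and records are purged once their retention period expires. The roles, field names, customer records and dates are all constructed for illustration.

```python
"""Need-to-know customer store: per-role field access, audit log, retention purge.

Added example. ACCESS_POLICY, the roles and the sample records are
constructed for illustration and do not come from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Which fields each role may read. A role not listed here, or a field not
# listed for a role, is denied. Grant per role, not per individual.
ACCESS_POLICY = {
    "support":   {"customer_id", "email"},
    "billing":   {"customer_id", "email", "card_last4"},
    "analytics": {"customer_id"},
}


@dataclass
class Record:
    customer_id: str
    email: str
    card_last4: str
    collected_on: date
    retention_days: int  # how long we may keep the record after collection


class CustomerStore:
    def __init__(self):
        self._records = {}
        # One entry per access attempt: (actor, role, customer_id, fields, granted)
        self.audit_log = []

    def add(self, record):
        self._records[record.customer_id] = record

    def read(self, actor, role, customer_id, fields):
        """Return only the requested fields, and only if the role may see them all."""
        allowed = ACCESS_POLICY.get(role, set())
        denied = set(fields) - allowed
        granted = not denied and customer_id in self._records
        # Log before deciding, so denied attempts are recorded too.
        self.audit_log.append((actor, role, customer_id, tuple(fields), granted))
        if denied:
            raise PermissionError(f"role {role!r} may not read {sorted(denied)}")
        rec = self._records[customer_id]  # KeyError if the record is unknown
        return {f: getattr(rec, f) for f in fields}

    def purge_expired(self, today):
        """Delete every record whose retention period has elapsed; return their ids."""
        expired = [
            cid for cid, r in self._records.items()
            if today >= r.collected_on + timedelta(days=r.retention_days)
        ]
        for cid in expired:
            del self._records[cid]
            self.audit_log.append(("retention-job", "system", cid, ("*",), True))
        return expired

    def __len__(self):
        return len(self._records)


def build_sample_store():
    """Two constructed records: one still within retention, one past it."""
    store = CustomerStore()
    store.add(Record("C-1001", "ana@example.com", "4242", date(2024, 5, 1), 90))
    store.add(Record("C-1002", "ben@example.com", "1881", date(2024, 1, 1), 90))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read("alice", "support", "C-1001", ["email"]))
    try:
        store.read("bob", "analytics", "C-1001", ["card_last4"])
    except PermissionError as e:
        print("denied:", e)
    print("purged:", store.purge_expired(date(2024, 6, 1)))
    for entry in store.audit_log:
        print(entry)
```

The audit log is appended before the permission check so that denied attempts are visible to whoever reviews access records; a log that only shows successful reads hides exactly the behaviour you want to catch.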
Conduct a Periodic Risk Assessment
As business models and operational processes change, the levels of risk and liability change with them. This is why it’s important to continually determine whether you’ve acquired new areas or levels of risk. The best way to do this is to bring in specialized external resources to conduct an internal audit.
Keep Current with Security Software Updates
Unpatched systems run with known weaknesses that are waiting to be exploited. Applying patches takes time and resources, so establish guidelines and expectations for how quickly updates must be applied, prioritized by severity and by how exposed the system is. It’s also a good idea to have an intrusion detection system in place to catch attempts against the gaps you haven’t closed yet.
Provide Training and Technical Support to Mobile Workers
Make sure the same data security standards apply regardless of location. When you set these standards for your business, your remote workers need to know and follow them too. This includes keeping security and authentication software up to date on all devices (including mobile) and providing all employees with adequate training and technical support, even those who are remote.
Retain a Third-Party Corporate Breach and Data Security Expert to Analyze the Level of Risk and Exposure
Hiring an objective, neutral party to evaluate your company’s security gives you a clear, credible picture of what’s at stake. It works because an outside assessor isn’t worried about protecting a budget or under pressure to hide mistakes, as internal staff can be. The payoff is real: organizations that take a strong security posture and create a formal incident response plan before anything happens can reduce the average cost of a breach by $17 – $21 per record.
Don’t Rely on Encryption as Your Only Method of Defense
You should always encrypt data in transit and at rest. By itself, however, encryption can give your company a false sense of security. Most states have statutes that require notification only when a breach compromises unencrypted personal information, which tempts organizations to treat encryption as the finish line. But encrypted data is only as safe as its keys and the systems that use it: an attacker who compromises the application, steals the keys, or finds a weak or misconfigured implementation reads the data regardless, and data is necessarily in plaintext wherever it is processed. Many of those same statutes also withdraw the notification exemption once the key is compromised.
Hold Vendors and Partners to the Same Standards
It’s also important to define your security requirements up front with the vendors you use, and to write them into the contract along with breach notification timelines and audit rights. Check what security measures your state and federal regulations require vendors to follow and make sure they’re in compliance. Their mistake can be costly for you – about $25 per record.
Evan Morris is a Network Security Manager at MWR Infosecurity and an avid blog writer, particularly on technology, cybersecurity and forthcoming threats that can compromise sensitive data. He has extensive experience in ethical hacking. Evan can be reached on Twitter: @MorrisEvan4
Data breach stock photo by wk1003mike/Shutterstock