It’s no longer a matter of if a data breach will happen, or who it will happen to, as it can happen to any small, midsize or large business, organization or government. When a data breach happens, a business needs to respond quickly, and all too often businesses are not prepared to respond. It’s also important to realize that security policies and procedures are not “one size fits all” packages that a business can add to its cart, click purchase and be done with. If a business takes this approach, the likelihood of a data breach surely increases. While it’s important for every business to protect its sensitive digital information, it must first conduct a risk assessment to locate, identify and classify the sensitive digital information it owns to help reduce data privacy and breach risks. If your business does not know what high-risk data it collects or where the data is stored, and has not determined the data’s sensitivity level, how can you implement sound security policies and procedures?
After a risk assessment is conducted, a business is then ready to create its security policies and procedures. Once security policies and procedures are implemented and in place, a business should also conduct a vulnerability assessment. A vulnerability assessment is a critical element of a company’s risk management plan, as businesses can only determine the risk of activities being conducted within the organization once such an assessment is completed.
Here are 7 ways in which your business can protect its sensitive digital information:
1. Implement privacy and security policies and procedures.
Once your business implements its privacy and security policies and procedures, be sure to enforce them. As part of the ongoing process of defining and maintaining effective security policies, include an ongoing plan for employee awareness and training, and include periodic scheduled security audits (as applicable).
2. Encrypt sensitive data.
Some data does not need to be secured. For the data that does, encrypt it. It’s especially important that businesses encrypt sensitive data that is stored on mobile devices. If a mobile device is lost or stolen, encryption offers a business peace of mind and guaranteed protection.
3. Cyber insurance.
While cyber insurance can’t prevent a data breach from happening or protect sensitive digital information from being exposed, it offers a comprehensive solution to respond to a cyber attack and/or a data breach. It may offer coverage such as (depending on the specific policies and endorsements): crisis management and customer notification expenses, credit/identity theft monitoring, privacy and security liability, loss of business income (subject to a 12-hour waiting period), privacy regulatory defense and penalties, computer forensics investigation, and a “Data Breach Coach” (aka “Privacy” attorney).
4. Review service provider contracts.
Planning to utilize the cloud? Be sure to read your cloud service provider’s Service Level Agreement (SLA) carefully to avoid any surprises when it comes to storing sensitive digital information in the cloud. It is highly advisable to review a cloud provider’s SLA with an attorney who specializes in cloud SLAs to help your business determine how sensitive data will be protected in the cloud and what happens in the event of a data breach.
5. Secure your databases.
According to a recent Verizon Data Breach Investigations Report, more than 92 percent of records breached involve a database. Consider a data security solution that offers virtual patching and real-time protection for business-critical databases from all types of threats: external, internal, and even intra-database exploits.
6. Manage your employees’ “bring your own” mobile devices (BYOD) and “bring your own” cloud (BYOC).
It is critical to incorporate “BYOD” and “BYOC” into your company policies and procedures to minimize data privacy and breach risks. With personal mobile devices being used in business today, make sure you inform your employees what is and what is not acceptable. Quite often, out of pure convenience, employees will use free cloud services as a way to transfer sensitive and confidential business data, leaving your business vulnerable. Make sure you account for this vulnerability in your policies and procedures and in your employee security awareness and training programs.
7. Backup and recovery.
When planning a backup strategy, some things to consider are: How important or sensitive is the data on your systems? What type of information does the data contain? How often does the data change? How quickly do you need to recover the data? Do you need to store backups off-site?
While no security policy or system can promise a magic wand and offer 100% assurance in preventing a cyber attack and/or a data breach from happening, the above tips offer businesses of any size a great amount of information to think about.