In today’s digital economy an increasing volume of information is collected and data is turning not only into a more valuable, but also into a more vulnerable resource. For businesses it has become a key input for growth, differentiation and for maintaining competitiveness. With data’s expanding importance, information security is evolving into a critical aspect for organizations, as the risk of sensitive data being breached – due to intended or unintended incidents – increases at an alarming pace.
Data breaches are security incidents where confidential information is leaked or stolen from a system without the knowledge or authorization of the system’s owner. According to a study conducted by the Ponemon Institute, the average cost for each lost record increased by 4.7 percent from 2017 to 2018 (from $141 to $148), while the average total cost of a data breach rose from $3.62 million in 2017 to $3.86 million in 2018, marking an increase of 6.4 percent. As security breaches make new headlines every week, companies must ensure that sensitive data is adequately protected in order to prevent loss or theft. The security measures include the policies they have in place to protect it, as well as the strategies and tools at their disposal for breach mitigation.
Protection of sensitive data is required not only for legal or ethical reasons, but for issues related to personal privacy, as well as for safeguarding the reputation of the business. Sensitive data includes personally identifiable information (PII) such as names, credit card numbers, email addresses or phone numbers of customers and employees, as well as intellectual property and trade secrets, industry-specific data and information related to operations and inventory.
Let’s see what practices businesses can apply in 2019 to prepare themselves appropriately against a data breach:
Employees have an important role in keeping their organizations secure; however, without security awareness and effective training, they can be the weak link in the data security chain and present a major vulnerability. With the emergence of cloud storage tools, IoT devices and BYOD trends, it is easier than ever to put sensitive data at risk. According to the 2018 State of Privacy and Security Awareness Report, 75% of the surveyed employees had trouble identifying best practices related to appropriate behaviours in cybersecurity and data privacy.
Effective training is a critical component: it means ensuring that employees are informed about the importance of data security, have the know-how to detect threats and avoid leakages, and are empowered to report potential privacy incidents. It is important to train them about the specific cybersecurity risks of the industry and company, as well as about the repercussions that a data breach can have.
For better cyber protection, access to sensitive information should be limited on a “need to know” basis, and it is important to include real-life examples of reportable incidents in employee training. Employees must also be aware of their responsibilities and accountabilities when using a computer on a business network. Security policies should be regularly updated, as threats are continuously changing and cybercriminals are becoming savvier.
Cybersecurity measures are needed in every business industry, as sensitive information must be protected wherever it is stored, sent or used. While it is important to have traditional perimeter and network security like firewalls, intrusion detection, and antivirus systems, businesses should consider a layered approach which includes not only protection against security threats, but also identifying and monitoring security risks as well as responding to safety threats and incidents. Using encryption standards and a backup policy helps reduce risks, while ensuring that software is updated and patched regularly is crucial in minimizing network vulnerabilities.
Data Loss Prevention (DLP) solutions such as Endpoint Protector can help businesses prevent data breaches, as they make it possible to enforce protection policies and prevent illegal access to data. Restricting end users from sharing confidential information or transferring it from corporate networks is also possible, as well as controlling or blocking unauthorized devices. DLP solutions can help in protecting both data in transit and at rest. Nowadays, as digital security issues threaten businesses of all sizes, deploying such a solution is a requirement not only for large companies, but for small and medium-sized enterprises as well.
Each data protection regulation is an indication that companies are accountable for how they manage data privacy and people’s data. When organizations prioritize content protection to meet data protection regulations, they have a better chance not only of preventing data leakage, but avoiding fines and reputational issues as well. The best way to ensure compliance is by creating a data security policy that keeps data safe from risks both inside and outside of the company.
2018 was an important year in terms of consumer privacy laws, and rigorous regulations are becoming more prevalent on a global scale. Some of these impact specific countries or territories, like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), while others like the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA) focus on particular industries. For companies that process, store or transmit credit card information, the PCI DSS dictates who may handle and use sensitive PII like credit card numbers. Within a healthcare environment, the HIPAA regulates who may see and use protected health information such as a patient’s name or Social Security number. Furthermore, many countries have data breach notification laws that require both private and public entities to notify individuals of breaches involving personal data.
Vulnerability assessment is the process intended to identify, classify and prioritize security threats as well as determine the risks they pose to organizations. Regular security audits reveal a clear picture about data and act as a checklist to work towards data protection. When performing a vulnerability assessment, businesses should consider all aspects, such as data storage, remote access for employees and BYOD strategy, and ensure that policies and procedures are adequate.
The Center for Internet Security (CIS) ranks Continuous Vulnerability Management as the third most important practice in its 20 Critical Security Controls. Detecting vulnerabilities on a regular basis and prioritizing their remediation is also important in order to provide the level of data protection required by different regulations.
Although many companies haven’t developed a breach response plan yet, such a framework has an important role in dealing better with cyber security incidents, as well as limiting damages and restoring public and employee trust. The main aim is to set the roles and responsibilities for people tasked with managing a breach; including a draft notification and summarising the process of investigation is also vital.
The importance of a response plan is highlighted by regulations as well. For example, under GDPR requirements, organizations have to respond to data breaches within 72 hours of detection; this includes gathering all related information, reporting the breach to the relevant regulator and informing impacted individuals.
As technology continues to drive businesses, it also continues to make them vulnerable to cybercrime. In order to reduce the risk of joining the ever-growing list of breach victims, cybersecurity should become a priority for every organization.