October is Cybersecurity Month, and a perfect time to refresh ourselves on the importance of good cybersecurity hygiene. For the rest of October, my Faruki colleagues and I will be publishing a series of blog articles dedicated to nascent legal issues in the cybersecurity field.
According to the Verizon 2017 Data Breach Investigations Report, 61% of data breach victims are businesses with fewer than 1,000 employees. According to Nationwide's third annual survey of 1,069 business owners with 1-299 employees, more than 20 percent of cyberattack victims spent at least $50,000 and took longer than six months to recover. But 7 percent spent more than $100,000, and 5 percent took a year or longer to rebuild their reputation and the trust of their customers. Further, according to last year's Centrify study, 66% of U.S. consumers are at least somewhat likely to stop doing business with a company that has suffered a breach.
This research supports two conclusions: (1) Breaches are inevitable – it is not a question of IF you will suffer a breach, but WHEN: and (2) WHEN breaches occur, the costs can be exorbitant. But the financial and reputational harm flowing to a company in the aftermath of a breach can be mitigated by common sense preparation for the inevitable. Here are just a few things you and your company can do:
1. Classify Your Data (You cannot govern what you do not understand)
Companies of all sizes keep data: Personnel records, consumer information, personal health information, login credentials, trade secrets, marketing/analytic research, etc. Each type of data is an attractive target for cyber criminals for identity theft, sale on the black market, or to be held hostage as ransomware. But not all data is created equally. Your company's Twitter password is not as sensitive as a patient's medical record. Put another way: You may buy jewelry for your spouse and toys for your kids. If your kids leave toys out on the front lawn, you may not worry too much. But if your spouse leaves jewelry lying about in the yard, you may be justifiably more upset. Accordingly, companies should classify the data they keep: Is it high, medium, or low risk data if it becomes public? Is it confidential information, information that is already public, or strictly propriety data? Once you know how best to classify your data, you can allocate resources to protect that data accordingly.
2. Map Your Data (You cannot govern what you cannot locate)
Classifying data based on risk exposure is an essential first step, but you need to also understand where that data is being kept. Businesses should map the digital and physical locations of where information is stored and where information flows. What data is located in technical locations like databases, servers, and systems? Do you keep hard copies of information in an office or off-site? A file cabinet or a locked safe? How does that data flow? Is data shared internally from one room to another or is it shared from internal locations to external locations and third parties? If you are unable to answer these questions, then minimizing exposure becomes a guessing game.
3. Safeguard Data Administratively, Technically, and Physically
Companies can safeguard data using technical, physical and administrative safeguards. All three are essential for good data governance. Think of it as a three-legged stool: If you remove one type of safeguard, the entire program falls over.
Technical safeguards are usually the first protection we think about. This includes encryption, antivirus software, intrusion detection systems, strong passwords, user identity management, and even biometric security.
But technical safeguards are just one leg of the stool. Too often, businesses overlook physical safeguards. But for individuals dedicated to breaching an organization, an onsite visit can be an easy way to gain access to valuable information. Physical security can take many different forms: locks and access control keys, surveillance equipment, and security staff. These safeguards detect and deter possible intruders attempting to access information in person. If you have sensitive information in hard copy or some other physical form, make sure it is safely secured in a locked cabinet or safe.
Finally, your staff can be your first line of defense. Businesses should draft policies and procedures on how to handle data and information. Businesses should invest time to educate staff on these policies and procedures and assess the effectiveness of that training. Develop policies relating to security management processes, user authentication, data retention and destruction, mobile and wireless communication, and social media use. Train your employees on what to do if they spot an email that seems suspicious. Instruct your staff on how to report irregular activities both on their computers and in their workplace. Your employees can be a formidable first line of defense for data breaches; equip them with the knowledge and training they need to safeguard your data.
Data governance can feel overwhelming, but by taking practical, common-sense directed steps, companies can minimize exposure and be in a stronger position to respond appropriately WHEN the breach occurs.