When it comes to cybersecurity for your business, the risk is high. Not only are there the easily calculable costs of notification and business loss, but also the less tangible effects on a company’s brand and customer loyalty. Research conducted in 2014 revealed that the estimated cost of a general data breach is generally more than $200 per compromised record.
Companies need to look beyond information technology (IT) security when assessing data breach risks. To eliminate such threats, security must reach beyond the IT department. It is critical to establish and enforce policies and procedures and physical safeguards appropriate to protect company and customer data. Below are ways to achieve this.
Establish a comprehensive data loss protection plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Efforts will demonstrate to customers and regulators that your organization has taken anticipatory steps to address data security threats. Disseminate this plan throughout your company to ensure everyone knows what to do in the event of a breach.
Educate employees about appropriate handling and protection of sensitive data. Incidents of lost and stolen laptops containing sensitive business trade secrets illustrate that corporate policies designed to protect sensitive data work only if the rules are followed.
Data minimization is a powerful element of preparedness to protect against cyber theft. The rules are simple.
- Don’t collect information your company doesn’t need.
- Reduce the number of places where sensitive data is retained.
- Give sensitive data to employees on an “as-needed” basis, and keep current records of who has access to the data while it is in possession of employees.
- Purge sensitive data responsibly once the need for it has expired.
- Conduct periodic risk assessments regarding sensitive data left on business computers. Business models and operations processes change and alter risk levels and liabilities.
Provide your employees with technical training and support. Ensure that the same standards for data security are applied regardless of the location through straightforward policies and procedures. Also, install security and authentication software on all mobile devices, keep it up-to-date, and offer technical support.
Retain a security expert knowledgeable in third-party corporate breach and data security. Allow the expert to analyze the level of risk and exposure. An evaluation performed by an objective neutral party can help provide a credible picture of risk levels without pressuring internal IT employees because they are worried about their careers if a flaw is revealed.
Don’t rely on encryption as the only method of defense. Encrypting data in transit and at rest is a good practice, but when used alone it can give businesses a false sense of security. Professionals can and do break encrypted data.
Keep current with security software updates and patches. An unpatched system is operating with a weak spot just waiting to be exploited.
Define security requirements to vendors up front so that they determine the best means of protection. Ensure that you maintain control of data at all times, especially with offshore data storage or services.
Take the time now to implement these measures in order to safeguard your organization from costly and potentially irreparable damage down the road.
Oren Saltzman, Esq., is managing member of the regional law firm of Adelberg, Rudow, Dorf & Hendler LLC (www.Adelberg.com). He can be reached at [email protected].