The costs of a data breach can be considerable - just ask Gordon Brown.

Apart from the easily calculable financial costs, such as notification costs and loss of business, there are the less tangible threats to a company’s brand and continuity.

To avoid what sometimes amounts to operational paralysis, an organisation’s leaders need to follow some basic guidelines.

ID theft expert Brian Lapidus, chief operating officer of Kroll Fraud Solutions, has front-line experience helping today’s businesses safeguard against and respond to data breaches.

Below he offers 10 tips about how to protect yourself and your customers from fraud.

1. Look beyond IT security when assessing your company’s data breach risks. To eliminate additional threats, a company must evaluate employee exit strategies, remote project protocol, on- and off-site data storage practices and more – then establish and enforce new policies and procedures and physical safeguards appropriate to the findings.

2. Establish a comprehensive pre-breach response plan enabling decisive action and preventing operational paralysis when a data breach occurs. Your efforts will demonstrate to consumers and regulators that your business has taken anticipatory steps to address data security threats. Disseminate this plan throughout the management structure to ensure everyone knows what to do in the event of a breach. In preparation, consider the following:

a. Who will have a role in reviewing the policies and procedures on a predictable timetable?

b. What are the physical security elements? When and how will they be tested?

3. Educate employees about appropriate handling and protection of sensitive data. The frequency with which laptops containing critical information are lost or stolen illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules.

4. Thieves can’t steal what you don’t have. Data minimisation is a powerful element of preparedness. The rules are disarmingly simple:

a. Don’t collect information that you don’t need.

b. Reduce the number of places where you retain the data.

c. Grant employees access to sensitive data only on an 'as needed' basis, and keep current records of who has access to the data while it is in your company’s possession.

d. Purge the data responsibly once the need for it has expired.

5. In the event of a merger, all newly acquired systems should go through a thorough data assessment. As the controlling company, it is in your best interest to take an inventory of the new data now in your possession. After all, how can you account for information you didn’t know you had? This is an area where both internal audit and specialised external resources may be very useful.

6. Beware the Wi-Fi. Use of wireless networks means your data is being transmitted over open airwaves, similar to a radio transmission. If not properly secured, data can easily be picked up by an uninvited party. Many offices, including Kroll’s Fraud Solutions headquarters, have disabled Wi-Fi because it cannot be locked down to satisfaction.

7. Retain a third-party corporate breach and data security expert to assess the level of risk and exposure. An evaluation performed by an objective, neutral party leads to a clear and credible picture of what’s at stake, without pressuring staff who might otherwise worry that their budgets or careers are in jeopardy if a flaw is revealed.

8. While it is best to encrypt sensitive data, don’t rely on encryption as your only method of defence. When used alone, it gives businesses a false sense of security. Although the majority of state statutes require notification only if a breach compromises unencrypted personal information, professionals can, and do, break encryption codes.

9. Keep current with security software updates (or 'patches'). An unpatched system is, by definition, operating with a weak spot just waiting to be exploited by hackers. Admittedly, applying patches takes time and resources, so senior management must provide guidance on allocations and expectations.

10. Hold vendors and partners to the same standards.
