How to Minimize the Costs – and the Chances – of a Data Breach
The possibility of a data breach is one of the biggest threats facing most companies today. Over the past few weeks, news reports were awash with breach incidents and related cases from almost all industries: hackers reportedly targeting the three largest banks in the US; more than 30,000 personal records breached at 53 universities; data-containing devices stolen from hospitals and health systems (with one hospital fined a staggering $1.5 million over a stolen laptop); and more. It’s no wonder many business executives are kept awake at night wondering if their company will be next.
But perhaps the more important question they should be considering right now is: Can data breaches be prevented? The answer, though, is not a straightforward yes or no. After all, with the level of technology at the disposal of attackers today, no system is immune to attack. So yes, there are measures that can help prevent a breach, but no, these are not foolproof guarantees against one.
However, if you think that taking concrete steps to protect against a security breach is a futile exercise, you couldn’t be more wrong. True, you may not be able to totally eliminate the threat of a breach, but on the upside, having preventive measures now will help you better deal with the fallout from a breach if or when one does happen later.
By ‘fallout’ we mean the costs that are bound to crop up as a result of the incident, as well as the negative publicity that a company would have to endure once word gets out. Preparedness allows you to respond in an appropriate and timely manner, significantly bringing down breach-related expenses and keeping the damage to your reputation at a minimum.
Here are some breach-prevention and/or cost-reducing methods suggested by security experts:
● Establish company-wide data protection policies.
Nothing speaks of a company’s commitment to data protection better than an established, organization-wide privacy and security policy. This should include the designation of a chief privacy administrator, clear guidelines on data handling, storage, and retention, and a concrete plan of action for disaster recovery. If the procedures are not well thought out or not comprehensive enough, there could be vulnerabilities within the system that hackers and cyber thieves can easily take advantage of. All it takes is a small open door.
● Update software and hardware on a regular basis.
Because malware developers are continually finding ways to get around your protective measures, you should also keep security tools as up to date as possible. Software used on all computers connected to your network should be updated regularly to ensure that the most current versions are running. In addition to bringing in new features and fixing existing bugs, software patches often close security holes, which makes firewalls and other defenses more effective against attacks.
● Educate employees.
On one hand, you’ve got business owners and managers who are practically losing sleep over the possibility of experiencing a security breach. On the other hand, there are employees who may not even be aware of just how serious the consequences of a breach and the resulting loss of data can be. In fact, studies report that employee negligence is one of the weakest points in the security of a system.
It’s simply not enough that clear-cut policies on data handling and security are established. It’s even more crucial that these rules are disseminated, discussed, understood, and, of course, complied with by employees down the line. By conducting staff training and promoting security awareness in the organization, you are essentially plugging the leaks through which sensitive information can escape.
● Get to know your colleagues and business associates.
If your colleagues and associates are making as much effort to protect the data you share with them as you are, then your chances of avoiding a data breach are increased. While almost everyone who handles personal information these days is already aware of the threats to data, it certainly wouldn’t hurt to find out what measures are being taken by the people and businesses you are dealing with and entrusting information to. Keep in mind that if personal information you pass on to them gets compromised while in their possession, you will also be held accountable for that loss.
● Know what regulations you are accountable to.
Adding to the burden of ensuring privacy for both corporate information and consumer personal data is the pressure of having to comply with federal and state regulations. If you don’t know which laws you should be complying with, your security efforts may be deemed lacking. Or worse, you could suddenly be found in violation of a law you were not even aware of in the first place.
For instance, card payment processors are required to comply with the PCI Data Security Standard (PCI DSS) to protect cardholder data; hospitals, health systems and their associates and service providers need to secure electronic protected health information under the HITECH Act; and under the Gramm-Leach-Bliley Act (GLBA), financial institutions are mandated to implement and maintain safeguards to protect customer information. Even if your business does not fall under any of the above groups, as long as you are collecting or storing consumer personal information, there are still the state data breach notification laws to contend with.
● Create an incident response plan and team.
In the event of a security breach, an incident response plan outlines the immediate and most appropriate steps to be taken in dealing with the breach. The privacy officer can be the point person for implementing the plan, although large corporations usually create an incident response team for this purpose. The incident response team may be composed of people from both within and outside the organization, covering the key areas of concern: IT, legal, human resources, public relations, and finance.
● Encrypt your data.
This should be pretty apparent to everyone by now, but let me just say the obvious: the best way to reduce costs arising from a data loss or to avoid a security breach altogether is to encrypt data. That way, even if somehow sensitive consumer information gets into the hands of hack groups or fraudulent individuals, they can’t use the data for identity theft or any other malicious purpose.
Most of the laws involving consumer information, such as those mentioned in the previous section (PCI DSS, HITECH, GLBA), regard encryption as the minimum standard for data security. In fact, for some of these regulations, encryption is considered a safe harbor against a data breach. This means that if encrypted data somehow gets compromised and the type of encryption technology used qualifies, the business entity may be exempted from the reporting and/or notification requirements that must otherwise be performed following the incident, as well as from other possible sanctions and penalties.
This is no guarantee, of course, but at the very least, encryption minimizes the impact of data loss on a business and reduces its liability to the affected consumers.
Encrypting data in motion
I’m pretty sure you assume that encryption needs to be used for the data that’s resting right now on your database systems and storage devices, and you’re not wrong there. But have you given thought to the personal information that you occasionally send to colleagues, associates or service providers? That data needs to be encrypted as well. Here’s why.
When you send an email message, copies of it may be stored on your local hard disk, on each email server the mail passes through, and on your recipient’s hard disk. If there are multiple recipients, each one gets a copy. This is where the problem starts. Those copies are usually in plaintext – completely readable and understandable to the average attacker. What’s more, the attacker can obtain that information from any of the locations enumerated above, or while the message is in transit across the largely unprotected Internet.
So really, even if you put up the best defenses within the perimeter of your network to keep data secure, all of this would be for naught if that data gets accessed when exchanged through email.
Email encryption made simple
Finding an effective email encryption solution isn’t exactly easy. There are more than enough traditional encryption solutions that have proven reliable, but these often require installation and configuration beyond the technical skills of most users. You or your company may have the brains and resources to deal with such matters, but what about the people you are exchanging emails with?
For it to work, an email encryption solution usually requires that both sender and recipient use the same tool. This means that even if you can easily set up the email encryption software yourself, your solution is essentially useless if your associates or clients can’t. You would therefore want to adopt an email encryption tool that provides reliable security for your data and ease of use for everyone involved.
This is exactly how we’ve designed Sendinc: secure and simple. We’re aware of the challenges that companies face today, and we’ve made Sendinc so easy to use that it doesn’t add to your concerns. The user interface looks just like your everyday email client, perhaps even simpler. But beneath its user-friendly interface is the security of military-grade encryption of the kind used by today’s biggest online banking institutions and e-commerce websites.
Give it a try and find out for yourself. Best of all, Sendinc is free, so you can even invite a couple of clients or colleagues to try it out with you.