By Miranda Alfonso-Williams
JP Morgan, Community Health Systems, Target, and Neiman Marcus all have one thing in common: they have been hacked. Almost every week another organization becomes the victim of a data breach. Attacks are on the rise and the attackers have become more sophisticated. Gone are the days of Kevin Mitnick, when the thrill of breaking into a system was the major motivator; hacking and breaching data have become a major enterprise. Cybercriminals are equal-opportunity attackers: the industry or size of the organization is of little consequence. Intellectual property, patient data, credit card data and customer data are now the motivators. The game has changed. So how do we protect our organizations? We need to be proactive and take measures to mitigate our risk. We also need to understand that as long as there are people or organizations with the motivation, will and determination to attack, risk cannot be eliminated, only reduced. That said, the following are examples of things we can do to proactively manage our data and reduce our risk.
1. Conduct a risk assessment
A fundamental step is to conduct periodic risk assessments. What type of data are we collecting? How is it used? Where is it stored? Who has access to it? How long do we keep it? How is it secured? These are the basic questions to consider when assessing our risks and prioritizing them according to criticality. A number of frameworks can help structure the assessment, such as GAPP (the Generally Accepted Privacy Principles) and the ISTPA privacy framework. One size does not fit all organizations, so it is important to pick the appropriate framework, or to hire a professional to help facilitate the assessment. The assessment is only useful if it is repeated: a risk list that is never revisited after the systems, data and threats have changed gives a false sense of security.
2. Establish policies and procedures
Senior management support is critical. The policy should be a high-level document that states management's intent and support for the program. It should not be voluminous, but clear, concise and appropriately communicated. One outcome of the risk assessment will be the need to create or modify procedures. Procedures should be prioritized in line with the high-priority items identified in the risk assessment. The objective of a procedure is to provide a “how to” document: it is more detailed than the policy and can give a step-by-step description of how something should be accomplished, and by whom.
3. Data Retention
Data retention can be thought of as a life-cycle management process. Often we hold on to information longer than necessary, and in some cases we have no clear policy or procedure for managing our data. Data we no longer hold cannot be stolen, so disposing of data once it is no longer needed (while meeting any legal or regulatory retention requirements) shrinks the target. Data classification is of paramount importance: it helps us determine the value of the data we are collecting, and thereby directs us to the type of control that is most appropriate. For example, protected health information (PHI) would be classified at a higher criticality level than a quarterly financial report that was shared publicly. In terms of safeguarding the data, encryption and tight access controls are appropriate for the PHI, whereas encryption adds nothing to a quarterly statement that has already been shared publicly.
4. Train employees
It is important to provide employees with consistent and clear training so that they know what is expected of them. Training can come in many forms, including formal classroom sessions, webinars and lunch-and-learns. The critical component is to ensure that the intended audience and the message are aligned: the people who handle PHI or card data need more specific guidance than the general workforce.
5. Consider Data Breach/Cyber Insurance
Data breach and cyber insurance has become more popular in light of some of the high-profile breaches. Additionally, most states have enacted laws that require breach notification to affected parties, and given the size of some of the well-known breaches, notification alone can be very costly. There are basically two types of policy. First-party coverage covers losses sustained by your own business, such as the cost of notification, forensic investigation and business interruption. Third-party liability coverage covers claims brought against you by others, such as your customers, for the losses they suffer. Each insurance carrier has its own set of inclusions and exclusions, so it is important to shop wisely and know exactly what is covered.
These are just highlights of some of the things that can help us protect our customers' data and continue to provide value.
Contact Us: email@example.com
Visit our Website http://www.wam-consulting-group.com/
Subscribe to our Blog: http://www.wam-consulting-group.com/wam-blog/
Sign up for a FREE Webinar http://www.wam-consulting-group.com/events/