Personal data is now the world’s most valuable resource and the collection of it shows no signs of slowing down. In fact, providing some piece of personal information, whether that’s your email address, name or mailing address, is necessary to receive almost any product or service.
Thanks to the monetary value of data (and the fact that increasingly more sensitive information is being stored digitally), threats are on the rise.
In fact, 75 per cent of organizations have suffered a data breach in the past two years. So if you haven’t suffered a breach yet, you will. Download this cheat sheet that outlines the 7 Steps to Address a Data Breach.
Then, read on to learn more about data privacy, security and breaches, incident response plans. Or, jump ahead to the 11 expert tips for prevention:
What is Data Privacy & Security?
Businesses receive and store tons of sensitive data, whether it’s a client’s banking details, an employee’s social security number, or the company’s own data. To ensure transparency and openness regarding the collection and use of this data, companies are required to comply with a number of data privacy laws.
The Federal Trade Commission prohibits unfair or deceptive practices affecting customers and penalizes companies that neglect to ensure the privacy of client data. Avoiding these penalties is one reason why data security, the practice of keeping data protected from unauthorized access, corruption and theft, is quickly becoming a priority around the world.
Implementing security practices and processes ensures data is accessible to those who are meant to view it and isn’t being accessed by unauthorized parties.
If you have customers or clients in the European Union, you must be GDPR compliant. Find out if you’re following all the rules with our GDPR Checklist.
Companies rely on thorough policies to meet these requirements along with multiple layers of automated security. But what happens when that’s not enough?
A data breach (also called a data spill or data leak) occurs when an unauthorized party accesses private data.
Sensitive data doesn’t necessarily need to be stolen, copied or deleted to be cause for concern. The wrong individual simply viewing the data can be considered a breach. However, the former has the ability to cause much greater damage.
How Do They Happen?
When you think of a data breach, there are a number of personas you might imagine.
Maybe it’s a hacker dressed in black, sneaking into a building, finding the password to the computer and downloading all of the data onto their USB key.
Or maybe it’s an evil mastermind slouched in a dark basement somewhere, remotely bypassing the network security of a company from miles and miles away.
Conduct a risk assessment (using this template) to find out if you’re at risk of a data breach.
Even though the primary focus of data security is stopping hackers and others from getting in, sometimes the biggest threat is already on the inside. Current or former employees pose a huge security threat, especially the disgruntled employee seeking revenge.
In fact, a survey by Intermedia and Osterman Research found that close to 90 per cent of employees were able to access sensitive data through an information-sharing application. Almost half of those individuals claimed the data was confidential or highly confidential.
A data breach can also happen by accident if sensitive data is released to an unauthorized environment. For example, it’s still a breach if an employee loses a USB key with sensitive data.
What Happens to the Stolen Data?
There can be many different motives for data theft, but the main motive is money. Hackers can duplicate credit card information stolen from an online retailer.
They can commit identity fraud and open new bank accounts with someone’s personal information. Or, they can blackmail the victim.
What to do if the thief is on the Inside
Is the culprit of your data theft an employee? Learn how to catch and confront a thieving staff member in the beginning stages when the damage caused is still minor.Download How to Confront Employee Theft Cheat Sheet
They can sell private information in bulk on the deep web. There is an organized criminal network of “black hat” hackers dedicated to stealing sensitive data which is then sold in the underground market.
Information most frequently stolen includes your name, date of birth, email address, mailing address, phone number, and yes, even your SSN and banking details.
Consequences of a Data Breach
A person whose data is stolen might have to deal with identity theft, financial loss, stress, plus the inconvenience of having to change contact information, cancel cards and rectify anything else that was tampered with.
For the company, the first hit is to its productivity. The loss of data and files may make it nearly impossible to carry on with any related tasks. Plus, crisis management can be stressful and time-consuming.
Then, once word gets out about the breach, the company might be labeled as careless, inattentive or negligent. Whether the company has a flawless track record or not, once a data breach occurs its reputation is damaged, sometimes irreparably.
Affected clients may terminate the relationship. Unaffected clients may feel nervous and regretful, possibly cutting ties as well. Potential clients or pending deals may be jeopardized.
Economically, data breaches can be ruinous. The loss of current and potential customers impacts revenue. A 2018 study by Comparitech found that breached companies routinely underperform in the stock market long-term. Fines and lawsuits can begin to mount as well, especially in cases of identity theft or financial loss for the victims. Plus, rebounding from the technical harm of a data breach is often expensive and complicated.
Do You Have a Data Breach Response Plan?
If it happens to you, measures for handling a breach should already be in place in the form of a data breach response plan. Your quick response will mitigate the damage caused, potentially saving your reputation and your company.
The data breach response plan, which is simply an action plan to implement when a data breach happens, works best with a few key sections:
A Plan to Contain the Breach
Depending on the incident, you should have a plan to contain the breach. Whether that’s asking the IT team to implement their incident response plan or alerting the security team of a physical threat, the goal is to repair the hole as quickly as possible to prevent additional damage.
Remember that containing the breach doesn’t mean quickly cleaning up the mess and throwing it out. Preserve evidence of the incident that might be valuable.
Consider a media strategy. News outlets and your competition might be eager to get their hands on this news (especially if your company prides itself on safety and security). Prepare some sample text about the breach and actions you’re taking to fix it.
A Method for Evaluating Risks & Harm
This is your step-by-step guide on conducting the initial or preliminary investigation.
Prepare a form that records all the information you need about the breach. Record the date you found the breach, the location and duration, what data was leaked, how the breach was discovered (and by whom), a list of affected parties and the extent of the harm.
Don’t have a trusty investigation plan template yet? Borrow ours.
The goal is to look at the pertinent details of the breach and evaluate your findings. Ideally, you will establish the cause and extent and prepare yourself for the next section, the breach notification.
A Plan for Breach Notification
The regulations governing your company might require you to notify a government department or agency of the breach. Be familiar with the laws governing your jurisdiction or industry. Frequently review this section as new laws, regulations and standards are being developed all the time.
Otherwise, it’s up to you to determine who needs to be aware and whether or not you should notify them. Don’t forget about those who were not affected who may need to know, such as the local police, partner organizations, etc.
A Guide for Lessons Learned
This part of your data response plan is all about conducting the full investigation. Record and document all of the key details about the breach that weren’t found in the preliminary investigation.
Put a lot of thought into the next steps after the investigation. Come up with a list of next steps for repairing the damage both internally and externally.
Are you going to retrain employees on security? Are you going to audit every single process and system in the company? Are you going to hire experts to implement and format solutions?
A key part of every data response plan is planning how to bounce back from this incident.
There are endless laws governing consumer privacy and data security, from the Payment Card Industry Data Security Standard (PCI-DSS) to the Health Insurance Portability and Accountability Act (HIPAA) and the new General Data Protection Regulation (GDPR).
Depending on your industry and the type of data you collect or store, you may have to comply with a number of data security laws. The best way to be in compliance is by creating a data security policy that keeps data safe from risks both inside and outside of the company.
If you’re not sure of the legal obligations in your country, check out our Practical Guide to Data Privacy Laws by Country.
The best way to avoid being the victim of a breach is by prioritizing security through various best practices, processes and procedures, and then detailing these in a policy.
Start by brainstorming what you want to include in your data security policy (or use a data security policy template to skip this step).
Best practices often mentioned in policies include:
- Keep data transferring at a minimum. Only shift data from one device to another if necessary. Removable media is easily lost, putting all the data on it at risk.
- Shred paper files always.
- Only keep data that’s required to carry out your tasks. This is an important part of the new General Data Protection Regulation.
- Change passwords often, making each one unpredictable and hard to crack. Symbols and numbers are ideal.
- Clearly define computer policies and acceptable use. Request that employees sign a policy that touches on things like trusted (Google, Wikipedia, Youtube) and untrusted websites.
- Use the cloud when it makes sense. Cloud servers are encrypted and monitored by experts who look for odd behaviors. These servers also make it easy to give and remove access permissions.
Decide if you’re going to provide company-owned devices and systems for employees to use, or if “bring your own device” would work best for your situation.
If it’s in the budget and you do decide to distribute company-owned devices, secure them first. Install security measures such as firewall, pop-up blockers, email filters or other apps that fight against risks unique to your industry.
If you’re going to let employees bring their own devices, download technology that will wipe work-related information from the phone without deleting their personal data. This lets you begin to take action right away if an employee leaves the company (especially if they leave on rocky terms).
No matter which route you take, make sure employees use a work-specific email. This way, IT can monitor for anything fishy. Plus, once an employee leaves you can easily remove them from the database and they can no longer access any confidential emails.
Human error is responsible for a large number of data breaches, but you can reduce the number of accidental breaches by automating as many of your processes and systems as possible.
You can implement automated safeguards such as a system that regularly checks passwords and/or reminds you to change them periodically. You can also implement technology that assesses server and firewall configuration, warning you of any holes or leaks.
Instead of asking employees not to download unfamiliar content, take it a step further and implement filtering on emails and internet browsers. That way, there’s an extra guard in place to prevent employees from accidentally clicking on malicious websites or emails.
Training and educating staff is vital to keeping a company safe and relatively problem-free.
In this case, training not only gives employees the tools to notice malicious behavior in others and negligent behaviors in themselves, but it also helps change the culture of the company to be more security minded, putting safety privacy and security first.
Experts advise classifying the different types of data on a scale and educating employees on this new system. For example, sort data into groups (such as confidential data, general data, internal data and external data), and maybe even assign each with a distinct color, then train employees to follow this system.
If you deal with private data regularly, encryption is vital. An encrypted document or email can only be decoded with the associated key.
It helps you protect sensitive data wherever it is, even if a document is sent to the wrong email or a work laptop is stolen and the data ends up in the wrong hands. If the recipient doesn’t know the proper encryption key, they’ll be unable to access the data.
Note: if you’re letting staff bring their own devices to use for work purposes, remember to encrypt them.
It makes more sense to control data access right from the beginning than to hand it out carelessly and try to take it back later.There’s no need for everyone to have access to everything, so only give employees access to files that are necessary for them to complete their jobs.
To prevent hackers from accessing accounts not meant for them, implement multiple levels of authentication. Insist on complex passwords that require lower case letters, upper case letters, numbers and symbols.
Additionally, most apps and devices have a setting that logs a user out if they’re inactive for a certain period of time (online banking applications do this, laptops too). Set this up.
Don’t forget about physical private data. If your office has confidential file rooms, implement a smart card or fingerprint system to keep unauthorized parties out.
Even though there’s a bit of an ethical battle about this, system monitoring might be a great additional layer of security for your company.
Insider behavior monitoring allows someone on the HR or IT team to replay computer usage. This way, they can keep track of who’s accessing what files. They can follow sequences of who saved or sent something and where.
Tracking the motion of data lets you pinpoint exactly when it left the safe zone and who’s responsible for letting that happen.
Patching vulnerabilities in computer software is extremely important, especially considering that most successful computer attacks exploit well-known vulnerabilities for which patches exist.
Request the IT team to implement a thorough patch management strategy that verifies functionality and security when patches are applied to existing operating systems.
Perform vulnerability assessments once a month or even weekly. Regularly scan the security controls and contents of every system in the network (internal and external) to identify threats and be prepared for attacks.
This step won’t necessarily prevent a data breach from happening, but it will make repairing the damage much easier. Not all hackers want to steal your files to sell them, trade them or use them for illegal activity. Some cybercriminals want to stir the pot by deleting your data.
If a virus has deleted some of your system’s contents, a reliable backup system will help you restore the data instead of starting from scratch.