Under Lock and Key
How to plan, assess and respond to data security breaches
You’re a modern, 21st century business owner. You’re up on the latest technology. You’ve forked over a nice sum of cash to improve your technology infrastructure. You have bright people in your IT department overseeing your cloud platform, your website and the mounds of data stored on your servers.
And you know all about keeping that information safe, too. You know there are people out there who would love to steal your sensitive data, or inject a virus into your system just for kicks. So you’ve invested in security. You have the latest and greatest when it comes to antivirus software and firewall protection, and it’s all password-protected. You sleep well at night.
That is, until someone sidesteps the software and scales the firewall. Then, you have a problem. And no matter how sophisticated your security measures are, you run the risk of encountering a hacker who is even more sophisticated.
“I’ve been in this business for a long time, and I’ve talked to a lot of longtime security professionals who think they have it all figured out,” says John Bruce, CEO of Co3 Group Inc., a Cambridge, Mass.-based provider of incident response technology for data systems. “But what they’ve really figured out is the prevention and detection aspects of protection, keeping intruders out and detecting them if they break in. But what happens once they get in? Not a lot of businesses focus on their response plan.”
If your company possesses any type of sensitive personal data regarding your customers, you are a potential target for hackers. Even if you don’t possess data that could be compromised, you still run the risk of Internet vandalism, which can often result from opportunity.
“That’s why we encourage our clients not to spend all of their resources on prevention,” says Ted Julian, Co3’s chief marketing officer. “Firewalls and intrusion detection systems can be compromised. You need to balance your investments among prevention, detection and response.”
Building a response plan
Responding to a data breach is no different from responding to a catastrophe in the physical world.
“You respond, remediate and educate,” Bruce says. “It’s no different than what police, fire or EMS might do in an emergency situation. You just emulate it and apply it to cyber security.”
In responding, develop a detailed plan of action and which parties within your organization hold what responsibilities. Remediation involves carrying out those responsibilities. In the education phase, you use what you’ve learned to teach your people how to prevent a similar situation from happening again.
Responding to a data breach should involve representatives from every area of your company. No matter the size of your work force or the nature of the work you do, every department will have a hand in the immediate response, remediation process and aftermath.
“It’s a good idea for any business to have a breach response team,” says Lori Nugent, chair of the National Data Security and Privacy practice at Wilson Elser Moskowitz Edelson & Dicker LLP. “It should involve someone from legal, someone from HR, someone from IT and PR, risk management — any operating unit that uses sensitive data. Not every department will need to be involved in every aspect of the response process, but it is necessary to have an enterprisewide approach.”
Don’t just dump everything on IT. While those people are your resident tech experts, your IT specialists often cannot bring a comprehensive view to data security because that’s not their job.
“IT’s job isn’t to respond to a breach,” Nugent says. “Their job is to keep your computer system functional. They’re often not up to snuff on regulations that state governments might have regarding notification to affected parties if a breach takes places. Many states have regulations requiring you to notify your customers if their data has potentially been stolen from your system. IT probably isn’t going to know that.”
In addition, it’s wise to involve a third-party forensic specialist in the event of a data breach — and it’s important that the forensic specialist be a third party with no ties to your company or IT department to sidestep any potential conflicts of interest.
A computer forensic specialist can take virtual snapshots of your system as it looked in the immediate aftermath of a breach, which becomes a critical step should your company face litigation.
“Forensic specialists are often not brought in until it’s too late, until after the cleanup and repair has begun and critical data has been altered or destroyed,” Nugent says. “And that can be a major problem if it becomes a litigation situation.”
Communicating with employees
Since the proliferation of wireless Internet devices — and particularly, since the widespread adoption of cloud-based data services — the concept of “going to the office” has changed.
Employees now take their work with them wherever they go. Your team members are capable of fielding an email at lunch, reviewing a report at the park and accessing records at their child’s game or dance recital.
But for all the convenience and flexibility that mobile devices, tablet computers and cloud-based services provide, they also create many access points for sensitive data — access points that can make easy targets for thieves. As such, you need to educate your employees about how to properly handle sensitive data and the devices that provide the gateway.
“You have to explain the expectations of the company with regard to keeping data secure,” Nugent says. “If you take a bunch of steps to beef up your security software but you don’t educate your employees on properly securing data, you’re missing the largest cause of data breaches that we see.”
All the data security measures in the world won’t matter if an employee leaves a laptop on an airplane, or leaves a backpack with a device that contains sensitive material on a bus or subway platform.
“That’s where the expectations come in,” she says. “Make sure you are clear about what can or can’t leave the office. If you don’t want an employee to take a sensitive spreadsheet home in the evening, make that clear. Give your employees well-defined instructions regarding what they can and can’t do as it pertains to handling sensitive data.”
Deliver those instructions during the employee’s initial training, in the form of a written security plan that the employee can access as a quick-reference guide.
“Any company that handles customer data, such as medical records or credit card information, should have a written data security plan,” Nugent says. “It should be a basic training document, and a lot of government regulators will expect a company to have that type of document on file. It should outline employee procedures, your breach response procedure and your procedure for complying with any notification requirements for customers.”
If you allow your employees to set their own passwords to your servers and cloud-based networks, make sure they’re difficult to guess. The names of children, pets, sports teams and alma maters might be easy to remember, but they’re also easy to crack.
“Utilize numbers and nonletter characters,” Nugent says. “If you’re going to use a pet’s name, for example, use the name plus a number plus a character. Any password can be cracked. They don’t stop hackers, they merely slow them down, but don’t make it easier on them by using an easy-to-solve password.”
Ultimately, the goal of the steps you take is to make sure your management and your employees are all on the same page regarding data security.
Here are some other tips to keep you data safe.
- Use encryption. Any customer data in your system should be disguised through encryption software. It won’t prevent breaches, but it will make the data virtually useless if it falls into the wrong hands.
“In many jurisdictions, you don’t face notification requirements if the data is encrypted,” Nugent says. “The cost of encryption has gone way down, so it’s a good investment, considering the devastating price you could pay if you don’t use encryption.”
- Perform regular data purges. If you no longer service a customer, that data doesn’t need to be in your system anymore.
“If you have unencrypted data and it’s stolen in a breach, you often have to notify every single one of the customers involved, even if you haven’t done business with them in years,” Nugent says. “This isn’t just a matter of protecting the data of current customers.”
- Know where your valuable data is stored. It seems like common sense, but many business leaders couldn’t tell you the location of some of their company’s most sensitive data.
“With the proliferation of cloud applications and third-party data storage services that store your information offsite, a lot of companies have no idea exactly where their data is housed,” Julian says. “That can really complicate matters in the event of a breach.”
- Consider cyber insurance. It’s affordable, and it can make a huge difference in the financial damages you suffer in the event of a data breach.
“In many of the situations I’ve seen, having that coverage has meant the difference between a company emerging from a breach just fine, and a company suffering so much cash flow damage, it barely survives,” Nugent says. “It can cost up to $15,000 to respond to a data breach, even in the smallest scenario.”