50 million records at Facebook, 500 million at Marriott, and 143 million accounts at Equifax were all compromised from recent breaches. A breach at Quora exposed 100 million accounts. Other breaches have hit LinkedIn, eBay, Target, Yahoo, and Anthem in the past few years.
In the past five years, more than 14.7 billion records have been lost or stolen due to data breaches.
Deploy Strong Security Technology
Cyber security needs to be a top priority in any business handling sensitive data or personally identifiable data. Traditional security controls such as firewalls, anti-virus software, and intrusion prevention provide a base level of protection, but they are only the start. A layered security approach with real-time monitoring and alerting is critical.
Less than 5% of the data exposed in breaches over the past five years was encrypted. Encryption dramatically decreases your exposure from both a technical and a legal standpoint. Strong encryption can prevent the data from being read even if cyber criminals manage to breach your systems and take it.
Breaches can occur when software hasn’t been patched or updated regularly. The breach at Equifax that exposed credit card records happened when attackers exploited a known flaw in the company’s Apache Struts web application software. The breach happened months after the software vendor disclosed the problem and released a patch. Equifax hadn’t gotten around to installing it. If they had, the breach likely would never have happened.
You need constant monitoring for intrusions and unusual activity.
Train Employees on Security
93% of data breaches begin with phishing attempts. Cyber criminals send legitimate-looking emails in an attempt to obtain login credentials, passwords, and sensitive information. While software solutions can help filter email phishing attempts, employees need to be trained to recognize them to avoid falling victim. You can have the best security systems, but if an employee gives up their login and password, cyber thieves may be able to bypass your security.
Your employees are your weakest links. Cloud-based storage, mobile devices, and more employees mixing company-owned and personal devices for business open up more potential access points. Employees need to know how to detect threats and avoid data leakage.
Companies should have clearly defined security policies.
Maintain Strict Compliance
The Payment Card Industry Data Security Standard (PCI DSS) governs security protocols and standards for anyone handling credit card information, including its use and access. The Health Insurance Portability and Accountability Act (HIPAA) regulates access to personally identifiable health and medical records. Sarbanes-Oxley (SOX) deals with corporate controls on financial data.
There may be additional standards within your particular industry. What compliance requires varies, and may include specific security measures and reporting, but each standard sets measurable requirements for protection.
Pay Attention To Emerging Regulations
Security breaches are bad enough on their own. New privacy laws are increasing the responsibilities for data protection and increasing the penalties when breaches happen. In some cases, they mandate proactive actions you must take to ensure security and actions you must take immediately on discovery of a breach.
The General Data Protection Regulation (GDPR) enacted in the European Union impacts companies located in the EU as well as companies doing business with EU residents. Several U.S. companies have already been fined for failing to comply with its strict regulations on privacy and data protection.
California’s Consumer Privacy Act (CCPA) provides additional consumer protection and privacy rights. It takes effect in 2020.
New legislation is being proposed regularly that makes the penalties for non-compliance high and may affect your IT policies, procedures, and staffing.
Conduct Security Audits
It’s important to regularly stress test your systems. At a minimum, you should conduct security audits to make sure you are maintaining your established level of protection. Many companies engage outside firms to conduct penetration tests that find weaknesses in their security.
Other companies also use security audits as training: they identify weaknesses, then put their team through the paces of finding and fixing those security threats while managing the business impact.
Develop A Disaster Response Plan
Every company that handles sensitive data or personally identifiable data needs to have a pre-established data breach response plan. Roles and responsibilities should be spelled out in case you ever have to manage a breach.
It should include all levels of company management, not just IT professionals. In addition to the people repairing the damage to your systems, you also need people responsible for managing your company’s reputation and the business impact.
This plan may also be part of complying with regulations. It’s part of the GDPR, which has formal procedures you will need to carry out within 72 hours of detecting a breach. This includes notifying the appropriate government authorities and informing all of those affected.