On the east coast of the United States, we are entering the hurricane season. Businesses, some still feeling the wrath of Hurricane Sandy from October 2012, are thinking about disaster recovery plans and procedures. And while that is good practice, a bigger threat, one that is not restricted by weather patterns, looms on the horizon: data or cyber security breaches.
Virtually every week, news of data breaches lands on our doorsteps and we can all only hope we are not one of the effected. The more data that is being maintained by companies, big and small, and the more the data travels around the globe, the greater the likelihood that the data will be intercepted to be sold and manipulated for someone else’s benefit, and cause significant mayhem to those who are impacted. We all contribute to the data pool every time we make a purchase or engage in a transaction that is stored electronically. That is why one of the first places to secure is your company’s payment process (think Target, EBay, Adobe, Heartland, TJ Maxx).
What kind of data are we talking about? Pretty much, everything about your customers: their name, social security number, phone number, driver’s license number, home address, email address, credit card numbers, bank accounts, passport number, health information, insurance information, credit rating, medications, their pet’s name, their mother’s maiden name, and yes, probably even their favorite color. This data is considered Personally Identifiable Information (PII), and can be all “good” information to create a false identity. While nothing is full-proof, there are steps that companies can implement to lessen the risk of data theft.
Step 1: Get to know your data. Define the type of data being maintained and categorize it. Some information is mundane while some is highly sensitive, personal, and/or private. Think about what kind of information you are capturing, what you are doing with the information, and where that information exists. These are important questions to ask and get answers to. I like to think of data as a child: where are you going, who are you playing with, who are you talking to, what are you doing, and when are you coming home (hey, I’m a mom). Your data does not only exist on your company’s server. Lots of highly secure information is sent via email and more winds up on a cell phone. More often than not, it is sitting on someone’s desk in the form of a report. Once you know all about your data, a best practice would be to develop a policy that specifically defines what kind of data is deemed sensitive, how it is to be protected and accessed, and who is permitted to access that information and what kind of access can be performed (i.e. read only, update, delete, add, and print).
Step 2: Secure your data. The most common cause of a data breach is hacking due to some sort of security compromise. Yes, there are lots of evil techies from across the Atlantic looking to find holes in the security infrastructure of a company and pilfer the data. These are the typical villains we think of, especially since we hear that they are difficult to find and apprehend as they are not bound by the legal jurisdiction of the United States. But external threats are just one of the risks of a weak data security system. Leaving the gates open increases the opportunity for internal staff to take information and misuse or abuse it. Some of the recent big data breaches were caused by employees of the organization, either for malicious intent or just sheer negligence (e.g. accidentally releasing information). Many other breaches were caused by stolen laptops, memory sticks, or cell phones. It is not enough to password protect hard drives. Data should be encrypted to ensure confidential information is not hanging out in plain text for all to read. This is especially true when a transaction occurs, such as a purchase.
Step 3: Watch your data. Monitoring your system’s activity on a regular basis will allow you to establish criteria for unusual activity. IT monitoring software can provide alerts in real-time for unusual activity occurring both internally and externally such as a large number of documents printed, files being copied to a USB drive, a Dropbox account, or burned to a DVD, key applications that are being accessed after hours, or spikes in usage at odd times.
Step 4: Make a plan. Develop a security breach policy that details what the organization will do in the event a breach occurs. The policy should detail how management will notify individuals whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. It is important that the disclosure be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If your organization maintains PII (it is hard not to have such information), especially data that contains health or medical information, you are required to have such a policy. Adopting the policy, along with educating your organization’s employees on proper protocols for protecting PII, is needed to ensure employees understand their legal obligation to notify affected individuals.
Step 5: Consider insurance protection. Cybersecurity insurance is designed to reduce losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. Not too long ago, most business executives focused on purchasing typical business insurance policies that would cover losses due to a fire or theft of computer equipment. With the deluge of cyber security attacks, more companies are determining that the information kept on those computers, from customer health records to credit card data, is just as valuable and could be just as costly to the bottom line if lost. As with any insurance policy, it is best to carefully read what the policy does and does not cover.
If you believe that your company is immune from some level of a data security breach, then you may be setting yourself up for a disaster that you could have prevented.
Shari Diamond, CIA
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.