Michael Bruemmer | Corporate Compliance Insights
By now, most executives probably realize that cybercrime and cyber-espionage are very real threats to their organization. But do they realize the extent of financial devastation that can be caused by a data breach?
U.S. companies lose about $250 billion every year due to the theft of digital information, according to the National Crime Prevention Council. Internationally, companies lose $114 billion annually, but that number could leap to $388 billion if time and lost business are included in the equation.
For an individual company, a data breach costs an average of $5.5 million or $194 per breached record, according to the 2011 Cost of Data Breach Study conducted by Symantec Corp. and the Ponemon Institute. The study excludes data breaches with more than 100,000 records.
Perhaps even more startling are statistics from Neustar Inc., an Internet infrastructure company that advises the White House on cybercrime. Neustar reports that out of 168 companies surveyed from the Fortune 500, 162 have suffered a data breach. Even worse, the FBI estimates that for every company that’s been hacked into, 100 others don’t even realize they’ve been attacked.
The alarming increase in cyberattacks, which will inevitably continue to rise, should be a wake-up call for organizations. Although no organization can completely shield itself from a data breach, there are steps you can take to preserve the integrity of your brand and the loyalty of your clients, patients, employees or residents. Here are six tips for building a solid data breach prevention program.
1. Develop a comprehensive plan
Just like a fire evacuation or earthquake plan, a data breach preparedness plan should consist of a team of players from human resources, IT, legal, the C-suite and any other department involved with data management – especially sensitive data.
The plan should clearly state each individual’s role in managing a data breach and should be practiced at least once per year to make sure everyone can execute the plan correctly. Having a preparedness plan will not only help you avoid chaos, but it will show everyone that you’re proactive and ready in case your organization is slammed with a breach.
2. Partner with expert outside professionals
Partner with experts such as a breach resolution provider, legal counsel that specializes in data breaches, a forensics team and a PR firm. A qualified breach resolution provider can help you notify clients and provide customer service. The legal counsel can help with any possible litigation, a forensics team can help clients investigate fraud and a PR firm can handle how the breach is presented to the public and in the media.
The breach resolution provider can also help with compliance issues and offer identity theft protection and credit monitoring services to your clients. Organizations that offer identity theft protection and credit monitoring usually maintain the trust and loyalty of their clients.
3. Use the best security software and technology
If you can afford it, hire a chief information security officer (CISO) to implement the best security software, such as spam filters, firewalls, anti-virus, anti-spyware and reputation services programs. The CISO should also watch for programs that offer automatic updates and free patches to repair problems. A CISO can save an organization as much as 35 percent per compromised record, according to Ponemon. Otherwise, have someone from your IT staff take on these responsibilities.
If you don’t have the manpower to keep current on the latest technology, you may want to hire a data security vendor. Security vendors can go beyond traditional software programs and conduct audits to determine your risk for phishing and data breach. They can also run other tests to see if any of your data has been extracted outside of your organization. And, as experts, they should be able to provide technical support for the latest technology.
4. Educate employees and establish procedures
Although many breaches are caused by sophisticated malware, negligent employees are still the number one reason for data breaches. So, besides having the newest software and technology, you should educate your employees regularly. Employees should be suspicious of emails with generic salutations, typos or those that try to create a sense of urgency. They should be reminded not to open attachments they’re not expecting and to be cautious of links. You may suggest that they type the address directly into their browser to visit a website, instead of clicking on a link.
Most organizations already have policies governing employee exit strategies, data storage protection and safeguarding remote data. Highly regulated organizations also have policies regarding government compliance. The key is to enforce these policies so everyone knows how important they are to the survival of your organization.
5. Become a minimalist
Don’t collect data that you don’t need and safely purge data that’s no longer necessary. Also, reduce the number of places where you store data and restrict the number of employees who have access to sensitive data.
6. Add cyber insurance to your safety kit
Cyber insurance should be included in your breach preparedness plan, as it could save your organization hundreds of thousands, if not millions, of dollars. A thorough policy would include the cost of lost business, notification costs and credit-monitoring services. It should also cover public relations, legal and investigative expenses.
With data breaches increasing in both frequency and severity, cyber security should be on every organization’s radar screen. It may be wise to prepare for a data breach the same way you would prepare for a fire or earthquake. After all, chances are you’re more likely to suffer from a cyber-attack than from a natural disaster.