Welcome to CSI Onsite’s blog page, we’re so very glad you joined us. In this post we continue with part two of a blog that started last week entitled Data Breach in which we discussed this very destructive and prolific cybercrime.
Just in case you didn’t catch the previous blog allow me to share some startling statistics to set the context for the seriousness of this particular issue. January through April 2014 saw more than 300 publicly disclosed data breaches within the United States. The result was more than 51 million records being compromised with much of this data used for identity fraud. The consequences from such breaches in corporate cyber-security can have devastating consequences.
Organizations ranging from retail outlets to call centers, insurance companies to medical clinics, and government agencies all the way to churches can all collect personal information that more than likely will be stored electronically. In other words, the possibility for data breach exists with any company that works with your personal data. That’s why understanding cyber liability in the nature of data breach is paramount in creating a data security procedure. This applies to both individuals as well as organizations.
Fret not my friends, there is a light in the darkness… I had to stop myself there, was getting a little too sappy. There are steps an individual or a corporation can take that will greatly reduce the probability of a successful data breach. Let’s explore some of the steps, shall we?
Data Security Procedure
For an individual, your DSP can be boiled down to how I protect my personal data & if I suffer a data breach/identity theft what steps will I have in place to deal with this breach? Creating and enacting a data security procedure is paramount for any organization that works with personal and identity types of data. It behooves any upper level leadership from CEO to church administrator to work with a trusted IT professional to develop and deploy a corporate data security procedure to ensure maximum possible protection for all of the personal data they use to carry out their business.
As you read through this brief post you may discover that I don’t actually tell you exactly how to create a corporate DSP. That’s by design. Because the consequences resulting from identity fraud can be painfully expensive, far-reaching and long-lasting it is vital that you work with a professional to create a procedure protecting your data. This is not a procedure where you want to cut costs, save time and “get’er done.” Definitely, most absolutely, not a DYI project. Are you catching my drift? Don’t do this on your own! Get help!!
Of course CSI Onsite would love to partner with you to create a robust data security procedure. If you would like to partner with us, give us a call and we’ll get the ball rolling. Until then, look with me through the following paragraphs to understand the considerations involved in creating an executable DSP.
Classify Data
One of your first steps in creating a DSP is to classify the data that you gather and store. So a thorough and accurate review of all your corporate data is in order. And if you come up with different data classifications, each classification will need a corresponding security level. That is to say that the security level is determined by the resulting consequence if this data was stolen.
Another part of classifying will be to determine what the accessibility need is for the different types of data. For example look at the following list in correlation to the data you collect and determine the answers to a lot questions (who, what, when, why, and where).
Does Data need to be accessed:
-Onsite
-Online
-Offline
-In-house
-By a vendor
-By other organizations
-On a Mobile device
Storage Location
An organization will also need to determine where gathered data will be stored. Determining the location of critical data may also help determine the method of data storage. For example, part of my backup procedure on my home office machine involves off-site, cloud, and on-site locations. Thus I use the Internet and patch cables as my method(s) of data transfer.
Network Protection
Since most organizations operate within a computer network it’s important to ensure that this network is secure. There are number of ways to skin that snake. At the very least your network needs a high quality firewall that will meet the criteria of your security needs. A method of encryption is also necessary to provide solid network security. Again this kind of project does not fall into the domain of DIYer’s, if they do not know what they are doing the possibilities of a massive shut down, data loss, or a data breach are very high.
Workstation & Device Protection
It’s hard to believe that in this day and age computer users still need to be told that quality, reliable antivirus software is a must. This applies to laptops, mobile phones, tablets, as well as any device that will have access to stored critical/personal data. An outside the network user may inadvertently bring in a Nasty completely circumventing your network safeguards.
Storage Plan
Now you’ve reached the stage in creating a DSP where we will determine how and when you will store your data. Some of what I’m referring to here does happen in real time, some will happen in a redundant system at scheduled times, reproducing over a network or VPN tunnel to an off-site location. That’s part of a different plan (Fault Tolerance Plan) to need to create, which we will not take the time to discuss in this post. In this step you are also working with established backup procedures in determining which type of data will actually be allowed to travel or be stored/backed up for recovery or use.
Guidelines for Access of Data
I’m sure most of you have read in the news of companies that store personal data who have had unauthorized employee access incursions. In June of this year AT&T revealed that three vendor employees accessed personal data of AT&T’s customers. Some of this access can be made much more difficult for unauthorized personnel to achieve by simply stating and enforcing data access guidelines. Determine who needs to access customers’ data and what types of personal data do they need to access to serve your customers. You may also need to determine which data can be accessed off-site depending on your type of organization or business model. If you’re saying to yourself “We don’t know how to do that”, give us a call because we do. And we’d love to assist you.
Test the Procedure
It will take some time to develop and deploy, but it will be worth the time it takes in the hard work involved to create a data security procedure. Once you have all of this in place you can begin to test the procedure. Test the security vulnerabilities of your fire wall, your device protection, your processes and procedures for data gathering and storage, and then test your fault tolerance/backup plan. In carrying out these tests you should be able to determine whether or not you can actually protect personal data. You will also have an opportunity to see if your restore/back up procedures are adequate should you lose your main access to this data. Once you feel like all of this has passed the test then you can roll out your DSP to your staff so you can train them to succeed and meet expectations protecting this vital data. Then you can roll it out to your customers and to the public… You and your company will look like rock stars!
What to Do if Data Breach Occurs
Finally, determine what has to take place if your company/you are the victim of a data breach. Again it is important that you work through this procedure with a professional to cover all your bases. That being said, a few words to keep at the forefront of your data breach procedure are: Integrity, Immediacy, and Involvement.
Integrity. Be upfront with your employees, with your shareholders, and your customers. The company will already be in a little hot water because of this data breach. Not being open and upfront with your customers will only exacerbate the integrity dissonance they may be feeling. There’s no need to be an idiot about it; they don’t necessarily need to know every single detail of the data breach. But they will want to know that you’re on their side and you doing all that you can to protect them and their identity.
Immediacy. As quickly as you have clear and accurate information to pass on to your employees and to your customers, do so. Let me say that again. Ensure that you have clear and accurate information that you can give out to your employees as well as your customers. Part of working through the DSP will be to determine timelines for sharing information like this. The professional you work with will have an understanding of security considerations, legal issues, and other aspects that most people aren’t aware of so this will determine exactly how quickly you can wisely disseminate information.
Involvement. This is somewhat interrelated with the other two words integrity and immediacy. You will want to identify ahead of time a professional who can help you manage your recovery from a data breach and identity fraud. You’ll also want to determine which employees will be involved at different levels of the recovery efforts. We also recommend you involve (in the very wise manner) the people whose data your organization has gathered and stored.
We hope this is a helpful post to allay some of your fears in dealing with data breaches and cyber liability. As I stated in the beginning dealing with a data breach and creating a solid data security procedure is tantamount to excellence and success as an organization; thus requiring a dedicated, skilled, and trustworthy IT professional to work with you and your organization to create such a procedure. Depending on the type of business or the type of organization you’re involved with you may also need to involve security professionals. All that to say it will be worth the investment for you and your customers to create a data security procedure and all that it entails.
If we can partner with you to carry out such a project please contact us to set up an appointment, we welcome the opportunity to meet with you and determine if we’re a good fit for this project.