It seems that experiencing a data breach is no longer a matter of “if” but “when”. According to the US Government Accountability Office, there were about 13,000 federal data breach incidents in 2010. In 2011, it rose to 15,500 — an increase of 19 percent. The amount of personal information compromised through data breaches was on the rise in 2011. According to the Privacy Rights Clearinghouse, about 30 million records were compromised in 2011 in 535 separate breaches in the United States. That’s up from 12.3 million in 2010. And things haven’t stopped in 2012 as organizations all over the world are suffering major breaches.
Odds are your organization will have some type of incident at some point in the future. Think about this the same way you look at having a fire. You try to minimize the risk by putting certain plans and technology into place. You have a fire escape with a defined exit plan to get people out of a building. You put in smoke detectors and sprinklers to warn people and help extinguish the fire. You have alarms to alert people and call the fire department. You have insurance to manage any damage.
Here are some tips to manage the risk of a data breach:
- Ensure policies and procedures cover data protection and breach management. You need a written policy governing the protection of important information, including personally identifiable information (PII), and the steps to take when a breach occurs.
- Keep your software updated. This includes security patches and updates for all your servers, desktops, laptops, mobile devices and networking systems, such as firewalls. This helps reduce the risk of attacks.
- Train employees on data security and managing risk. Everyone needs to ensure that confidential data is handled with care. Just as people know to lock the office door, they should “lock” their data.
- Encrypt data and documents. This is the easiest way to prevent problems. Apply file-level encryption to all documents that contain anything confidential or personal.
People overlook this last one, yet it may be the best defense against a data breach. If critical information is lost, the loss is not as much of a liability if the information is encrypted. According to data breach laws in the US and around the world, if data is encrypted, the organization does not need to report the breach. Many of the breaches in the last few years involved information that was stored in plain text.
Encrypting the data as it’s stored is important, but keeping control while someone is accessing it is even more important. If I download data from my financial system into a spreadsheet, I need to ensure the document is encrypted and that I control who has access to it. The only way to do that is by applying a persistent security policy that guarantees I control the document no matter where it is and what format it’s in. If a hacker gets the document, it’s useless to them, since they can’t see what’s inside.
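The following Go program is an added example, not code from the original post or from any product it alludes to. It shows the two points made above in working form: file-level encryption of an exported spreadsheet with AES-256-GCM, and a simplified stand-in for a "persistent security policy" (a comma-separated list of principals allowed to open the file) that travels with the document and is bound to the ciphertext as additional authenticated data, so it cannot be edited or stripped without the key. The container layout, the policy format and the helper names are assumptions made for this example; a real information-rights-management system would hold keys and policy on a server rather than in the client. The file is useless to whoever takes it only as long as the key is kept elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const nonceSize = 12 // standard GCM nonce length

// NewDocumentKey generates a random 256-bit key. This is the secret that must
// live apart from the document (key server, HSM, OS keychain): an encrypted
// file is only harmless in a breach while its key was not breached with it.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a document with AES-256-GCM and binds the access policy to
// it as additional authenticated data. Container layout (assumed for this
// example): [2-byte policy length][policy][12-byte nonce][ciphertext||tag].
func Seal(key []byte, policy string, plaintext []byte) ([]byte, error) {
	if len(policy) > 0xFFFF {
		return nil, errors.New("policy too long")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(policy)+len(nonce)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(policy)))
	out = append(out, policy...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(policy)), nil
}

// Open reverses Seal for a named principal. It refuses principals not listed
// in the policy, and it fails if the policy or ciphertext was altered or the
// key is wrong, because the policy is part of the authenticated data.
func Open(key []byte, principal string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("truncated document")
	}
	plen := int(binary.BigEndian.Uint16(sealed))
	if len(sealed) < 2+plen+nonceSize {
		return nil, errors.New("truncated document")
	}
	policy := string(sealed[2 : 2+plen])
	nonce := sealed[2+plen : 2+plen+nonceSize]
	ciphertext := sealed[2+plen+nonceSize:]
	// Deny early on the clear-text policy; a forged policy that admits the
	// principal still fails below, since GCM verifies it against the tag.
	if !allowed(policy, principal) {
		return nil, fmt.Errorf("%q is not permitted by policy %q", principal, policy)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(policy))
	if err != nil {
		return nil, errors.New("document was altered or key is wrong")
	}
	return plaintext, nil
}

// allowed reports whether principal appears in the comma-separated policy.
func allowed(policy, principal string) bool {
	for _, p := range strings.Split(policy, ",") {
		if strings.TrimSpace(p) == principal {
			return true
		}
	}
	return false
}

// RewritePolicy simulates a modified policy header (for example a tool that
// edits the file without the key). The nonce and ciphertext are kept intact.
func RewritePolicy(sealed []byte, newPolicy string) []byte {
	plen := int(binary.BigEndian.Uint16(sealed))
	out := make([]byte, 2, 2+len(newPolicy)+len(sealed)-2-plen)
	binary.BigEndian.PutUint16(out, uint16(len(newPolicy)))
	out = append(out, newPolicy...)
	return append(out, sealed[2+plen:]...)
}

func main() {
	key, _ := NewDocumentKey()
	// Constructed sample: a spreadsheet export that contains PII.
	export := []byte("name,ssn\nJane Doe,000-00-0000\n")
	sealed, _ := Seal(key, "alice,bob", export)
	_, err := Open(key, "mallory", sealed)
	fmt.Println("unlisted principal:", err)
	_, err = Open(key, "mallory", RewritePolicy(sealed, "alice,bob,mallory"))
	fmt.Println("edited policy:", err)
	doc, _ := Open(key, "bob", sealed)
	fmt.Printf("listed principal reads %d bytes\n", len(doc))
}
```

The ordering in Open matters: the policy is checked before any decryption so plaintext is never produced for an unlisted principal, and the AEAD tag covers the policy so an edited header is rejected even when it names the caller. Losing the sealed file alone, as in a stolen laptop or a misdirected e-mail, exposes nothing but the policy line.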
Data breaches can be very damaging to organizations because they threaten finances, reputations and customer loyalty. You need to prepare for them with good policies, a trained workforce and some good encryption technology. A little planning and prevention can avert a major disaster.