You will experience a data breach. Most of us will take a wait-and-see attitude and try to do what we can to make this less likely. If you ask IT or an executive in many companies, they assume they have nothing valuable to steal. Organizations continue to think no one is targeting them, and that even if someone is, a breach won’t happen to them. Unfortunately this is not the case. It is no longer a matter of “if”, but “when”.
I had a conversation recently with a small manufacturing company and asked the CFO what type of information they keep and what they share with customers and business partners. The company makes machinery for the oil & gas industry and has drawings for parts and manufacturing process information. This information is valuable to them, but they didn’t think anyone would hack them to get it. They figured that someone wanting to steal this information would go after their larger competitors.
I asked about company turnover, especially in the engineering and manufacturing departments. The business is fairly specialized and there is a lot of tribal knowledge in these groups. Turnover in manufacturing is about 10% annually and less than 5% in engineering. I asked if there was anything preventing an employee from taking drawings or manufacturing process documentation with them when they left the company. They told me about their document controls. All printed drawings are in a locked room and electronic versions are stored in a document management system. Whoever needs access to do their job can get it. So if someone wanted to walk out the door with this information, they could. I asked the CFO if she was concerned that someone could sell this information to a lower cost manufacturer in China and underbid them with their customers. You can guess the answer.
Next I wanted to understand what type of customer information they kept. They build and ship equipment worldwide and have a lot of sensitive customer information on oil and gas locations, potential energy yields, extraction processes, etc. Executives started realizing how devastating it could be if this information walked out the door. They and IT were only focused on hackers getting in, but they need to start thinking about an employee deliberately or accidentally leaking this information.
Lastly I asked about personal and financial information. Like many companies they outsource benefits processing and payroll. They send spreadsheets with employee information to service providers. I told them of a recent case where an outsourced financial provider mistakenly sent a spreadsheet with employee information to the wrong company. The provider wanted to verify information with one of its customers and accidentally sent it to another. Unfortunately the owner of the data is also liable for a data breach, not just the service provider.
As this manufacturer learned, there are a lot of ways sensitive information can leak and cause financial and legal woes. Here are four steps to help reduce the risk of losing information and experiencing a data breach.
- Identify Sensitive Information – classify sensitive information, mark it appropriately and restrict access to it. This includes information you share outside the company.
- Persistent Security – encrypt documents and apply a persistent security policy to them so you are always in control of the information, no matter the location. This also lets you kill access immediately if needed.
- User Rights – examine user accounts to identify excessive rights and inactive accounts. Make sure users only have access to the data they need to do their job.
- Analyze Activity – monitor data access to see usage patterns. Watch for excessive access to sensitive data, off hours access and failed login attempts.
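As an added example (not from the original post), the sketch below applies the three "Analyze Activity" signals to a document-access log. The log format, the `drawings/` and `process/` sensitivity prefixes, the working hours and the thresholds are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, user, action, resource, result (assumed format).
SAMPLE_LOG = """\
2024-03-04T09:15:02 alice open drawings/pump-housing.dwg ok
2024-03-04T10:02:11 bob open drawings/valve-a.dwg ok
2024-03-04T10:02:40 bob open drawings/valve-b.dwg ok
2024-03-04T10:03:05 bob open process/heat-treat.pdf ok
2024-03-04T10:03:31 bob open drawings/manifold.dwg ok
2024-03-04T11:20:00 alice open hr/handbook.pdf ok
2024-03-04T23:40:17 carol open process/heat-treat.pdf ok
2024-03-05T08:01:00 dave login - fail
2024-03-05T08:01:09 dave login - fail
2024-03-05T08:01:15 dave login - fail
"""

SENSITIVE_PREFIXES = ("drawings/", "process/")  # assumed classification of sensitive data
WORK_HOURS = range(7, 19)                       # assumed working day, 07:00 to 18:59
MAX_SENSITIVE_PER_DAY = 3                       # assumed per-user daily threshold
MAX_FAILED_LOGINS = 3                           # assumed failed-login threshold


def analyze(log_text):
    """Return a sorted list of (user, reason) alerts found in the log."""
    sensitive_reads = Counter()  # (user, date) -> successful sensitive opens
    failed_logins = Counter()    # user -> failed login attempts
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, resource, result = line.split()
        when = datetime.fromisoformat(stamp)
        if action == "login":
            if result == "fail":
                failed_logins[user] += 1
                if failed_logins[user] >= MAX_FAILED_LOGINS:
                    alerts.add((user, "failed-logins"))
            continue
        # Only successful access to classified documents counts below.
        if result != "ok" or not resource.startswith(SENSITIVE_PREFIXES):
            continue
        if when.hour not in WORK_HOURS:
            alerts.add((user, "off-hours"))
        sensitive_reads[(user, when.date())] += 1
        if sensitive_reads[(user, when.date())] > MAX_SENSITIVE_PER_DAY:
            alerts.add((user, "excessive-access"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {reason}: {user}")
```

The rules only work once the first step is done: without a classification of which documents are sensitive, every access looks the same.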
Data breaches can be very damaging to organizations because they threaten finances, reputations and customer loyalty. It’s important to keep the bad guys out, but you also need to make sure that a trusted insider isn’t compromised. It’s time to turn the mirror around and see how to avert a major disaster.
Photo credit Katie Brady