One of the problems of implementing security is that people perceive it as an inconvenience. People always take the path of convenience because it’s easy. Many years ago no one locked their doors because we weren’t worried that someone would come into our house and steal anything. Over time that thinking changed and we all lock our homes and businesses before going out.
Many organizations think about data security and cybersecurity the same way. While no one questions locking the doors to the office or manufacturing plant, some don’t think about locking all the doors to their sensitive information. A common approach is merely to check the boxes required for compliance with a regulation or standard, without thinking about your company’s unique situation.
A great example is the Target data breach a number of years ago. The company was fully PCI compliant, which meant it had checked all the boxes to protect its data according to the standard. Unfortunately, it was attacked when someone hacked into its point-of-sale systems and copied millions of customer data records to locations outside the company. In this case the company was compliant, but not secure.
Another area of concern is file sharing services that offer only limited security controls over file access. These may be consumer grade and perfectly fine for sharing pictures and school reports, but they do not have the type of controls needed to protect sensitive business or customer information.
Minimizing cybersecurity threats and the damage they can cause requires organizations to develop and implement a cybersecurity plan. This includes discovering what sensitive data you have, determining where it is, and deciding how to protect it. You need to limit data and system access to authorized users and ensure that you can account for any access to sensitive data with a complete audit trail.
Some of the new regulations and data breach protection laws may give guidance on how to protect your sensitive data. The recent financial industry cybersecurity regulation in New York (NYS DFS 23 NYCRR 500) stipulates that financial organizations doing business in New York must encrypt all nonpublic data at rest and in transit. They must also restrict access to authorized users only and provide an audit trail to prove who had access to that data. This also applies to third-party service providers that may have access to this information.
Daily data breaches and their consequences are now a priority at the board and executive level. The NYS DFS regulation holds senior executives responsible for ensuring that their organizations comply. The new US presidential administration has talked about making cabinet secretaries and agency heads responsible for their agencies’ cybersecurity.
It’s time to get serious about protecting your information. Implement solutions that cause minimal disruption to your business but give you the protection you need. Train your staff so they understand the value of security in their everyday work. Always choose security over convenience when sensitive data and privacy might be at risk.