The sheer volume of data most businesses now handle, and the many routes it travels across the cloud, mean that every organization that uses, stores or transfers data of any kind is vulnerable. Privacy breaches, fraud and blackmail are among the potential threats. Who hasn’t heard of the hospital blackmailed by ransomware that encrypted its data – literally holding lives in its hands until the ransom went through? The question is not if but when you will be hacked, according to John Leek of NetStandard.
That’s no reason to run and hide, says Leek. But you do need to have a three-pronged plan to:
- Protect your data
- Handle a breach
- Insure yourself
Step 1: Protect Your Data
Every organization needs a comprehensive plan for protecting its data from both technical and physical breaches. On the technical side, that includes:
- Risk Management: Identifying issues, assessing key risk areas, measuring the likelihood of the risks and ranking them.
- Risk Mitigation: Designing a process to reduce the risks you’ve identified. This can include defining staff roles and separation of duties to ensure planned redundancy and avoid conflicts of interest. It also should include technical solutions for securing all devices accessing your data – including mobile devices and those controlled by contract and remote workers.
- IT Control Testing: Once you have risk mitigation plans in place, it’s important to test them with vulnerability scans, penetration testing and testing for physical and phishing threats.
It helps to have a strong IT governance structure to manage this process over time, and ongoing employee training is critical. According to Leek, two of every 1,000 targets fall for spear-phishing attacks, either sharing personal information or downloading a file that installs a bot (malware that gives an attacker remote control) on your computers.
Don’t let the focus on data breaches stop with technology, however. Old-fashioned physical breaches such as mishandled files or an unauthorized person entering the workspace are still a threat, too.
Step 2: Plan Your Response
Once you have a protection plan in place, you can sit back and relax, right? Not exactly. As Leek said at the start, the question is not if you will be hacked but when, so you also need a plan for responding to a breach. That includes planning how you will recover your data and how you will communicate with and take care of your stakeholders – customers, leaders, staff, the media and the general public.
Step 3: Insure Yourself
According to Leek, the average cost of a data breach is nearly $1 million, and that figure may not reflect the indirect cost to your reputation among your constituents and your community. Insurance is available to cover the cost of a breach on your network. It can include incidents such as:
- Malware attacks
- DDoS attacks
- Phishing schemes
- Insider data breaches
- Malfunctions leading to accidental disclosure
- Breaches caused by employee error
Look to your insurance broker to help with any of these critical data protection strategies. After all, who can disagree with Ben Franklin: “An ounce of prevention is worth a pound of cure.”
By Pat Murphy
President – Commercial Division