As businesses become increasingly reliant on electronic systems to store industry and consumer data, the incidence of catastrophic “hacks” or “breaches” continues to climb and grab headlines. A report issued last week analyzed 200 data security incidents occurring in 2014 and found that incidents affect all industries but occur more frequently in the healthcare, retail, financial services, professional services, real estate, and education sectors. Professional services, health care, and retail top the list in terms of severity.
The top five causes of data security incidents are:
- Employee negligence;
- External theft of electronic storage devices;
- Employee theft;
- Phishing; and
The large number of incidents resulting from employee negligence serves as a caution to businesses that believe security risks can be eradicated through improved technology alone. Importantly, last week’s report concluded:
“Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right ‘tone from the top’ and appropriate security policies and procedures.”
Rapid Detection Is Essential
More than half of data security incidents investigated by forensic firms are not self-detected by companies. If a business does not self-detect or is slow to detect a data breach, the business:
- Loses the opportunity to block the attack before it accesses critical data;
- Is slower to mitigate potential harm to the company and its clients/customers;
- Cannot offer reassurances to affected individuals about the scope of the attack; and
- Risks adverse publicity about the incident.
Once a data breach has been discovered, the company has an opportunity to respond, and its response may be critical to both minimizing damage and ensuring its survival. Mitigation efforts, such as credit monitoring, offer a chance to restore the company’s relationship with its customers. Notification letters or postings may reduce the occurrence or scope of litigation: the report found that in 75 incidents where notification letters were mailed or posted, only five of the companies were sued by victims of the incidents.
There are a variety of efforts that businesses can undertake to prepare themselves to handle a data security incident. The first step is to develop an incident response plan. This plan should include an analysis of all applicable systems, as well as personnel training and awareness. Security consultants can conduct security assessments to understand where sensitive data may be located and which assets may be targeted. The company must then implement security and detection capabilities based on the consultant’s recommendations. These measures will only be as effective as the employees closest to potential incidents, and appropriate training will reduce the chance that an incident results from employee error. Training and analysis must also consider the access provided to the company’s vendors, third-party contracts, and business contacts. As the methods behind data breaches continue to evolve, so must a business’s ability to adapt to changing risks. Any incident response plan must include ongoing diligence and built-in proactivity.
Creating the right “tone from the top” involves the following actions:
- Forming a risk committee;
- Engaging cybersecurity consultants;
- Obtaining and reviewing risk assessments;
- Evaluating corporate structure to potentially include a Chief Privacy Officer, Chief Information Security Officer, and/or Chief Risk Officer;
- Bolstering privacy and security budgets to ensure sufficient resources are available to protect against and respond to incidents; and
- Assessing the availability of cyber insurance coverage.
Data security incidents in our current business climate are virtually inevitable. It is essential that businesses prepare as if a cybersecurity breach is imminent. Developing an incident response plan, thoroughly evaluating existing assets, and providing employee training are immediate steps a company can take. The relatively modest cost of a strong cybersecurity plan, coupled with sound workplace policies, can provide businesses with peace of mind, allow for prevention and early detection, and ultimately minimize the potentially devastating consequences of a data security incident.