BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
The IBM X-Force team is one of the most renowned commercial security research teams in the world. As data breaches become more and more prominent around the world, the X-Force team has been at the forefront of research.
Every year, the X-Force team assembles a chart showing each data breach as a bubble. The bigger the cost, the larger the bubble. Since 2011, when IBM first tracked data breaches, the sizes of the bubbles have grown larger and larger each year.
The chart is just one of many reports that have picked up on this growing concern. As the number of overall breaches goes up — the Online Trust Alliance reported an 18.2 percent increase in 2017 — the cost of these breaches has been following suit, costing companies millions of dollars.
The majority of data breaches happen for one of two reasons: human error or preventable exploits in connected devices.
Human errors usually stem from untrained employees allowing access by a third party — unknowingly or otherwise — to a company’s system. This access could come from phishing emails or malware from an ill-advised download.
Exploits are sometimes out of a company’s control, but those companies may have left themselves vulnerable by not installing the latest patch updates for their systems.
No matter the reason, data breaches can have an enormous cost, both monetarily, as I outlined above, and in lost trust and reputation, which is harder to quantify. Data breaches are brought up a lot in these blogs and in technology conversations, but it remains as important as ever to understand what your company can do to prevent and respond to breaches.
Preventing data breaches
Some data breaches may never be preventable, but being proactive in protecting against them can only help your chances. According to the Online Trust Alliance, 93 percent of data breaches in 2017 were preventable. That’s a staggering number.
So what are some things your company can do to protect against a breach?
First, start with training your employees. Because employees are connected to your company’s network, they unknowingly could be the gateway for malicious attacks to gain access to your data. It’s important to train all employees, whether they handle sensitive data on a regular basis or not.
I see a large variety of security awareness training with our clients. Some have little to no training and others put employees through detailed, exhaustive security training. You might be surprised that both may have similar effects.
Companies that throw a lot of information at employees on a certain topic may not be doing them a favor. People forget things, and a year or two down the road, they may not remember some of the information.
While security awareness training is important upfront, I’ve found it’s even more effective to send employees current, topical information more frequently and in snippets. Something like a security awareness newsletter, which LightEdge provides to employees on a monthly basis, can go a long way in supplementing your security awareness training.
Second, make sure all of your internet-connected systems and devices are updated with the latest security patches. Perhaps the biggest breach last year was Equifax, which came about because the company wasn’t proactive in updating its systems.
Before anything happens to your data, be sure to outline a cybersecurity incident response plan, giving you a road map to respond to an attack.
There are many variations to an incident response plan, but each has three common elements: recognize, react and recover.
When an attack does happen, having various notification systems in place will let your team know a breach has occurred. From there, you should have an incident response team assembled, which should include the business management staff as well as the information technology and human resources staff. The makeup of this team also depends on what industry you work in. Find out what the guidelines are for notifying your business’s data regulatory agency.
The biggest part of the react phase is information-gathering. Looking into how this happened and what the damage is will help you in the third phase.
After you understand what happened, it’s time to go into the recovery phase. You should always take the time to understand your local, state and federal laws regarding your data. Depending on what industry you operate in, you may have to answer to a different set of regulations and agencies. For example, HIPAA — the Health Insurance Portability and Accountability Act — has an agency that oversees medical information.
But no matter how much you may understand about data security laws, make sure to have legal representation. Having someone on your team who understands cybersecurity laws and responsibilities can help you through the process.
After an attack, those regulatory agencies may require you to implement long-term corrections. Based on the investigation, remedy the source of the breach to ensure it doesn’t happen again.
A good plan can help mitigate the damage, but a breach will still cost your company money, trust and reputation. That’s why it’s important to prevent these attacks upfront.
It can be hard to navigate the world of data breaches, but it’s become more and more important every year as the number of attacks increases. Preventing these attacks and having a plan can ensure your company is ready should anything happen. Such measures should be crucial aspects of your business.