7 Things Mid-Size Companies Can Do to Avoid Data Breaches
By Stuart Nussbaum and Michael Pinna
Millions of government personnel files were recently compromised as part of a malicious hacking of the federal government’s Office of Personnel Management (“OPM”) and the Interior Department. As the human resources department for the federal government, the OPM maintains personnel files on all employees and also issues security clearances, which makes this cybersecurity breach particularly damaging.
While the federal government is a likely target for malicious hacking, the most common targets historically have been retailers and other companies that maintain databases of credit card information. One of the most notable breaches of the last few years was the massive 2013 compromise of Target’s systems, which affected as many as 110 million customers during the year’s busiest shopping season. From November 27th until mid-December, hackers accessed customer names, mailing addresses, phone numbers, email addresses and credit card information. By December 15th, Target had a third-party forensic team in place and had contained the attack. On December 18th, the story broke as a result of a posting by a security blogger. Only then did Target inform shoppers who had used a credit or debit card at one of the company’s stores during the attack that their personal and financial information had been compromised. The event also led to the eventual resignation of the CEO in 2014.
As a result of the breach, Target improved its cybersecurity; its corporate website describes various changes made by the company to security procedures and protocols, including improved monitoring, firewalls and password usage. Many experts have analyzed how the breach happened and evaluated Target’s response, and have identified several steps that companies, regardless of their size, can take to better protect themselves. Remember: aside from any payments resulting from trial judgments or settlements with plaintiffs, as well as significant fees and penalties, a business can lose significant revenue due to reputational damage.
1. Appoint a Chief Information Security Officer to Oversee the Information Security Program
Having an officer knowledgeable in data security best practices will enable the company to develop a plan on how to best protect itself from a data hack, including by establishing security awareness training programs and implementing security related technology. Designating a Chief Information Security Officer also shows the rest of the organization that the company views data security seriously and helps support a culture sensitive to the protection of data.
2. Implement Updated Security Technology
Updating technology is often a cost-benefit decision. Industry experts have pointed out that most companies, and the U.S. as a country, use antiquated data and credit card security technology. For example, chip card technology in credit cards is already standard in Europe, but will not be fully implemented in the U.S. for another few years.
3. Periodic Security Audits
A security audit is a measurable assessment of a company’s security policies and of whether they are actually followed. After the Target attack, the company admitted it had missed certain warning signs about potential security gaps, which could have been turned up in a security audit. Many companies list frequent audits as one of their information security procedures, but do not actually conduct them. While a detailed security audit should be performed periodically, all internet-facing systems should undergo a vulnerability scan at least quarterly to identify exposed vulnerabilities and missing patches that need to be applied, and the scan results should be tracked until each finding is fixed. Software to perform such vulnerability scans is readily available in the marketplace.
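The gap between a scanning procedure that is written down and one that is actually carried out is easiest to close with evidence. The following is an added example, not code from the article’s authors: it compares a constructed inventory of internet-facing hosts against constructed scan records and reports hosts that were never scanned, hosts whose last scan is older than the quarterly requirement, and high-severity findings left open past a patch deadline. The 90-day scan interval and the 30-day remediation deadline are assumptions chosen for illustration; the host names, addresses and dates are invented.

```python
"""Scan-coverage check for internet-facing systems.

Added example with constructed data. Assumptions: scans must be no older
than 90 days ("at least quarterly") and high/critical findings must be fixed
within 30 days of first being seen.
"""
from datetime import date

SCAN_INTERVAL_DAYS = 90   # quarterly requirement (assumed)
PATCH_SLA_DAYS = 30       # remediation deadline for high/critical (assumed)

# Constructed asset inventory: every internet-facing host the company owns.
INVENTORY = [
    {"host": "www.example.com",        "ip": "203.0.113.10", "owner": "web-team"},
    {"host": "vpn.example.com",        "ip": "203.0.113.20", "owner": "netops"},
    {"host": "mail.example.com",       "ip": "203.0.113.30", "owner": "it"},
    {"host": "legacy-ftp.example.com", "ip": "203.0.113.40", "owner": "it"},
]

# Constructed scan records, one per scan run, as a scanner export might look
# after parsing. "legacy-ftp" deliberately has no record at all.
SCANS = [
    {"ip": "203.0.113.10", "scanned": date(2015, 6, 1), "findings": []},
    {"ip": "203.0.113.20", "scanned": date(2015, 6, 1), "findings": [
        {"id": "F-1", "severity": "high",
         "first_seen": date(2015, 3, 1), "fixed": False},
    ]},
    {"ip": "203.0.113.30", "scanned": date(2015, 1, 15), "findings": []},
]


def coverage_report(inventory, scans, today,
                    scan_interval_days=SCAN_INTERVAL_DAYS,
                    patch_sla_days=PATCH_SLA_DAYS):
    """Return which inventoried hosts lack scan evidence or carry overdue findings.

    Only the most recent scan per address is considered authoritative, so a
    finding fixed in a later scan no longer counts against the host.
    """
    latest = {}
    for scan in scans:
        current = latest.get(scan["ip"])
        if current is None or scan["scanned"] > current["scanned"]:
            latest[scan["ip"]] = scan

    report = {"never_scanned": [], "stale": [], "overdue_findings": []}
    for asset in inventory:
        scan = latest.get(asset["ip"])
        if scan is None:
            # Listed in the inventory, but no scanner has ever seen it.
            report["never_scanned"].append(asset["host"])
            continue

        scan_age = (today - scan["scanned"]).days
        if scan_age > scan_interval_days:
            report["stale"].append((asset["host"], scan_age))

        for finding in scan["findings"]:
            if finding["severity"] in ("high", "critical") and not finding["fixed"]:
                open_days = (today - finding["first_seen"]).days
                if open_days > patch_sla_days:
                    report["overdue_findings"].append(
                        (asset["host"], finding["id"], open_days))
    return report


def is_compliant(report):
    """True only when every host is scanned, recent, and clear of overdue findings."""
    return not any(report.values())


if __name__ == "__main__":
    result = coverage_report(INVENTORY, SCANS, date(2015, 6, 30))
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("quarterly scan requirement met:", is_compliant(result))
```

Run against an inventory exported from the asset register and the scanner’s own export, the same check turns “we scan quarterly” into a list of named hosts and owners, which is what an auditor will ask for and what the procedure on paper cannot supply.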
4. Establish a “Clean Desk” Policy
All employees in an organization should make sure that they do not leave sensitive or confidential information in any location that could be accessed by unauthorized people. This includes paper records left in a conference room or office as well as electronic files left on a network share, an unprotected computer or in an email box. Establishing password protection protocols and a security awareness program should be a part of every company’s data security initiative. Note that mandatory, frequent password changes, long a standard recommendation, are now discouraged by NIST guidance (SP 800-63B), which favors strong, unique passwords that are changed when compromise is suspected.
5. Establish an Incident Response Plan
After a breach is discovered, the top priority is usually fixing the breach at all costs. This is the correct approach for the technical team; however, others within the company need to simultaneously begin considering how the breach will be communicated to the public and those affected, as well as creating a response plan to mitigate any negative fallout. The plan needs to address the actions to be taken throughout the company in areas outside of IT, including human resources, legal, customer service, executive management, and corporate/investor relations. Many Target customers wanted to talk to someone at the company about the breach, but couldn’t get through, which compounded the existing damage.
6. Communicate a Problem Right Away
Although the timing of the data breach was not under Target’s control and occurred at the worst time of year, Target did have full control over when and how to break the news to the public. Target waited days after discovering the problem before alerting customers. A company should be willing to disclose problems like this right away to control the flow of information and ensure that the correct information is being disseminated on a timely basis.
7. Extend Security Practices to Customers and Vendors
A company can have the best security practices in the world, but if it shares data with customers and/or vendors through its systems, a weakness in the vendors’/customers’ systems or processes could inadvertently find its way back into the company’s systems. In Target’s case, the attackers reportedly gained their initial foothold using network credentials stolen from a third-party heating and air-conditioning vendor. It is critical that companies develop some type of vendor/customer management process that verifies that those vendors/customers that share electronic data meet basic security requirements. While it is difficult to control systems maintained by an outside party, a company can at least understand the risks and take any necessary actions to mitigate them.
The hackers who attacked Target demonstrated extraordinary capabilities in successfully orchestrating the 2013 data breach. The increasing number of data breaches shows the current value of credit card data in the criminal marketplace. Having your company be cognizant of data security’s importance and implementing proper security measures will help keep your company from becoming the next victim.