Breach Prevention: Eight Key StepsTimely Tips for Minimizing Risks
Breaches are expensive, embarrassing and entice additional scrutiny from regulators and consumers alike. By taking some fundamental measures, you can help protect private information and lessen the impact of breaches when they occur.
Here are eight key steps drawn from my experience managing breach prevention and response:
1. Collect Less Data.
Challenge the business rationale for collecting all of this data.
Most U.S. business models support collecting all of the data that consumers are willing to provide. Often organizations collect data without the consumers' knowledge (e.g., online mortgage calculators). Challenge the business rationale for collecting all of this data.
2. Retain Less Data.
The cost of retaining data is often not considered; business executives assume data storage is cheap. But keep in mind the costs go beyond storage and include back-up, data security and breach resolution. Implement a retention policy that supports the business objectives, but uses sound logic to limit the duration it's retained. Then put a program in place to adhere to the retention periods.
3. Create a Data Inventory.
Ask your information technology team where your sensitive data resides, and they will likely hand you a network diagram. Ask your business team, and they may launch their CRM application. Your marketing team might pull out locally saved Excel files. By maintaining a current business data flow diagram, you might catch outflows to vendors, USB drives and printed reports. So create and maintain a data inventory with business process data flow.
4. Adopt an Access Control Model.
System access needs to be more granular to support the "business need to know" philosophy. Your local bank teller needs to be able to access information about any client that walks up to her teller line. That is a business need, and, therefore, tellers are credentialed to view all customers' data. However, during slow times, the teller should not be accessing the records of family members, neighbors or celebrities out of curiosity. A legitimate business need must be established. So granular access control and proper monitoring is a prudent measure for properly protecting information.
5. Adopt a Vendor Management Program.
Many organizations use vendors to process large quantities of their most sensitive data. Make sure they have proper controls in place by adopting a vendor management program. Such a program uses a risk-based model to provide incremental due diligence when appropriate. For example, a vendor that processes W2 forms with Social Security numbers would be held to a higher standard than the lawn care service providers. And don't forget to verify they properly destroy the data when the relationship ends.
6. Limit Data Mobility.
Sensitive data is showing up on a wide range of mobile devices, including USB drives, CD ROM burners, portable hard drives, laptops and smart phones. Reduce the risk of a breach by limiting the amount of data that is permitted to be copied to mobile devices and also by requiring encryption.
7. Be Careful When Testing Systems.
IT invests in expensive data protection technology for use in the production environment. But too often, a development team makes a copy of production data and uses it in a test system with little or no controls. Make sure your development team uses fake data for testing.
8. Build an Incident Response Program.
OK, statistically speaking, your business is experiencing breaches every year. If you have an immature security program, those incidents probably aren't being reported - or at least not through the right channels. So build an incident response program that channels breaches into a queue where they can be recorded, managed and remediated in a timely manner. If you do not have an IRP, build one now and test it annually.
Taking these precautions will significantly limit risks and associated costs - both monetary and brand equity. But most important, it's the right thing to do to protect consumers.
Brian Dean is a DataBreachToday adviser, as well as a senior HIPAA and privacy consultant at SecureState, a global management consulting firm focused on information security.