With the global economic cost of cybercrime totaling more than $400 billion per year and breaches affecting companies ranging from retailers (e.g. Target, Walmart and Staples) and restaurants (Dairy Queen and Jimmy John’s) to tech companies (Snapchat), banks (JPMorgan), electronics and entertainment enterprises (Sony Corporation) and even NASA, companies of all sizes across all industries should be thinking about how to better safeguard their data.
Here are some tips from a few security pros: Ken Leeser, Kaliber Data Security; Ken Levine, Digital Guardian; Ralph Rodrigues, Delfigo Security; Danielle Sheer, Carbonite; and Foley Partner Aaron Tantleff, who spoke on data security at the 2014 FOLEYTech Summit.
Conduct an internal study of the data your company maintains, then trace its path from its initial resting point, through its paths of transit, to its end point. Once you can identify the data and its intended path, you can build an imaginary fence around it and modify its pathways, building a secure ecosystem around the data.
Think about the types of data you are collecting. Do you need to collect and store it? You can’t have a data breach if you don’t store any data.
While there is no one generally applicable data security law, many states have their own forms of regulation. Pick a law, such as the Massachusetts data security regulations, then create an actionable plan to ensure your company fully complies with the regulations. If necessary, use security vendors to help you interpret the regulations, assess your level of compliance and walk you through the steps many other companies have taken.
Make sure you are aware of any industry-specific standards that may apply to your company: it may not be enough to check the box if all of your competitors follow a more rigid standard. Be sure to document everything you do and why you do it, but remember that once you have documented something, including any reports analyzing your level of compliance, you must act upon it rather than ignore it.
While compliance with regulations and industry standards will not insulate your company from liability, it will likely reduce such liability and will certainly make your customers feel better about giving you their business.
Once you’ve brought the company in compliance with applicable regulations and industry standards, think about what else you can do to further develop your security ecosystem. Listen to where hacks and breaches are occurring elsewhere in the news and think about whether you are vulnerable to a similar breach.
Especially for smaller or younger companies, building a culture of education and compliance from day one is critical. Incorporate data security into your employee onboarding procedures, continually update and send reminders of your policies, and put in place policies and tools that steer user behavior, such as implementing certain password requirements and alerts when undesirable behavior occurs (e.g., "Are you sure you want to download data to a USB drive or include that external email address?"). Finally, create a security email alias and a security council, made up of cross-functional teams, that meets weekly. Start the conversations early and keep them going.
For more tips, check out the following article by Foley Partners Susan Pravda and Gabor Garai: Big Companies Should Think and Act Like Startups to Keep Data Safe.