Building Effective Work Processes? Trust, but Verify
Data breaches are unpredictable. To avoid security breaches resulting in data leaks, companies must stay a step ahead of uncertainty, which requires them to understand potential risks, anticipate future challenges, create procedures to address those issues strategically and make sure to follow established protocols.
Security is not a default setting. It is a privilege achieved through endless hours of training, experience and vigilance. Many organisations have put in place, standard operating processes and procedures regarding the storage, handling and processing of sensitive data. The most robust of systems however, can simply be undone with a single human mistake.
Recently, insurance company Aviva had established internal work process controls governing the processing, printing and sorting of customers’ personal information. However, their processes and protocols were defeated in a moment of inattention by a veteran employee. The absence of a second layer of checks was highlighted as a systematic flaw, which contributed to the inadvertent disclosure of a customer’s personal information to a wrong recipient. Aviva was found to be in breach of the Personal Data Protection Act (PDPA), which requires organisations to have adequate security measures in place to protect consumers’ personal data. Violators can be fined up to SGD $1 million.
The typical process surrounding sensitive or personal data for companies consist of risk management, compliance and audit functions:
- An effective risk management programme assists managers in defining risk exposure, as well as develops, facilitates and monitors the implementation of effective risk management practices in daily operations.
- A compliance function focuses on internal monitoring for noncompliance with procedures as well as providing suggested revisions for more effective processes.
- Internal and external audits assure the efficiency and effectiveness of the overall risk management framework of the organisation, responsible for all elements from risk identification, assessment and response to monitoring. Audits are not only important for large companies, as even the smallest of organisations are prone to noncompliance risks, which could result in data leaks.
Experience paired with an absence of incidents often breeds complacency. Sound policies should be established to provide for additional layers of checks and balances specifically to watch for and prevent human error during normal operational workflows. These additional checks should ensure the strict adherence to standard operating procedures and serves as an additional line of defence.
Post-incident, Aviva has taken remediation actions in the form of putting in place additional layers of random checks on staff output. Companies should also implement regular training for all staff to ensure that they are aware of and kept up to date on the latest operational requirements.
Policies and procedures are an instruction manual to ensure things work out how they are supposed to; audits and second level checks ensure that incidents that are not supposed to happen, do not slip through the cracks unnoticed.
Start Protecting Your Business
To learn more about how Shred-it can serve as an additional layer of defence to protect your organisation against data leaks, please contact us to get a free quote and security risk assessment.