Having a data breach response plan is actually a great strategy for preventing data breaches in the first place.
The likelihood that a company will be faced with a security incident gets higher every year. In a 2016 Ponemon study, 52% of companies experienced one breach during the year, and 66% reported multiple breaches.
Here are 9 questions about your data breach plan that will help you better understand the company’s risk – and how to prevent a data breach.
- Is there an incident response team? Every company should have one, made up of department representatives, IT and other first responders, legal counsel, media-savvy spokespeople, and senior executives. The Ponemon study reported that 57% of respondents said their company’s C-suite was not part of the team.
- What data in the organization is considered sensitive? Identify all the data (on hand and being collected on an ongoing basis) that is confidential, and why (e.g. compliance requirements).
- How is confidential data inventoried? A comprehensive document management policy provides a formal process that helps protect documents from creation to destruction. For example, all files, whether digital or paper, are labeled by their contents and by how long the information needs to be kept. This kind of data retention process also eliminates unnecessary data as soon as possible.
- Who has access to confidential data? Visibility into end-user access to sensitive and confidential information is critical. Implement access controls so that only those employees who need the data to do their jobs have access.
- What data safeguards are in place? For computers and IT devices, use the most current versions of firewalls, anti-virus software, applications and operating systems, with automated security patching. Be sure to employ complex passwords and multi-factor authentication. Implement a Clean Desk Policy and provide lockable desks, cabinets and other storage for paper documents and legacy hard drives. A culture of security and ongoing employee training will support data security best practices.
- How is data being transferred? Protect data in transit. Teach employees to guard confidential information – not to leave it exposed in public places or visible in their cars. Encrypt data, do not use public Wi-Fi, and lock mobile devices.
- Is the data breach plan updated regularly? While 86% of respondents in the Ponemon study said their organizations have a data breach notification plan, only 24% have a procedure for keeping the plan current. But there are always new risks. For example, ransomware is currently a huge issue, yet 45% of respondents say they are not taking any steps to prepare for a possible ransomware attack.
- Are third parties audited? Conduct due diligence on all third-party service providers. Third parties and business partners have been identified as a significant risk for breaches.
- How is data destroyed? Partner with a trustworthy document destruction company that provides secure destruction services for paper and digital data. There should be a secure chain of custody with trained security professionals, on- or off-site information destruction, and a Certificate of Destruction issued after destruction.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.