7 Steps to Protect Your Company from a Data Breach

Transcription

1 7 Steps to Protect Your Company from a Data Breach August 11, 2015 Michael Pinna and Stuart Nussbaum Millions of government personnel files were recently compromised as part of a malicious hacking of the federal government s Office of Personnel Management (OPM) and the Interior Department. As the human resources department for the federal government, the OPM maintains personnel files on all employees and also issues security clearances, which makes this cybersecurity breach particularly damaging. While the federal government is a likely target for malicious hacking, the most common targets historically have been retailers and other companies that maintain databases of credit card information. One of the most notable breaches of the last few years was the massive 2013 compromise of Target Corp. s systems, which affected as many as 110 million customers during the year s busiest shopping season. From Nov. 27 until mid-december, hackers accessed customer names, mailing addresses, phone numbers, addresses, and credit card information. By Dec. 15, Target had a third-party forensic team in place and the attack mitigated. On Dec. 18, the story broke as a result of a posting by a security blogger. Finally, Target informed the

2 affected credit/debit card-wielding shoppers who had made purchases at one of the company s stores during the attack that their personal and financial information had been compromised. The event also led to the eventual resignation of the company s CEO in As a result of the breach, Target improved cybersecurity: Its corporate website describes various changes made to security procedures and protocols, including improved monitoring, firewalls, and password usage. Many experts have analyzed how the breach happened and evaluated Target s response, and have identified several steps that companies regardless of their size can take to better protect themselves. Remember: Aside from any payments resulting from trial judgments or settlements with plaintiffs, as well as significant fees and penalties, a business can lose significant revenue due to reputational damage. 1. Appoint a chief information security officer to oversee the information security program. Having an officer knowledgeable in data security best practices will enable the company to develop a plan on how to best protect itself from a data hack, including establishing security-awareness training programs and implementing security-related technology. Designating a chief information security officer also shows the rest of the organization that the company views data security seriously and helps support a culture sensitive to the protection of data. 2. Implement updated security technology. Updating technology is often a cost-benefit decision. Industry experts have pointed out that most companies and the United States as a country use antiquated data and credit card security technology. For example, chip card technology in credit cards is used in Europe, but will not be fully implemented in the United States for another few years.

3 3. Conduct periodic security audits. A security audit is a measurable assessment of a company s security policies. After the Target attack, the company admitted it had missed certain warning signs about potential security gaps, which could have turned up in a security audit. Many companies have frequent audits listed as one of their information and security procedures, but do not actually conduct. While a detailed security audit should be performed periodically, all Internetfacing systems should undergo a vulnerability scan at least quarterly to identify any threats or updates that need to be applied. Software to perform such vulnerability scans is readily available in the marketplace. 4. Establish a clean desk policy. All employees in an organization should be cognizant of making sure they do not leave sensitive or confidential information in any location that could be accessed by unauthorized people. This includes paper data that can be left in a conference room or office, as well as electronic files that may be left on a network, unprotected computer, or in an inbox. Establishing passwordprotection protocols with mandatory, frequent password changes and a security-awareness program should be a part of every company s data security initiative. 5. Establish an incident response plan. After a breach is discovered, the top priority is usually fixing the breach at all costs. This is the correct approach for the technical team; however, others within the company need to simultaneously begin considering how the breach will be communicated to the public and those affected, as well as creating a response plan to mitigate any negative fallout. The plan needs to address the actions to be taken throughout the company in areas outside of IT, including human resources, legal, customer service, executive management, and corporate/investor relations. Many Target customers wanted to talk to someone at the company

4 about the breach, but couldn t get through, which compounded the existing damage. 6. Communicate a problem right away. Although the timing of the data breach was not under Target s control and occurred at the worst time of year, the company did have full control over when and how to break the news to the public. Target waited days after discovering the problem before alerting customers. A company should be willing to disclose problems like this right away to control the flow of information and ensure that the correct information is being disseminated on a timely basis. 7. Extend security practices to customers and vendors. A company can have the best security practices in the world, but if it shares data with customers and/or vendors through its systems, a weakness in the vendors or customers systems or processes could inadvertently find its way back into the company s systems. It is critical that companies develop some type of vendor/customer management processes that monitor compliance of those vendors/customers that share electronic data with basic security parameters. While it is difficult to control systems maintained by an outside party, a company can at least understand the risks and take any necessary actions to mitigate them. The hackers who attacked Target demonstrated extraordinary capabilities in successfully orchestrating the 2013 data breach. The increasing number of data breaches shows the current value of credit card data in the criminal marketplace. Having your company be cognizant of the importance of data security best practices and implementing proper security measures will help keep your company from becoming the next victim. About the authors: Stuart Nussbaum is a partner and Michael Pinna is a director at WeiserMazars LLP.

5 excellence/7 steps to protectyour company from a data breach