by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice
Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:
Is your business really safe?
There is no better time than now to assess whether the protections you want are in place to safeguard your information and data and, equally important, whether your organization is prepared to respond to a crisis.
Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past three years. We’ve identified recurring issues among organizations that threaten to compromise their data security and privacy. To best protect your organization, here are a few key safety measures:
- Classify data. Not all data is created equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so that its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question of whether the organization has a classification scheme and policy in place dropped by almost half), a full one-third of organizations surveyed admit they have not yet performed such classification, up from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
- Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Retaining all data and records is not only inefficient and costly; it also exposes your organization to greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods to each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice: 17 percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date, up from 9 percent in 2013.
- Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on the terms and conditions and to understand the information security standards that will be applied. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in compliance with established data privacy regulations.
- Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
- Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.
With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?
Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit www.singlehop.com.