Ready or not, here comes 2017. Just as people make resolutions intended to improve their personal and professional lives, businesses should also take the opportunity to make plans for the coming year. What will you do in the new year to make your business more profitable and secure?
May we suggest drawing some insight from Ponemon Institute’s Fourth Annual Data Breach Preparedness Study, sponsored by Experian Data Breach Resolution, when crafting resolutions for your business this year? Here are six things every business should do in 2017 to mitigate cybersecurity threats and minimize the risk of damage from a data breach:
- Update your data breach response plan — assuming, of course, you already have one in place. While 86 percent of the companies polled by Ponemon say they have a plan in place, fewer than a quarter (24 percent) have processes in place to update their plan annually. Twenty-nine percent have never updated their data breach response plan since first implementing it. Because risks and threats emerge constantly, it’s critical to update your plan to address the shifting cybersecurity landscape.
- Hold a “fire drill.” While companies that conduct fire drills of their data breach response plans find value in them (80 percent said fire drills improved their plans’ effectiveness), 40 percent of companies still aren’t doing them. Practicing your data breach response can help ensure that when a real breach occurs, everyone acts according to plan.
- Prepare for ransomware. Ransomware is a growing problem, yet 56 percent of the companies Ponemon surveyed said they weren’t confident their organization would be able to handle a ransomware attack. Worse, nearly half (45 percent) said they’re not doing anything to prepare for ransomware. Few are taking steps to limit ransomware risks, such as auditing and increasing backup of vulnerable data and systems (43 percent) and including planned system outage provisions in their business continuity plans (40 percent).
- Engage your C-suite. Involvement of leadership is key to an effective data breach response, yet 57 percent of companies have boards of directors, chairmen and CEOs who are not informed and involved in data breach preparedness. Sixty-six percent of IT professionals say their boards don’t understand the specific security threats facing their organization, and 74 percent of boards aren’t willing to assume responsibility for successful implementation of their plan.
- Audit third-party security measures. Your own security measures aren’t the only ones that might need shoring up in the new year. The security of your vendors and others you do business with can directly impact the integrity of your own data and systems. Half of companies now require audits of a third party’s security procedures, 93 percent require third parties and business partners to notify them when a breach occurs, and 80 percent require an incident response plan to review.
- Emphasize employee education. Your employees can be your greatest asset — or the weakest link — in your cybersecurity measures. Implementing employee privacy and data protection awareness programs can help reduce the risk of employee negligence or error leading to a cybersecurity event. Don’t just stop with a program that happens shortly after an employee is hired. Education should be ongoing in order to keep employees up-to-date on how to defend the company’s data, systems and customers against emerging cyberthreats.
The need for effective data breach preparedness will only grow in 2017. By making and keeping a few key resolutions, you can help mitigate data breach risks and ensure everyone in your organization is prepared to react well when one does occur.