Cyber Insurance & Your Data Breach Response Plan
Entities that take the appropriate measures before a cyber-event occurs are better equipped to minimize the damage that may result.
Learn more about what to look for in a cyber-insurance provider.
A Cyber Security Threat is a Data Breach Threat
When your cyber security isn’t airtight, data can get out. And when data gets out, it can cost your business millions. In 2011, the average cost of a data breach was $5.5 million.[1]
October is National Cyber Security Awareness Month, but cyber security is a year-round need: cyber threats and data breach threats are continuously evolving, and your employees and customers expect you to keep their private data secure. That means keeping sensitive data out of the hands of unauthorized users and keeping your cyber security measures up to date.
What is cyber security?
Cyber security helps companies of all sizes maintain the privacy of electronic data. Even small companies need cyber security. The erosion of trust between a business and its clients, customers, patients, employees or partners is detrimental. A small business may even have more to lose during a breach – a small customer base leaves little room for lost loyalty and a sudden downturn.
No matter the size of your organization, each and every person, from employees to executives to contractors, needs to be mindful of cyber security. It’s a team effort, and you don’t want any weak links. With that in mind, here are 10 steps that can act as a starting point in beefing up your data protection and help protect your company from cyber threats:
- Use up-to-date firewall, anti-spam and anti-virus software. Criminals can easily take advantage of an unsecured system and commit a one-time data breach or ongoing data theft. Cyber security software is often your first line of defense. Configure systems and software to check for updates regularly and install them automatically.
- Establish corporate policies for handling and storing sensitive data. This applies both to internal employees and outside vendors that may store or manage data for you. Remember that not every employee in your organization requires access to sensitive data, so enact data access controls. Never collect customer information you don’t need or store data for longer than you need it. The less data you keep, the less you have to lose in a business data breach.
- Establish guidelines for computer use. Employees should avoid using company computers and mobile devices for personal or family use, which could increase chances of inadvertently sending out sensitive data. This also works in reverse: Companies should be wary of employees bringing their own devices (BYOD) and using them to download and work on business data – this includes everything from tablets and laptops to thumb drives.
- Incorporate a mobile device policy. Set up a protocol for employees to follow when it comes to accessing and storing sensitive data on a mobile device. You may want to ensure that employees can only view data through proper authentication rather than downloading and saving it to a mobile device. Enable access codes, encryption and remote wipe software on all devices, and keep a log of all issued and approved devices.
- Stay on top of software patches. Install operating system and software updates so that attackers cannot take advantage of known vulnerabilities. Ensure the updates take place across the board, on every system your business is using, for consistent computer security.
- Use passwords. Take advantage of the built-in password capability for laptops, desktops and mobile devices. Don’t allow employees to store passwords on their devices and instruct them to use a mix of symbols, numbers and uppercase and lowercase letters to create a strong password. Also set passwords to expire every three months so employees are continually updating their personal security measures.
- Encrypt sensitive files. By encrypting files, you can help to ensure that unauthorized people can’t view sensitive data even if they do access it. You may also want to consider options for full disk encryption, which prevents a thief from starting a laptop without an access code or password.[4] Encryption is especially important for “data on the move,” i.e. data that is being sent electronically, whether it’s to the cloud or to a client, that could be intercepted.
- Dispose of sensitive files and old devices properly. Simply deleting an electronic file does not completely erase it; it only tells the operating system to mark that space on the hard drive as free for reuse. The implication for data security is that if you erase a hard drive and then donate or recycle it, someone may still be able to retrieve the sensitive files you thought were long gone. The only way to guarantee data cannot be retrieved is to physically destroy a hard drive that’s no longer in use. Companies that manage sensitive data need to be particularly cautious when upgrading to new computers and recycling old ones. Remember that copy machines, mobile devices and other office equipment also contain storage that needs to be addressed.
- Educate employees on social engineering attacks. Social engineering attackers manipulate people into voluntarily giving out sensitive information by posing as someone from within the company or as a vendor. One form is phishing: bogus emails whose links or attachments carry malware. Train employees to think twice before sending out sensitive data and to question any request that seems out of place.
- Back up your files. Store backup data in a separate location from your main servers – this may be both offline and offsite. Not only will you still be able to access the information in the event of data theft, you'll also have a better idea of what data was stolen and who among your customers, clients, partners and employees might be at risk. If you use cloud storage, be sure your data is encrypted and the proper access controls are in place.
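The “Encrypt sensitive files” step above says encrypted data stays unreadable even if an unauthorized person gets hold of the file. The following Go program is an added example, not code from the original article or its publisher, that shows what that looks like in practice: it encrypts a file with AES-256-GCM (an authenticated mode, so a file that has been altered or renamed is refused rather than silently decrypted to garbage), using only the Go standard library. The file names, the `customers.csv` sample record and the helper names (`NewKey`, `Seal`, `Open`, `EncryptFile`, `DecryptFile`) are this example’s own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey returns a fresh random 256-bit AES key. In a real deployment the
// key lives in a key manager or hardware module, never beside the files it
// protects; a key stored next to the ciphertext protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. A random nonce is prepended to
// the output; aad (here the file name) is authenticated but not encrypted,
// so a ciphertext copied to a different name will fail to open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or aad, or
// the use of a different key, makes the GCM tag check fail.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed data too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptFile writes an encrypted copy of src to dst with owner-only
// permissions, binding the ciphertext to dst's base name.
func EncryptFile(key []byte, src, dst string) error {
	plaintext, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	sealed, err := Seal(key, plaintext, []byte(filepath.Base(dst)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, sealed, 0o600)
}

// DecryptFile reverses EncryptFile; it fails if the encrypted file was
// modified or renamed since it was written.
func DecryptFile(key []byte, src, dst string) error {
	sealed, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	plaintext, err := Open(key, sealed, []byte(filepath.Base(src)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, plaintext, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "encdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	src := filepath.Join(dir, "customers.csv")
	// Constructed sample record for the demo, not real customer data.
	if err := os.WriteFile(src, []byte("id,name\n1,Ada\n"), 0o600); err != nil {
		panic(err)
	}
	enc := src + ".enc"
	if err := EncryptFile(key, src, enc); err != nil {
		panic(err)
	}
	if err := DecryptFile(key, enc, filepath.Join(dir, "restored.csv")); err != nil {
		panic(err)
	}
	fmt.Println("encrypted and restored with integrity check:", enc)
}
```

Two design points matter more than the cipher choice. First, the encryption is authenticated: a thief who can read the file learns nothing, and an attacker who can write to it cannot make a tampered copy decrypt cleanly, which is what makes encrypted backups and “data on the move” trustworthy on arrival. Second, the key is generated separately and never written next to the data; file encryption only moves the problem to key storage, so the key needs the access controls the article recommends for sensitive data itself.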
As you can see, cyber security is a big responsibility, and, unfortunately, it’s never foolproof. But when it comes to protecting your data from hackers, accidental loss or ill-intentioned employees, every effort is worth your while.
With hackers now using automated cyber attacks, no business is completely safe from data loss, making a data breach response plan just as important as cyber security. Know how to respond to a breach so you’re not caught off guard when one occurs.
[1] 2011 Cost of a Data Breach Study, Ponemon Institute
[2] 2011 Cost of a Data Breach Study, Ponemon Institute
[3] SecurityCoverage, 2012
[4] US-CERT Cyber Security Tip ST06-008