The Privacy Rights Clearinghouse says there have been 4,500 breaches since 2005, with more than 816 million individual records breached. According to the Identity Theft Resource Center, over the past 11 years there have been 6,394 breaches, with a theft of 871,776,762 records – and these are only the ones that have been reported. As both organizations are mainly U.S. focused, those are very, very low estimates once you consider global breaches as well as unreported or even undiscovered breaches.
Two common saws in journalism are that if it bleeds, it leads and dog bites man isn’t news, but man bites dog is news. Unfortunately, data breaches are becoming as commonplace as dog bites man, so we’ve become inured to the bloodshed.
The best way to describe the current state of cybersecurity we all live in is as a sieve: we are trying to determine the best way to allocate resources so that we can at least plug the holes in the bottom now and deal with the holes on the side at a later date.
Here are some concrete steps you need to take to protect your organization.
- Take inventory. What security apparatus and systems do you already have in place? How are they protecting what you already have? Where are the holes? Where is the duplication? Can you better allocate your resources?
- Prioritize, prioritize, prioritize. Where can you apply security to get the biggest bang for your buck? How many databases do you have? Applications? Employees?
- Discover your data. You must know it’s there to protect it. Then, decide how to classify it. You also need to remember that data has a timeline. For example, the latest proprietary information needs to be highly secured, while information from six years ago can be put into your long-term storage system, secured of course, and kept for posterity.
- Know the rules and regulations. HIPAA, PCI DSS, and SOX should not only be initials. Work with your compliance and governance teams to learn exactly what systems need to be in place to protect your organization against costly fines. Asking forgiveness instead of permission here can become very costly.
- Initiate “graveyard” procedures. While your friendly neighborhood accountant ensures that some devices are kept long enough to “depreciate,” many organizations replace hardware pretty regularly. Ensure that someone within IT is responsible for removing or wiping the hard drives of each retired device, so that confidential customer data doesn’t end up accessible to the kids learning programming at the local community center.
- Get HR on board. I bet you weren’t expecting that one. Your HR team is in charge of training and education. Every single employee can become an active cybercrime fighter, but they need to know how to do it. Teach them how to recognize social engineering, how to avoid common scams like the “found thumb drive” trick, and why data protection is everyone’s job.
- Be prepared. You will be hacked, if you haven’t already been. Make sure you have contingency plans in place. Work with your risk management, legal, and communications/PR teams to determine the exact procedure should a breach happen. If you are an international company, this plan is going to be even more critical with the passage of the General Data Protection Regulation (GDPR).
- Do it. It’s all well and good to have a checklist of everything you should be doing, but if you don’t implement it, what’s the point? Which leads us to the final point:
- Get management’s buy-in. You cannot do it all yourself. You need resources, both budget and people.
Good luck. It isn’t easy, but it is possible. If anyone can do it, you can.