Don't Be a Target: How to Avoid a Data Breach
By Jill Krasny, Inc.
The Target hack that compromised about 40 million credit and debit cards swiped over Thanksgiving weekend is practically all anyone can talk about right now. How could such a juggernaut be vulnerable to hackers?
On Thursday, the Minneapolis company said customers who swiped their cards at its retail stores between November 27 and December 15 may have been exposed to criminals. The chain said it immediately reported the breach and partnered with a forensics firm to look into the issue. But besides directing customers to a hotline where they can report fraud, it felt like the company wasn't doing much to minimize the damage.
Of course, Target isn't the first big company to fall prey to hackers. Last January, for example, Zappos experienced its own data breach, in which customers' passwords and credit card numbers were exposed, and in April 2011, Sony's PlayStation Network was hacked.
Whether you're a giant chain with millions of card-swiping customers or a mom-and-pop shop trying to protect your back-end operations, here are some tips for avoiding a similar PR nightmare, written by senior vice president Brian Lapidus and published on the website of Kroll, a risk management firm (reproduced below).
Get a game plan.
Above all, you want a comprehensive preparedness plan so your business can continue to operate if a breach occurs. All your managers should know the plan, and roles should be set regarding who reviews the plan's policies and procedures.
Hire the pros.
Only third-party security professionals can offer a neutral, objective assessment of your level of risk and what's at stake, writes Lapidus.
Be mindful of what information you take.
If you don't need the information, don't take it, Lapidus writes. The idea is to streamline your data storage systems and to purge the data once the need for it has expired. By the same token, only grant employees access to sensitive data on an "as needed" basis, and keep records of who has access.
Watch your back.
Like a lot of crimes, security breaches often come from within. In some cases, the employee may be well-meaning but misguided. In others, he or she may be after your money. To combat these issues, offer better employee security training, evaluate the way people log in remotely, and scrutinize the access former employees have to company data. On- and off-site data storage practices may also be worth looking into. To test your vulnerability, you may try simulating attacks using security awareness software.
Data Breach Prevention Tips from Kroll Cyber Security
Protecting Against a Breach: Basic Guidelines and Best Practices to Safeguard Data
When it comes to data breaches, the risk for organizations is high, from the easily calculable costs of notification and business loss to the less tangible effects on a company's brand and customer loyalty. Consider the numbers: Total breach costs have grown every year since 2006, and in 2010, data breaches cost companies an average of $214 per compromised record, up $10 (5 percent) from last year, according to the 2010 Ponemon study.
The upside for companies nationwide is that they can minimize their risk. To avoid what sometimes amounts to operational paralysis, organizational leaders need to follow some basic guidelines.
Data security expert Brian Lapidus, chief operating officer of the Cyber Security & Information Assurance practice of Kroll, has unique frontline experience helping today's businesses safeguard against and respond to data breaches. Below, he offers some important advice that every institution should know about protecting themselves and their customers from the damages of fraud.
- Look beyond IT security when assessing your company's data breach risks. To eliminate threats throughout the organization, security must reach beyond the IT department. A company must evaluate employee exit strategies (HR), remote project protocol, on- and off-site data storage practices, and more—then establish and enforce new policies and procedures and physical safeguards appropriate to the findings.
- Establish a comprehensive breach preparedness plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Your efforts will demonstrate to consumers and regulators that your organization has taken anticipatory steps to address data security threats. Disseminate this plan throughout the management structure to ensure everyone knows what to do in the event of a breach. In preparation, consider the following:
  - Who will have a role in reviewing the policies and procedures on a predictable timetable?
  - What are the physical security elements? When and how will they be tested?
- Educate employees about appropriate handling and protection of sensitive data. The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules.
- Thieves can't steal what you don't have. Data minimization is a powerful element of preparedness. The rules are disarmingly simple:
  - Don't collect information that you don't need.
  - Reduce the number of places where you retain the data.
  - Grant employees access to sensitive data on an "as needed" basis, and keep current records of who has access to the data while it is in your company's possession.
  - Purge the data responsibly once the need for it has expired.
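The four data-minimization rules above map directly onto code. The following is an added example, not code from Kroll or from the article: a small Python module in which a store only keeps the fields a documented purpose allows, purges records once their retention period ends, and an access register issues time-limited need-to-know grants and records every grant, revocation and read in an audit trail. The purpose name, field allow-list, 90-day retention period and the sample order record are all constructed for the demonstration.

```python
"""Data minimization and need-to-know access, as an illustrative module (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time used by the demo below.
NOW = datetime(2013, 12, 20, tzinfo=timezone.utc)


@dataclass
class Record:
    record_id: str
    purpose: str          # the documented reason this data was collected
    collected_at: datetime
    data: dict


class MinimalStore:
    """Keeps only the fields a purpose needs, for only as long as it needs them."""

    def __init__(self, allowed_fields: dict[str, set[str]], retention: dict[str, timedelta]):
        self.allowed_fields = allowed_fields   # purpose -> fields we are allowed to hold
        self.retention = retention             # purpose -> how long the need lasts
        self.records: dict[str, Record] = {}

    def collect(self, record_id: str, purpose: str, data: dict, now: datetime) -> Record:
        if purpose not in self.allowed_fields:
            raise ValueError(f"no documented purpose for collecting data: {purpose}")
        # Rule 1: don't collect information you don't need. Anything outside the
        # allow-list (e.g. a card number or CVV sent along with an order) is dropped here.
        kept = {k: v for k, v in data.items() if k in self.allowed_fields[purpose]}
        rec = Record(record_id, purpose, now, kept)
        self.records[record_id] = rec
        return rec

    def purge_expired(self, now: datetime) -> list[str]:
        # Rule 4: purge the data once the need for it has expired.
        expired = [rid for rid, r in self.records.items()
                   if now - r.collected_at >= self.retention[r.purpose]]
        for rid in expired:
            del self.records[rid]
        return expired


@dataclass
class Grant:
    user: str
    purpose: str
    granted_by: str
    expires_at: datetime


class AccessRegister:
    """Rule 3: 'as needed' grants plus a current record of who can reach which data."""

    def __init__(self, store: MinimalStore):
        self.store = store
        self.grants: dict[tuple[str, str], Grant] = {}
        self.audit: list[dict] = []   # every grant, revoke and read attempt lands here

    def grant(self, user: str, purpose: str, granted_by: str, now: datetime,
              ttl: timedelta = timedelta(days=30)) -> None:
        # Grants expire by default so stale access (e.g. a departed employee) lapses on its own.
        self.grants[(user, purpose)] = Grant(user, purpose, granted_by, now + ttl)
        self.audit.append({"at": now, "event": "grant", "user": user,
                           "purpose": purpose, "by": granted_by})

    def revoke(self, user: str, purpose: str, revoked_by: str, now: datetime) -> None:
        if self.grants.pop((user, purpose), None) is not None:
            self.audit.append({"at": now, "event": "revoke", "user": user,
                               "purpose": purpose, "by": revoked_by})

    def holders(self, purpose: str, now: datetime) -> list[str]:
        """Who currently has access: the 'keep current records' half of rule 3."""
        return sorted(g.user for g in self.grants.values()
                      if g.purpose == purpose and g.expires_at > now)

    def read(self, user: str, record_id: str, now: datetime) -> dict:
        rec = self.store.records.get(record_id)
        if rec is None:
            raise KeyError(record_id)
        g = self.grants.get((user, rec.purpose))
        allowed = g is not None and g.expires_at > now
        # Denied attempts are logged too; they are the interesting ones for an investigator.
        self.audit.append({"at": now, "event": "read", "user": user,
                           "record": record_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} has no current need-to-know grant for {rec.purpose}")
        return dict(rec.data)


def demo() -> list[str]:
    """Walks one constructed order through collect, grant, read, revoke and purge."""
    store = MinimalStore({"order_fulfilment": {"name", "shipping_address", "order_total"}},
                         {"order_fulfilment": timedelta(days=90)})
    store.collect("ord-1", "order_fulfilment",
                  {"name": "A. Customer", "shipping_address": "1 Main St", "order_total": 42.0,
                   "card_number": "4111111111111111", "cvv": "123"}, NOW)  # card data is dropped
    reg = AccessRegister(store)
    reg.grant("alice", "order_fulfilment", "security-lead", NOW)
    reg.read("alice", "ord-1", NOW)
    reg.revoke("alice", "order_fulfilment", "security-lead", NOW + timedelta(days=1))
    store.purge_expired(NOW + timedelta(days=90))
    return [e["event"] for e in reg.audit]


if __name__ == "__main__":
    print(demo())
```

The store's allow-list is the enforcement point for "don't collect what you don't need": a caller cannot accidentally persist a card number under the fulfilment purpose because the field is simply discarded. The audit list is what lets you answer "who had access to this data, and when" after an incident without reconstructing it from memory.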
- Conduct a periodic risk assessment. Business models and operations change and might alter risk levels and liabilities. Determining if you've acquired new areas or levels of risk can be accomplished through both internal audit and specialized external resources.
- Provide training and technical support to mobile workers. Ensure that the same standards for data security are applied regardless of location, by providing mobile workers with straightforward policies and procedures, ensuring security and authentication software is installed on mobile devices and kept up-to-date, and providing adequate training and technical support for mobile workers.
- Retain a third-party corporate breach and data security expert to analyze the level of risk and exposure. An evaluation performed by an objective, neutral party leads to a clear and credible picture of what's at stake, without pressuring staff who might otherwise worry that their budgets or careers are in jeopardy if a flaw is revealed.
- Don't rely on encryption as your only method of defense. Encryption is a security best practice, but, when used alone, it can give businesses a false sense of security. Although the majority of state statutes require notification only if a breach compromises unencrypted personal information, professionals can and do break encryption codes.
- Keep current with security software updates (or patches). An unpatched system is, by definition, operating with a weak spot just waiting to be exploited by hackers. Admittedly, applying patches takes time and resources, so senior management must provide guidance on allocations and expectations.
- Hold vendors and partners to the same standards. It's important to define your security requirements upfront with vendors—third-party service providers may be required to maintain appropriate security measures in compliance with certain state and federal regulations. Ensure that your organization maintains control of data at all times, especially with offshore data storage or services.