The recent Capital One data breach is another unfortunate example of why people need to adopt a "trust no one" mentality and take steps to protect themselves against these types of attacks. While she acted unlawfully, the hacker was able to gain access to users’ information by exploiting a misconfigured web application firewall – something that could have been prevented. As we reported in our most recent Cyber Incidence Breach Trends Report, 95% of breaches could have been prevented through simple and common-sense approaches to improving security.
This is a grave reminder that companies holding personal and sensitive data need to be extra vigilant about protection. As we can see, even a single security bug can affect millions of users. We cannot be complacent about data security. Fundamentally, data stewardship, privacy and incident readiness are everyone’s responsibility, and data management and privacy practices need continual review.
While damaging, the leading incidents, and how they were handled, have taught important lessons:
1. Responsibility for incident protection and readiness is organisation-wide.
2. Data is an organisation’s most valuable asset. Identify what you have, where it is, why and how you use it and the potential risks to your organisation and individuals should it be inappropriately accessed, held hostage, released or erased.
3. Only collect and retain data that has a business purpose for as long as it is needed. Criminals cannot steal or hold hostage data you don’t have, and such minimisation may be a regulatory requirement for your organisation.
4. The level of data security you apply must be commensurate with the data held. The security in place
5. Protection involves not only the specific incident (data loss, ransom paid), but also the costs of business interruption. This includes locked data, network and system interruption and connected device takeover.
6. Have a plan to reduce the impact of an attack. An incident plan needs to incorporate training to help prevent, detect, mitigate, respond and recover. Just like first responders, employees must be regularly trained, equipped and empowered to deal with a data loss or other cyber incident.
7. Security and privacy are not absolutes and must evolve. Organisations need to regularly review their procedures for the collection, storage, use, management and security of all data (along with reviewing changing technologies, best practices and regulations).
8. Security is beyond the organisation’s desktops, networks and walls. Cloud services, third-party processors and external business partners expand the attack landscape. Conduct a risk assessment prior to partnerships or service agreements and periodically re-assess.
9. Connected devices introduce new risk levels. Ongoing risk assessment of all IoT devices and the development and enforcement of an employee policy for connecting devices to the corporate network is critical since a single connected device can introduce threats network-wide.
10. Build trust through transparency. In the event of an incident, keep communication clear. Whether communicating with customers, board members or data protection authorities, keeping important stakeholders informed early with regular updates is a critical part of maintaining trust.