IT Security

If a data breach occurs, what’s the important first step?

Digital Guardian, a vendor of information technology security solutions, recently invited me, as well as 29 other IT Security practitioners, to comment on a security topic (made all the more relevant by the recent media coverage of several significant data security issues). The topic was: “What’s the most important next step you should take following a data breach?”

Here’s what I wrote.

Following a data breach, there are really only two options:

You either implement your data breach response plan, or you resign, because if you don’t have a predefined plan you are doomed.

Implementing a data breach response plan can be a significant (and expensive) undertaking. It’s complex; it is absolutely not something that can be done by the seat of your pants.

What does a data breach response plan look like? Actually, to call it a plan is probably a misnomer; it’s really more of a template that allows you to quickly develop a customized response plan that is based on the specifics of the actual breach. The key to crafting this plan is to have a cross-functional team defined and ready to spring into action at a moment’s notice. In addition to a team lead, it should include representatives from the organization’s executive, IT, Legal, Risk, Privacy, PR/Marketing and Customer Service, as well as any third parties that may be required. And they need to be trained; to maximize their effectiveness they should have had the necessary education and training, and a number of dry runs through a series of different scenarios. (Don’t let the response to an actual breach be the first time that the plan has been executed.)

It’s important to remember that this is really an exercise in crisis management. Studies show that organizations can avoid longer term impact as long as the perception held by their customers (and shareholders) was that the issue was properly managed. Handle the crisis poorly and the recovery will likely take longer (or not happen at all).

One more thing to remember. The data breach response plan is a living document. As individuals change roles and as the organization evolves (mergers, acquisitions, divestitures etc.) the plan needs to change as well.

Care to see the other 29 opinions? There are many that I agree with completely (and to tell the truth, a few that I think are a bit offside). You can find them on the Digital Guardian blog.

When it comes to data security …

I was recently asked to participate in a group interview sponsored by Digital Guardian (a vendor of information technology security solutions) that centred on a simple question: “What’s the #1 biggest mistake companies make when it comes to securing sensitive data?”

One of the biggest challenges I had with this task is that it’s really difficult to narrow it down to a single mistake; unfortunately organizations make far too many mistakes (as the articles about data loss and breaches of privacy in the business pages of the newspapers can attest). But after pondering the question for a while I arrived at an answer that I really liked. Surprisingly, it’s not a technology issue.

When it comes to securing sensitive data the biggest mistake companies make is that they minimize or ignore the human dimension of security. There is a cultural aspect to security that must become part of the DNA of the organization; all too often they fail to make the essential investments to make it happen.

Organizations are willing to spend a lot of money developing the necessary standards, guidelines and procedures required by a comprehensive security program, and they are willing to spend even more on the technology required. Where organizations tend to drop the ball is the human element; staff needs to be acutely aware of the security policies, trained in the proper application of the policies and understand (and accept) their personal responsibilities and accountabilities. There needs to be a training regimen for both new and existing staff, as well as periodic refreshers. Security responsibilities should be built into their role descriptions and their personal objectives.

It’s also necessary that security be deployed in a manner that will allow staff to fulfill the responsibilities of their job while fully complying with the requirements of the program. The information security program cannot be a roadblock; its application must be proportional to the risks identified and it must support (and not inhibit) the ability of the organization (and its staff) to conduct its business.

And a second mistake: Organizations implement a security program and think they’re done. They’re not. Security programs need to continuously adapt in order to meet new threats and environmental changes. The security landscape is ever evolving, both on the side of threats and on the side of regulators; organizations need to ensure that their security programs change in response.

Care to see the other 33 opinions? You can find them on the Digital Guardian blog.
