It is most every organization’s mission and legal (and ethical) responsibility to ensure its proprietary data and sensitive information are protected from internal/external threats – unauthorized copying, disclosure, or destruction. To that end, a sound Data Protection/Privacy program must be implemented to protect this most valuable company asset. Data security is “not an Information Technology issue.” Privacy Compliance (Legal) and IT Security traditionally have been separate functions. This is no longer the best practice to protect your data, as organizations need to both safeguard their network(s), while ensuring legal compliance.
Protecting your organization from internal/external cyber-security related threats is imperative for any business – small, medium, or large – for a host of reasons. Of utmost importance, is the realization that absent data security controls/policies, the results from a data breach could be devastating, both in the short- and long-term. Imagine you’re the CEO, getting a call from your CTO that your customers’ data is up for sale on a hacker’s website. Or you’re the PR point person explaining to the media how internal emails were made public. Or it’s discovered your intellectual property is now in the hands of an ex-employee, now working for a competitor. And it’s not only cyber-thieves you have to worry about; many data compromises are the result of an honest mistake. Human error is often attributed to accidental dissemination of sensitive data (e.g., mailing financial information to the wrong address, or confidential data is contained within a laptop your IT guy left at the airport).
According to a 2012 study performed by the National Cyber Security Alliance, 60% of small businesses are out of business within six months of a data breach. Norton (by Symantec) cited some alarming statistics in a recent article, “Take Steps to Protect Your Business,” noting, “Cyber-crime affects 378 million victims per year, with small business among the fastest-growing targets.”
Successful Privacy Compliance programs employ a multifaceted approach. This would include the deployment of company-wide Privacy policies, data security awareness training, conducting risk assessments, implementing controls that can be audited, and tools to detect data security gaps and intrusions.
Start-ups and small-to-medium sized businesses (SMBs) are often targeted by hackers, as they’re viewed as the “path of least resistance” or “low hanging fruit,” simply due to the fact that their emphasis is generally geared towards selling their new product and not cybersecurity. Yet, SMBs need to ensure compliance with Privacy laws, and secure their sensitive data (especially the company’s “crown jewels” of information).
Matti Kon, founder and CEO of InfoTech Solutions for Business, a New York technology company, notes that all organizations, including SMBs, need to take cybersecurity seriously. To protect your network from cyber-attack, while ensuring regulatory compliance, one efficient approach is to outsource your Privacy Compliance and Data Security needs to a reputable, certified IT vendor. Kon stated, “Most reputable IT security firms can handle the majority (if not all) your data protection requirements.” He further stated that, “It’s critical to perform your due diligence on the vendor that you eventually select.” Top quality vendors can work with your company to “protect your data by performing a risk and vulnerability assessment, implement processes and policies, manage the multitude of devices that access sensitive data, deploy encryption schemes, and conduct a penetration test to confirm you network is safe.” For purposes of business continuity, backing up your critical data/files is of utmost importance (especially if your location(s) experiences a major disruptive event or disaster). And lastly, having your network continuously monitored (e.g., intrusion detection) for threats is paramount.
Developing a relationship with an IT security vendor in advance is key. Having a business partner that is already familiar with your network configurations is vital and can be of enormous benefit, especially if your data has been breached. Immediately, they can conduct the investigation on what occurred and its scope (while preserving evidence), conform with all applicable Data Breach Response laws (i.e., required reporting to regulatory authorities), and of course, get your business back up and running.
Henry Enright is proficient in the area of Risk Management, performing multiple operational roles in Fraud Prevention/Detection, Business Continuity, and Legal and Corporate Security. He has a strong understanding of conducting risk assessments and gap analysis to identify revenue leakage, non-compliance with regulations, and exploitable flaws in products/services. Having worked in large corporate environments and small start-ups, he has attained success in helping companies test and launch new services, while minimizing their financial exposure. Enright has trained thousands of colleagues, law enforcement officers, and government officials on fraud and identity theft. A Certified Project Manager, he is a member of the International Association of Privacy Professionals, and is currently attaining his CIPP (Certified Information Privacy Professional). He can be contacted at: firstname.lastname@example.org or 201.960.0052.