In addition to reducing the risk of lawsuits and investigations by the FTC and the Securities and Exchange Commission, a strong, proactive security posture can actually save organizations a substantial amount of money. While companies should assume that data breaches are a new fact of life, many breaches could have been prevented if the affected company had implemented simple security controls and best practices. The Ponemon Institute concluded that a variety of security measures could decrease the cost of a breach by $7 to $12 per record, a substantial sum when hundreds of thousands or millions of records are involved. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” said Marshall S. Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit.
To avoid the costs and rapidly expanding liability associated with data breaches and a company’s lack of oversight, organizations need to vigilantly protect themselves and their customers. Here are the key elements required to establish a strong security posture, reduce the risk of a breach and limit the damage and cost should a breach occur:
- A chief information security officer (CISO) — Having a senior-level executive responsible for establishing and maintaining an organization’s data security vision and strategy makes it easier to develop programs, get them approved and quickly adjust them as the threat environment evolves.
- Board-level involvement — When boards recognize that data breaches are a threat to shareholder value, they help create a security culture and ensure that reporting includes data security activities.
- Employee training — Employees who click on links in malicious email (phishing and spearphishing attacks) and get duped into revealing personal information (social engineering attacks) create the highest risk for organizations. Educating employees on these threats is critical to creating a strong security posture.
- A computer security incident response plan (CSIRP) and team — A CSIRP ensures that an organization has in place all the processes and procedures necessary to deal quickly and effectively with a breach. Having a dedicated CSIRP team ensures that the plan is kept up to date, the responsibilities under the plan are clear, and the required activities can be initiated immediately when necessary.
- Extensive use of encryption — Encrypted data is of no use to cybercriminals, and a breach involving encrypted data may have only a minimal impact on the organization.
- Business continuity management (BCM) — The BCM team should be involved in all incident response planning. In the event of a successful breach, the BCM team must understand the impact on the business and know what steps it needs to take, and when, to bring the business safely back online.
Heidi Maher is an attorney, an information governance specialist and the executive director of the Compliance, Governance and Oversight Counsel (CGOC).