The past decade has seen some of the largest security breaches on record. From Yahoo's 2013 breach, which affected all three billion of its user accounts, to the Equifax breach that exposed the personal credit information of roughly 143 million people, it is clear that attackers are working hard to defeat the security controls organizations rely on.
Given the volume of data being collected and how personal that data has become, the responsibility for securing it falls on the companies that collect and use it. Doing so is not only the right thing and the business-savvy thing; it is increasingly a legal obligation. Failing to prevent a data breach, particularly one that results from negligence, is costing businesses around the world hundreds of millions in fines. In 2019, the UK Information Commissioner's Office announced its intention to fine British Airways roughly $230 million (£183 million) over a breach that exposed the data of about 500,000 customers (the penalty ultimately imposed in 2020 was reduced to £20 million, but the regulatory intent was unmistakable).
How do you prevent data breaches in a world where hackers are more determined than ever? While no method is ever 100% effective, you can better protect your data (and your customers’ privacy) by choosing to take a strategic approach to cybersecurity.
Customize Your Plan to Meet Your Strategic Needs
At a high level, cybersecurity can look much the same for every organization, regardless of industry. In practice, your cybersecurity plan is only as effective as the strategy behind it. Every security program needs a strategy that addresses the needs and threats specific to your organization, your industry, and your customers.
What does it mean to take a strategic approach to cybersecurity? Once you understand your basic industry and legal requirements, it’s important to begin by identifying your risk appetite. In other words, how much risk are you willing to take to pursue your goals? How far does your company’s financial position allow you to go in risk-taking? What are the threats facing your company?
Once you have a clear picture of your risk profile, you can develop a strategy that includes a framework and a timeline for your cybersecurity plan. Base decisions on data rather than on worst-case scenarios alone: collect and analyze current data about your own IT environment (assets, incidents, vulnerabilities, audit findings) and about threats seen in your industry, and let that evidence shape the controls you build.
Don’t forget to consider the human element of cybersecurity. Your cybersecurity infrastructure is only as strong as the knowledge held by your company’s leadership and those who interact with its systems.
Use an Internal Audit to Prepare
It’s not uncommon to find that organizations put together their customized plan and then leave the system to its own devices without ever testing its defenses. In reality, every aspect of your cybersecurity plan should be the subject of an internal audit. You could even go as far as saying (as both Deloitte and Knowledge Leader have) that the internal audit is any organization’s third line of defense against data breaches.
Internal audits provide reporting on both the existing and future risks for your organization and provide solutions for eliminating or mitigating them. Getting used to providing an internal audit for your processes is important. As privacy and data protection laws develop both within the U.S. and around the world, more regulators want to see the kind of documentation that only an internal audit provides.
When employing internal audits to manage your cybersecurity systems, remember that the internal audit process can be more proactive than it’s often believed to be. Use it to not only identify holes and risks but also look out for emerging risks and identify efficiencies. Deploying this kind of auditing ethos will not only better improve your processes but support employee engagement by giving the audit greater meaning than serving solely as a checklist.
Create a Data Breach Response Plan
You have a security program in place and you know it covers your needs, but do you know what you will do if a data breach occurs anyway? If you don't, you're not alone. In a 2019 survey carried out by the Ponemon Institute on behalf of IBM, 77% of respondents said they did not have an incident response plan that was applied consistently across their organization. (A 2018 Ponemon survey did find that 88% of companies said they at least had some form of response plan.)
What many companies fail to appreciate is that the ability to respond to a data breach matters almost as much as the controls meant to prevent one. Response time is critical both for limiting the damage done and for preserving your reputation with customers and regulators.
Each data breach response plan should include recovery objectives, a sequence for incident response, roles and responsibilities for team members, a communication plan, and escalation procedures. In short, the plan should walk you through every detail of the six phases of incident response described by the SANS Institute:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Don’t forget to include your incident response plan in your internal audit. Nothing should escape early and regular testing!
The renewed focus on cybersecurity may sound daunting for both your staff and your bottom line, but it doesn’t need to be. Remember that preventing a data breach is always less expensive than dealing with the aftermath of an event.