Amid a flurry of high-profile attacks and the tightening of privacy regulations, organisations are increasingly seeking ways to minimise the risk of suffering a data breach.
Personal details of customers, credit card numbers and corporate financial records are all eagerly sought by cyber criminals. In an increasingly digital business environment, keeping such data safe has become a top priority.
An effective strategy – and one that is often overlooked by organisations – is to reduce the risk of loss by actively reducing the amount of data that is being held. While the declining cost of digital storage makes it tempting to retain everything, keeping only what is absolutely necessary can significantly lower the chance of a breach.
One example is the personally identifiable data many organisations require to establish the true identity of a new customer. This could be anything from the scan of a passport to driver licence details or birth certificates.
Once the customer’s identity has been confirmed and the new relationship is established, that sensitive data is no longer actually required. Deleting it from storage means that it can’t be stolen and in turn reduces the ongoing risk for the customer.
It makes sound business sense, therefore, to review all data stores and identify any items that are no longer required. This, in turn, means that security resources can be focused on the task of defending necessary business data.
Preparing for a breach
It’s widely agreed in the IT security industry that it’s a case of ‘when’ and not ‘if’ an organisation will suffer data loss. This could come in the form of a sophisticated intrusion or be as simple as an unencrypted laptop being left in the back of a taxi.
For this reason, thorough and detailed planning is key. While the risk can be reduced by deleting unnecessary data, steps should also be taken to ensure an organisation is prepared should a breach occur. Key steps to take include:
- Create an incident response plan: Effective preparation should begin with a thorough plan. The Office of the Australian Information Commissioner offers guidelines on what should be covered and recommended steps to ensure it is as effective as possible. It should be noted that this is not a one-size-fits-all exercise, and time should be invested to ensure the plan matches the specific needs and requirements of the organisation.
- Appoint a team: With a comprehensive plan in place, the next step is to identify relevant staff who would carry it out should the need arise. This team should comprise people from a range of different areas including IT, customer relations, public relations, legal and senior management. Ensuring each person is aware of their responsibilities means they will be able to respond quickly and effectively in the event of an incident.
- Test the plan: Effective planning is not a set-and-forget exercise. At least annually, the plan should be examined to determine whether it still meets the requirements of the organisation. A mock breach could be staged to determine how the team responds.
After a breach
While having a thorough and tested plan in place will help to mitigate the impact of a breach, there are other steps that also need to be followed in the wake of a data loss incident.
One of the most important of these is communication with customers and the rebuilding of trust. If customers can see that an organisation has responded quickly and effectively to an incident, they are much more likely to maintain their relationship. If, on the other hand, they find themselves left in the dark, chances are they will move to a competitor.
Also, once the dust has settled following a breach, careful analysis should be made of exactly how it occurred. Was there a lapse in the security measures that are in place? Is there a need for more staff training? Should data be stored in a different way or in a different location?
By following these steps, an organisation can ensure it has not only reduced the likelihood of a data breach but also put in place the mechanisms that will be needed should one occur. Thorough preparation now will prove invaluable in the future.
About the author
Barry Brailey was appointed Principal Virtual Security Officer for Aura Information Security in mid-2017 and has more than 15 years’ experience in cyber security. His previous roles have included Head of Consultancy Services for the New Zealand National Cyber Security Centre as well as Operations Lead at the New Zealand Government’s Centre for Critical Infrastructure Protection. He is also currently Chair of the New Zealand Internet Task Force.