7 Questions Every Company Should Ask to Avoid the Nightmare of a Data Breach
20 Feb
According to a recent article in TechCrunch, 2023 was yet another year for data breaches, much like last year and the year before that. Over the past 12 months, hackers ramped up their exploitation of bugs in popular file-transfer tools, ransomware gangs adopted aggressive new tactics and attackers continued to target under-resourced organizations, such as hospitals, to exfiltrate highly sensitive data, like patients’ healthcare information and insurance details.
We all know that mailing and outsourcing clients increasingly require costly external audits and adherence to strict standards such as NIST 800-53 and HITRUST™ to protect personally identifiable information (PII) and protected health information (PHI), but those standards are only the starting point. In fact, they are little more than checklists if there isn’t a serious companywide effort to infuse into your organization the importance of 24/7 monitoring of all data, networks and internal processes.
This infusion starts at the top and flows down to every aspect of your business. The security of your data needs to be a priority, making it important to implement the proper protections, whether internally or by partnering with a third-party provider.
Here are 7 questions every company should ask and answer to avoid the nightmare of a breach:
- Is your IT staff getting enough notifications?
Most incidents happen without your organization knowing it. Avoiding complacency requires security awareness. Find out what trips your security monitors and test these conditions regularly.
- Do you have a server dedicated to logging events?
Every file you receive, every connection to your server, every touch of an application, every update—log them all. Ensure your vendors and their software are configured for proper logging. And make sure someone is looking at the logs by consolidating them onto one server.
- Does every computer user know what to do if an incident occurs?
A user may have clicked a link in a phishing email, or someone may have tried to penetrate your network security. Your first actions must be to isolate and limit the problem: unplug the systems in question, take them offline and block their network access. If a client experiences a breach, block them so their problem doesn’t become yours.
- Have you reviewed your severity categorization rules recently?
Severity categories must be reviewed frequently as the nature of data breaches is always changing. Trojans, malware, ransomware and viruses that spread are always considered critical, but what about thumb drives, wireless access points and text messages? If you have installed new software, review your severity rules—and set up logging to enforce them.
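The three points above (know what trips your monitors and test it regularly, consolidate every source's logs onto one server, and encode your severity categories as rules that logging enforces) fit together in one small pipeline. The script below is an added illustration written for this page, not DATAMATX code or any product's logic. It merges constructed log lines from three hypothetical hosts into one timeline, tags each event with a severity from a rule table that mirrors the categories the text names (spreading malware is critical; removable media, rogue access points and clicked phishing links are lower but still alert-worthy), and includes a self-test that fires known-bad sample messages through the rules so a rule that silently stops matching is caught. All host names, addresses and rule names are invented.

```python
"""Toy central log collector with severity categorization rules (illustration only)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines from three hypothetical sources; not real records.
SAMPLE_LOGS = {
    "fileserver": [
        "2024-02-20T08:01:12Z sftp accepted publickey for vendor-a from 203.0.113.7",
        "2024-02-20T08:01:13Z sftp received file invoices_0220.zip size=48213",
        "2024-02-20T09:17:40Z av detected Trojan.GenericKD in /incoming/statement.exe action=quarantine",
    ],
    "workstation-14": [
        "2024-02-20T08:30:02Z usb new mass storage device attached vid=0781 pid=5583",
        "2024-02-20T10:05:55Z mail user clicked link host=login-payroll-update.example",
    ],
    "netgw": [
        "2024-02-20T11:45:00Z wifi rogue access point detected ssid=CorpGuest2",
        "2024-02-20T11:46:10Z fw connection allowed src=10.0.4.22 dst=10.0.9.5 port=443",
    ],
}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    severity: str


# Severity rules: the categories the article names, expressed as patterns.
# Rule names are hypothetical. Order matters: the first match wins.
RULES = [
    Rule("malware-detected", re.compile(r"\b(trojan|ransomware|malware|virus)\b", re.I), "critical"),
    Rule("rogue-wireless", re.compile(r"rogue access point", re.I), "high"),
    Rule("removable-media", re.compile(r"usb new mass storage device", re.I), "medium"),
    Rule("phish-click", re.compile(r"user clicked link", re.I), "medium"),
]


@dataclass
class Event:
    source: str
    timestamp: str
    message: str
    severity: str
    rule: Optional[str]


def categorize(message: str):
    """Return (severity, rule_name) for a message; unmatched lines are plain 'info'."""
    for rule in RULES:
        if rule.pattern.search(message):
            return rule.severity, rule.name
    return "info", None


def consolidate(logs: dict) -> list:
    """Merge per-host logs into one central, time-ordered list tagged with source and severity."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            timestamp, _, message = line.partition(" ")
            severity, rule = categorize(message)
            events.append(Event(source, timestamp, message, severity, rule))
    events.sort(key=lambda e: e.timestamp)  # ISO-8601 strings sort chronologically
    return events


def alerts(events: list, minimum: str = "medium") -> list:
    """Events at or above the given severity: the subset someone must actually look at."""
    floor = SEVERITY_ORDER.index(minimum)
    return [e for e in events if SEVERITY_ORDER.index(e.severity) >= floor]


def severity_counts(events: list) -> Counter:
    return Counter(e.severity for e in events)


# Constructed known-bad messages with the severity each must produce. Running this on a
# schedule is the "test these conditions regularly" step: a rule that stops matching shows up here.
RULE_EXPECTATIONS = [
    ("av detected Ransomware.Generic in /tmp/x action=quarantine", "critical"),
    ("wifi rogue access point detected ssid=Free-WiFi", "high"),
    ("usb new mass storage device attached vid=0000 pid=0000", "medium"),
    ("mail user clicked link host=example.invalid", "medium"),
    ("fw connection allowed src=10.0.0.1 dst=10.0.0.2 port=22", "info"),
]


def rule_self_test(expectations=RULE_EXPECTATIONS) -> list:
    """Return a list of (message, expected, actual) for every rule that no longer trips as expected."""
    failures = []
    for message, expected in expectations:
        actual, _ = categorize(message)
        if actual != expected:
            failures.append((message, expected, actual))
    return failures


if __name__ == "__main__":
    timeline = consolidate(SAMPLE_LOGS)
    print(dict(severity_counts(timeline)))
    for e in alerts(timeline):
        print(f"{e.timestamp} [{e.severity:8}] {e.source}: {e.message}  ({e.rule})")
    print("rule self-test failures:", rule_self_test())
```

In a real deployment the three dictionaries would be replaced by syslog or agent feeds into the dedicated log server, and the rule table would live in version control so that a change to severity categories (the review the text calls for after installing new software) is itself logged. The self-test belongs beside the rules for the same reason: a monitor that never fires is indistinguishable from one that is broken until you deliberately exercise it.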
- Do you know who to contact if the breach is credit card-related (PCI-DSS) or healthcare-related (HIPAA)?
After a breach occurs is not the time to assemble this information. Have it ready and, most importantly, available outside your regular IT/ERP systems. When an incident occurs, assume you won’t have access to your internal systems.
- Do you know the penalties for failing to notify required agencies or clients?
The federal HITECH law carries potential fines as high as $250,000 per incident for failure to meet notification standards. Your insurance carrier may deny your claim if you fail to report a breach according to their requirements. Always know the specific rules and regulations that apply to you and your clients, and revisit them frequently to stay current. Also very important: does your cyber insurance carrier have special instructions on whom to contact and when?
- Are you continually learning or just retraining?
If you haven’t invested in a phishing simulator for testing, this is a tool you shouldn’t ignore. Your security is only as strong as your weakest user reading a malicious email. Never stop testing and never stop learning. Incorporate any lessons learned into your incident response and risk mitigation plan.
Protecting data and ensuring compliance is more than a full-time job. Without fundamental controls, data can go unmonitored, leaving a company open to a multitude of risks that, with the proper planning and processes, can be averted.
At DATAMATX, we make security our number one priority and are happy to offer your business professional expertise on developing and maintaining optimal security fitness.