You're Never Too Big (or Small) for Your Breaches

Data breaches are reported nearly every day, and many are prominently featured as part of the 24-hour news cycle. Target, Uber, Neiman Marcus, and many more have dominated the media over the last few years because of breaches. Even breaches affecting a smaller number of people cannot escape coverage from local newspapers and online journalism. Even if your company is not as large or well-known as Target, it is still a "target" for hackers and cyber criminals (not to mention the well-meaning employee who accidentally sends the wrong email to the wrong person at the wrong time). The point is that every company, regardless of size or stature, should be prepared to respond to a data breach: it is not a question of IF you will suffer a breach, but WHEN.

And consumers are holding companies accountable when they fail to effectively prepare for breaches. Earlier this month, IT security specialist Centrify released a study finding 66% of U.S. consumers are at least somewhat likely to stop doing business with a company that has suffered a breach. In the United Kingdom, 75% of consumers said they are somewhat likely to stop doing business after a hack. The survey also confirmed that most adults accept breaches as inevitable (not a matter of "if," but "when"). Indeed, the majority of people hold corporations accountable for securing customer data.

If breaches are inevitable, then what can companies do to maintain the confidence of their consumers when so many are likely to take their business elsewhere? Here are just a few things you and your company can do.

1. Understand the Data You Have

Companies of all shapes and sizes keep data. Personnel records, consumer information, personal health information, login credentials, trade secret documents, and marketing/analytic research are all attractive targets for cyber criminals. But not all data is created equal. Your company's Twitter password is not as sensitive as a patient's medical record. Therefore, companies should classify the data they keep: Is it high, medium, or low risk data? Is it confidential, public, or proprietary information? Once you know how best to classify your data, you can allocate resources to protect that data accordingly.

Classifying the data you keep is an important first step, but you cannot safeguard what you cannot locate. Businesses should map the digital and physical locations where information is stored and where information flows. What data is located in technical locations like databases, servers, and systems? Do you keep hard copies of information in an office or off-site? A file cabinet or a locked safe? How does that data flow? Is data shared internally from one room to another, or is it shared from internal locations to external locations and third parties?

Once you understand the data you have and where it is located, you can begin investing in technical, physical, and administrative safeguards efficiently to maximize security and minimize costs.
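The classification and mapping exercise above is easier to keep honest when the inventory lives in a structured form rather than in someone's head. The following is an added example, not code from the original post or from any vendor it mentions: a small Python data inventory that records each data set's risk level, classification, storage locations and flows, flags the records that call for attention first (high-risk data shared with third parties, non-public data kept on paper, contradictory labels), and orders the inventory by a simple exposure score so safeguard spending can follow it. All asset names, locations, flows and the scoring weights are constructed assumptions for illustration.

```python
"""Added example: a minimal data inventory with classification, location and
flow records, plus a review that prioritises what to safeguard first.
Asset names, locations, flows and weights are constructed, not real data."""

from __future__ import annotations

from dataclasses import dataclass, field

# Risk labels from the post (high / medium / low) mapped to weights.
# The weights are an assumption for this example, not an industry standard.
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}
CATEGORIES = {"confidential", "proprietary", "public"}
FLOW_KINDS = {"internal", "external"}


@dataclass
class DataAsset:
    name: str
    risk: str                    # "high", "medium" or "low"
    category: str                # "confidential", "proprietary" or "public"
    locations: list[str]         # "db:", "share:", "vault:" or "paper:" prefixes
    flows: list[tuple[str, str]] = field(default_factory=list)  # (destination, kind)


def validate(asset: DataAsset) -> None:
    """Reject records whose labels fall outside the agreed vocabulary."""
    if asset.risk not in RISK_LEVELS:
        raise ValueError(f"{asset.name}: unknown risk level {asset.risk!r}")
    if asset.category not in CATEGORIES:
        raise ValueError(f"{asset.name}: unknown category {asset.category!r}")
    for dest, kind in asset.flows:
        if kind not in FLOW_KINDS:
            raise ValueError(f"{asset.name}: flow to {dest} has unknown kind {kind!r}")


def external_flows(asset: DataAsset) -> list[str]:
    """Destinations outside the company (third parties, vendors, agencies)."""
    return [dest for dest, kind in asset.flows if kind == "external"]


def paper_locations(asset: DataAsset) -> list[str]:
    """Physical copies, which need locks and cabinets rather than encryption."""
    return [loc for loc in asset.locations if loc.startswith("paper:")]


def priority(asset: DataAsset) -> int:
    """Exposure score: risk weight times the number of places the data can leak.
    External flows count double because a third party is outside your control."""
    exposure = len(asset.locations) + 2 * len(external_flows(asset))
    return RISK_LEVELS[asset.risk] * exposure


def review(inventory: list[DataAsset]) -> list[str]:
    """Findings a classification and mapping review should surface."""
    findings: list[str] = []
    for asset in inventory:
        validate(asset)
        if asset.risk == "high" and asset.category == "public":
            findings.append(f"{asset.name}: high-risk data labelled public; reclassify")
        if asset.risk == "high" and external_flows(asset):
            findings.append(
                f"{asset.name}: high-risk data shared externally with "
                f"{', '.join(external_flows(asset))}; confirm contracts and encryption"
            )
        if asset.risk != "low" and paper_locations(asset):
            findings.append(
                f"{asset.name}: hard copies at {', '.join(paper_locations(asset))}; "
                "keep them in a locked cabinet or safe"
            )
    return findings


def protection_order(inventory: list[DataAsset]) -> list[str]:
    """Asset names ordered from most to least exposed."""
    return [a.name for a in sorted(inventory, key=priority, reverse=True)]


# Constructed sample inventory for a small clinic-style business.
SAMPLE_INVENTORY = [
    DataAsset("patient_records", "high", "confidential",
              ["db:ehr-prod", "paper:records-room"],
              [("billing-vendor", "external"), ("hr", "internal")]),
    DataAsset("twitter_password", "low", "confidential", ["vault:marketing"]),
    DataAsset("product_roadmap", "medium", "proprietary",
              ["share:product", "paper:ceo-office"], [("board", "internal")]),
    DataAsset("marketing_survey", "low", "public", ["share:marketing"],
              [("agency", "external")]),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_INVENTORY):
        print("FINDING:", finding)
    print("Protect first:", protection_order(SAMPLE_INVENTORY))
```

Running the script lists the patient records twice (an external flow to the billing vendor and a paper copy in the records room), the product roadmap once (paper copy in the CEO's office), and nothing for the Twitter password or the public survey, which matches the post's point that a social media credential does not warrant the same investment as a medical record.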

2. Safeguard Your Data

Companies can safeguard data by using technical, physical, and administrative safeguards. Technical safeguards are usually the first things we think about when it comes to cybersecurity: encryption, antivirus software, intrusion detection systems, strong passwords and user identity management, and even biometric security. The Centrify survey found that simple passwords are typically still the only measures taken to secure data. But in the past two years, billions of usernames and passwords have been stolen. Relying on passwords alone is risky because passwords are simple for attackers to crack, especially since passwords are too often reused across apps, sites, and services. Therefore, companies should invest in multi-layer authentication and additional technical protections to thwart cyber criminals.

But technical safeguards are just one piece of the puzzle. Too often, physical safeguards are overlooked. But for individuals dedicated to breaching an organization, an onsite visit can be an easy way to gain access to valuable information. Physical security can take many different forms: locks and access control keys, surveillance equipment, and security staff. These safeguards can detect and deter possible intruders attempting to access information in person. If you have sensitive information in hard copy or some other physical form, make sure it is safely secured in a locked cabinet or safe.

Finally, your staff can serve as one of your strongest safeguards. Businesses should draft policies and procedures on how to handle data and information. Businesses should invest time to educate staff on these policies and procedures and assess the effectiveness of that training. Develop policies relating to security management processes, user authentication, data retention and destruction, mobile and wireless communication, and social media use. Train your employees on what to do if they spot an email that seems suspicious. Instruct your staff on how to report irregular activities both on their computers and in their workplace. Your employees can be a formidable first line of defense against data breaches; equip them with the knowledge and training they need to safeguard your data.

3. Prepare for WHEN You Are Breached, Not IF

As the Centrify survey found, we all understand that breaches are inevitable. Consumers will understand if a company is breached and is able to respond in a swift and responsible manner. But to have an effective breach response, companies must plan for the inevitable and practice that plan. Companies should devise an incident response plan that is carefully crafted to the needs and particularities of their business. Such a plan should also include having a team in place that can navigate the legal, PR, forensic, and operational issues that can (and will) come up.

Once your company has a plan, test it out! Hold tabletop exercises and practice how the staff would react upon learning that a security incident exists. See what works and what does not work, and then update your incident response plan accordingly. Consumers expect breaches to happen. But consumers also expect that businesses will be prepared for when a breach does occur. Having a carefully thought-out and well-executed plan will help your business maintain the trust of its consumers even during the stress of a cyber incident or data breach.

Data governance can feel overwhelming. Last year, the U.S. Department of Justice released fifteen pages of guidelines outlining best practices for victims and potential victims of data breaches. All in all, those fifteen pages can be summed up in three main points: (1) plan thoroughly, (2) respond swiftly and responsibly, and (3) retain experienced legal counsel to assist in your data governance efforts before, during, and after a breach. The key is to be proactive instead of reactive. Whether you are a massive global business empire or a smaller mom-and-pop store, you are never too big, or too small, for your breaches.

About The Author

Zach Heck