By: David Cole
Recent times have produced major headlines for data breaches. Yet, these headlines usually focus on major incidents like the Target and Neiman Marcus data breaches, which could lead to the mistaken perception that only large organizations are at risk. Well, if you think you're not at risk, guess again. Any organization with information about its customers, employees, or other individuals is exposed. Statistics show that small and medium businesses are increasingly being targeted. So, as we look forward to the future, here are three steps you can take now to reduce your data breach exposure.
1. Buy Cyber Insurance
Costs associated with a data breach can be quite large, but usually are not covered by traditional liability policies. So, many carriers now offer cyber insurance that is specifically designed for the risks of a data breach. Coverage may include reimbursement for first-party costs such as legal fees, forensic experts, notification letters, and business interruption. Other policies may cover third-party claims by individuals harmed by the breach.
According to the Ponemon Institute's recent Cost of Data Breach Study, these expenses cost U.S. organizations an average of $188 per compromised record last year. When you consider that the average breach involved 28,765 records, you can see why obtaining coverage for your organization is a wise move.
2. Establish a Culture of Data Security
In its 2013 Data Breach Investigations Report, Verizon reported that, despite the attention often given to the latest technologies, data breach statistics continue to be "dominated by well-known techniques, used against the same sort of assets, again and again." It thus cautioned businesses that "most breaches could still be easily prevented."
To lower your risk, set a goal to make data security a prioritized, "board room" issue this year. Do not relegate it to the IT department. Conduct a risk assessment: learn what data your organization has, how it is stored, how it can be accessed, and what you are doing to protect it. If you do not yet have data security policies that require firewalls, anti-virus, encryption, and strong passwords, then adopt them now.
Of course, policies are useless if not followed by your employees. According to a recent survey by The Financial Times, 93% of workers admit knowingly violating security policies designed to prevent data breaches. So, do not "set it and forget it" with your data security policies. Regularly communicate the risks of a data breach and how to prevent one. Teach your employees how to recognize phishing techniques that expose your organization to hackers, malware, and viruses. A little investment now will save you time and money later.
3. Create a Data Breach Response Plan
No security measures are perfect and most organizations will eventually experience a data breach. According to the Ponemon study, U.S. organizations that had a data breach response plan reduced their costs by approximately $42 per compromised record. Organizations that hired consultants like legal counsel and computer forensics experts lowered costs by another $13 per record.
Your plan should thus identify a Data Breach Response Team, including not just individuals within your organization, but your legal counsel, computer forensics expert, and other consultants. Map out the procedures to follow in the event of a breach and who will be responsible for which tasks. You do not want to be sorting through these issues on the fly after a breach occurs.
Working with legal counsel is especially important so that as much of the response as possible is protected by the attorney-client privilege. Bear in mind that your data breach counsel may not be your regular attorney, as it is important to work with someone who is experienced with the process, can help you navigate the myriad notification laws, and can help you guard against the potential of third-party claims down the road.