BreachExchange mailing list archives

Data Breach: No Company Immune
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Mar 2015 14:03:36 -0600

http://www.ethanolproducer.com/articles/12001/data-breach-no-company-immune

If your boss asked you to guarantee that your company would never suffer a
data breach, would you do it? That may be a little extreme, but what if he
simply wanted your assurance that every reasonable step had been taken to
prepare for, prevent, or respond to a breach? Could you give it? If you
answered no to the second question, you're not alone.
If any good has come from the high-profile data breaches over the past
year, it is that more companies are recognizing that no company and no
sector of the economy is immune from the threat of a compromise. The
prospect of class action litigation, regulatory action, harm to reputation
and significant financial losses are just a few consequences. But even with
the many reports of breaches, as well as the increasing and unpredictable
threats to data security, many companies have still not done enough to
prepare for, prevent, and respond to an incident.

Today, technology seems to be everywhere. From agriculture to energy to
retail to financial institutions and health care, technology influences how
we produce energy, grow food, work, communicate, and live our daily lives.
These technological advances may not only save time and improve
productivity, but many can help make us more secure or save our lives.

But what about the information that is gathered, analyzed, used, and stored
by all this technology? The same technology that can help a farmer produce
more or better crops, an energy company develop or market energy resources,
or a financial institution quickly manage corporate accounts could itself
be compromised in a data security incident, potentially jeopardizing the
security of sensitive, confidential, or proprietary information. For many
companies, this could not only damage their competitive edge, but open them
up to extensive legal liability or regulatory action. For their customers
or employees whose information may have been compromised, a breach can
bring long-term anxiety over identity theft or stolen funds and destroy
consumer confidence. Over the past year, a number of American businesses
and consumers have seen firsthand these and other results of significant
data breaches.

As companies have worked to respond and recover from such breaches, some
important lessons have been learned along the way. Regardless of the
sector of the economy in which a company operates, regardless of its size
or success, it could be at risk for a data security incident. It’s smart to
be proactive. Identify the threat landscape as it applies to your company’s
specific business model. Assess the risk. Ask basic questions about the
very information that could be subject to compromise. Who is collecting the
data? For what purpose? What specific information is being collected? Is
it business or personal? What is being done with the data? How will it be
used—for marketing, regulatory, or other government purposes? Who has
access to it? Will it be stored, and if so, for how long? Will it be
shared with the government or with third parties? Are there legitimate
privacy concerns that must be considered, and if so, what is the reasonable
response? Are there tangible measures that can and should be taken to
reduce the impact on privacy?

Why are these questions important? Because the answers will help you shape
and implement reasonable and responsible measures to reduce the risk and
effects of a compromise, long before such an incident occurs. Some of those
measures might include: identifying and setting appropriate limits on the
type of information collected; specifically assessing who should have
access to the information, and then defining that category; clarifying
under what conditions data may be shared more broadly; stating clearly how
long it will be retained, and developing a clear and effective incident
response plan. There should be effective policies and procedures in place
that guide and inform how a company acts to prevent or mitigate the risk of
a compromise.

As we have learned from recent data breaches, a proactive and responsible
approach by individual companies to think through risk and compliance
issues before a breach occurs will put a company on much better legal,
regulatory, and technical footing if a breach does, in fact, occur. This
not only benefits the company as it looks to rebuild its reputation, but
its customers, shareholders, and employees as well. And it means that when
your boss asks you how well-prepared your organization is, you can finally
give him that assurance he's looking for.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
