Updated: Feb 10, 2020
While working on implementing the Federal Acquisition Regulation Privacy Act requirements for one of our clients, we explored ways to mitigate the insider/employee threat when it comes to disclosure of sensitive information. “Sensitive information” is a broad term that covers information a company is obliged to protect, such as confidential and proprietary company data, personally identifiable and medical information, and various other categories of information requiring protection.
Here are the top 10 methods to secure sensitive data:
1. Properly define the information you intend to protect. Certain types of information, such as personally identifiable or medical information, have statutorily required protection schemes.
2. Review your information systems and data, and identify where sensitive information resides and how it can be protected.
3. Implement information technology tools that help protect the information from internal and external intrusion.
4. Have policies and procedures that clearly set out expectations and requirements for handling covered information.
5. Conduct regular awareness training, as part of an ongoing training and awareness program, for individuals handling your sensitive information, which includes the information of your company, your employees, your vendors, your customers, etc.
6. Use good business judgement when choosing with whom you share the information, and incorporate non-disclosure/confidentiality provisions into your standard documents, whether employment or contractual.
7. Establish and communicate breach response procedures to be followed in the event of a breach or a suspected breach.
8. Institute mechanisms to continuously monitor for data leakage and loss.
9. Look for continuous improvement opportunities.
10. Be proactive. Don’t wait.
In case you don’t think this applies to you, below are some interesting statistics:
More than 50% of U.S. businesses experienced a cyber attack in the past year.
According to the Netwrix 2018 Cloud Security Report, almost 58% of organizations that had security incidents in 2017 blamed them on insiders.
Kaspersky – The Human Factor in IT Security: Kaspersky Lab and B2B International studied over 5,000 businesses around the globe and found:
52% of businesses admit that employees are their biggest weakness in IT security.
Most worry about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
In 46% of cyber security incidents in the last year, careless or uninformed staff contributed to the attack.
Among the businesses that faced cyber security incidents in the past 12 months, 11% of the most serious types of incidents involved careless employees.
28% have lost highly sensitive or confidential customer or employee information as a result of irresponsible employees, while 25% have lost payment information.
Employee carelessness contributed directly to 48% of cyber security incidents, accounting for even more incidents than the theft of devices, which contributed to only about a third (37%) of incidents.
Poor Password Behavior is the #1 Thing Leveraged by Perpetrators: According to the Verizon DBIR, “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” That is by far the number one method used by perpetrators to breach companies, up 29% from 2016. The main problem is that regardless of the password policies set by companies, employees bring their poor password behavior with them from outside the office. Over 70% of employees are reusing passwords at work (the Dropbox breach, which consisted of over 60 million user credentials being stolen, was enabled by an employee reusing a password at work). This includes passwords that protect the accounts of highly sensitive company and customer information. Additionally, employees are sharing unprotected passwords with co-workers and storing passwords insecurely.
IBM and the Ponemon Institute teamed up to produce their 12th annual Cost of Data Breach Study this past summer. The results are staggering and they can help you make a case to executives:
Average cost of a data breach:
Globally: $3.62 million, up 17% since 2013
In the U.S. only: $7.35 million, up 25% since 2013
Average cost per record breached:
Globally: $141
In the U.S. only: $225
We’ve helped numerous companies better protect their bottom line through risk mitigation in this area. Take advantage of our experience and lessons learned: give us a call to find out how we can help you.