While working on implementing the Federal Acquisition Regulation Privacy Act requirements for one of our clients, we explored ways to mitigate the insider/employee threat when it comes to disclosure of sensitive information. "Sensitive information" is a broad term that covers everything a company is obliged or motivated to protect: confidential and proprietary company data, personally identifiable and medical information, and various other categories of information that require protection.
Here are our Top 10 Methods to Secure Sensitive Data:
1. Properly define the information you intend to protect. Certain types of information, such as personally identifiable or medical information, have statutorily required protection schemes.
2. Review your information systems and data, identify where sensitive information resides, and determine how it can be protected.
3. Implement information technology tools (such as access controls, encryption and activity logging) that protect the information from both internal misuse and external intrusion.
4. Have policies and procedures that clearly set out expectations and requirements for handling covered information.
5. Conduct regular awareness training, as part of an ongoing program, for everyone who handles your sensitive information, which includes information belonging to your company, your employees, your vendors and your customers.
6. Use good business judgement when choosing with whom you share the information, and incorporate non-disclosure/confidentiality provisions into your standard employment and contractual documents.
7. Establish and communicate breach response procedures to be followed in the event of a breach or a suspected breach.
8. Institute mechanisms to continuously monitor for data leakage and loss.
9. Look for opportunities for continuous improvement.
10. Be proactive. Don't wait.
If you don't think this applies to you, consider the following statistics:
52% of businesses admit that employees are their biggest weakness in IT security.
Most worry about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%), and the use of inappropriate IT resources by employees (44%).
In 46% of cyber security incidents in the last year, careless or uninformed staff contributed to the attack.
Among the businesses that faced cyber security incidents in the past 12 months, 11% of the most serious types of incidents involved careless employees.
28% have lost highly sensitive or confidential customer or employee information as a result of irresponsible employees, while 25% have lost payment information.
Employee carelessness contributed directly to 48% of cyber security incidents, more than the theft of devices, which contributed to roughly a third (37%) of incidents.
Poor password behavior is the #1 thing leveraged by perpetrators. According to the Verizon DBIR, "81% of hacking-related breaches leveraged either stolen and/or weak passwords." That is by far the number one method used to breach companies, up 29% from 2016. The main problem is that, regardless of the password policies a company sets, employees bring their poor password habits with them from outside the office. Over 70% of employees reuse passwords at work (the Dropbox breach, in which over 60 million user credentials were stolen, was enabled by an employee reusing a password at work), and this includes passwords that protect accounts holding highly sensitive company and customer information. Employees also share unprotected passwords with co-workers and store passwords insecurely.
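The practical counterpart to the statistics above is to stop weak or already-leaked passwords at the moment they are set, rather than relying on employees to change their habits. The following is an added example, not code from the original post or from our firm, of a password-screening routine that rejects a candidate password if it is too short, embeds the username, or has a SHA-1 hash that appears in a breach corpus. The corpus is looked up by 5-character hash prefix, the same shape as the Pwned Passwords range lookup, so a checker that consulted a remote service would never send the full hash. The breach list below is a small constructed sample standing in for a real dump; the case to note is "Summer2017!", which satisfies a typical complexity rule yet is rejected because it has leaked.

```python
import hashlib

# Constructed breach corpus for this demo. Assumption: a real deployment loads
# the Pwned Passwords SHA-1 list (or an internal list of leaked hashes) instead.
BREACHED_PASSWORDS = ["password", "123456", "qwerty123", "letmein", "Summer2017!"]

MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the representation breach corpora are usually
    published in. SHA-1 is used only to match the corpus format; it is not a
    suitable algorithm for storing passwords (use bcrypt/scrypt/argon2)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes by their first five hex characters.

    This mirrors the k-anonymity range query: a client discloses only the
    5-character prefix and compares the returned 35-character suffixes
    locally, so the full hash of the candidate password never leaves the host.
    """
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def in_breach_corpus(password, index):
    """True if the password's hash suffix is found under its prefix bucket."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def screen_password(password, username, index):
    """Return the list of reasons to reject the password; an empty list means
    it passes. Checks are ordered cheapest first, breach lookup last."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if username and username.lower() in password.lower():
        reasons.append("contains username")
    if in_breach_corpus(password, index):
        reasons.append("found in breach corpus")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for user, candidate in [("alice", "password"),
                            ("bob", "Summer2017!"),
                            ("alice", "Alice-at-work-2024!"),
                            ("alice", "correct horse battery staple")]:
        verdict = screen_password(candidate, user, idx) or ["accepted"]
        print(f"{user:6} {candidate!r:34} -> {', '.join(verdict)}")
```

The length floor and the breach lookup do most of the work here; composition rules (mandatory symbols and digits) are deliberately absent because, as "Summer2017!" shows, they do not stop a password that has already been harvested and will be tried first by an attacker.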
IBM and the Ponemon Institute teamed up to produce their 12th annual Cost of Data Breach Study this past summer. The results are staggering and can help you make the case to executives:
We've helped numerous companies better protect their bottom line through risk mitigation in this area. Take advantage of our experience and lessons learned: give us a call to find out how we can help you.