It’s not “if” a data breach occurs, but “when”. Learn the 6 best practices to prevent a data breach and help your organization better prepare.
If your organization handles customer information, preventing data breaches using best practices and an acceptable NIST framework must be your top priority. Unfortunately, data breaches are commonplace in today’s modern world, even as cybersecurity standards and methods continue to change and improve. The result of such a breach can be catastrophic for an organization in terms of both finance and reputation.
Understanding the full cost of a data breach is the first step in raising organizational awareness. Then, learning more about the six best practices to prevent a cybersecurity breach will help your organization to establish a plan of action. After all, preparation is the key to success!
The Cost of Data Breaches
A report by the Ponemon Institute uncovered a number of unsettling statistics regarding the true cost of data breaches in 2021. By analyzing data breach costs reported by over five hundred and thirty organizations across seventeen geographies and seventeen industries, researchers were able to identify global benchmarks for data breaches:
- Average total cost of a data breach: USD $4.24 million
- Most expensive country for data breaches: United States, USD $9.05 million
- Most expensive industry: Healthcare, USD $9.23 million
- Average number of days to identify and contain a data breach: 287
Other noteworthy data includes the fact that the average cost of data breaches has increased by ten percent in the past year. The cost per breached record is now $180, up from $146 in 2020. Globally, the healthcare industry has the highest breach costs—up 29% in the past year and the highest industry cost for the past 11 consecutive years.
Besides the direct financial setback of a data breach, the other largest cost is loss of business. Across all industries, loss of business has been the biggest breach cost, averaging $1.59 million, or thirty-eight percent of total breach cost. Customers often feel betrayed or misled about an organization’s security procedures after their data is compromised. This can lead to them choosing a competitor with a better—or at least perceived-to-be-better—data security framework.
The Best 6 Practices for Avoiding Data Breaches
Managing your organization’s cyber-risk is a multi-faceted, whole-organization effort that requires teamwork from every member of your staff—from top to bottom. With 95% of data breach incidents reported as the result of “human error”, implementing these best practices can help your organization avoid these costly breaches before they occur.
1. Involve employees in protecting your data with regular training.
Human error is the most common cause of data breaches, so an educated workforce is your best defense against these slip-ups. After all, an organization’s security is only as good as the least knowledgeable person with access to internal networks and databases. Training sessions should educate all employees on the policies and procedures in place to prepare for cyber threats and explain their roles in responding to a security incident. Regular training on how to encrypt data, generate strong passwords, properly file and store data, and avoid malware can empower employees to avoid costly mistakes. Work with your security and human resources teams to create a resource that informs employees about new scams or potential risks as they occur—focusing on phishing scams and vulnerable websites in particular.
2. Data retention: keep only what you need.
Cyber criminals can only steal information that an employee or organization has access to. Limiting data availability can minimize the risk of valuable client information being stolen. This involves taking steps such as:
- Inventorying the type and quantity of information in company files and computers
- Reducing the volume of information collected and retaining only what is necessary
- Not collecting irrelevant or unnecessary data
- Minimizing the number of places where personal, private data is stored
- Knowing what information your organization keeps and where it’s stored
- Storing records only for as long as your audit type requires; if you still need access to this data, archiving the records in a secure location
By keeping the depth and volume of the information you collect slimmed down, you prevent malicious parties from accessing a full profile of the data they want to manipulate.
3. Secure company computers and networks with an acceptable framework from NIST.
All company computers should operate under strict security protocols. Implementing password protection and “lock-out” functions—which require re-login after periods of inactivity, and which lock an account after repeated failed login attempts—keeps devices secure both in and out of the office and helps prevent brute force attacks from gaining access to the information. All employees should know never to leave their devices unattended while in use. This is especially important with the increase in remote work due to the COVID-19 pandemic.
For network security, investing in a personal or corporate VPN can help keep data secure by encrypting the data in transit across networks. A VPN creates a secure tunnel from one endpoint to another, such as an employee’s home and office. With the high prevalence of Wi-Fi hotspots—some legitimate, others not—in today’s remote world, having this system in place is important for keeping company and employee mobile devices risk-free.
4. Implement intrusion detection, logging and monitoring.
Intrusion detection and prevention should be in place for all mission-critical systems, as well as systems that are accessible from the internet. These include web servers, e-mail systems, servers that house customer or employee data, and Active Directory servers. With these checks in place, team members can quickly notify your organization’s security management team about even the hint of a breach.
If you aren’t already gathering logs, auditing Active Directory (AD) changes, and monitoring all of this information via security information and event management (SIEM) technology, now is the time to start. Logs help detect suspicious activity and are therefore a critical part of compliance; many cybersecurity frameworks require some degree of log collection and management.
By gathering and analyzing logs, organizations can catch risky activity early, because logs make it possible to reconstruct a timeline of events. With alerts set up to flag anomalies, security teams can take a closer look, which could help detect an intruder or catch unsafe or potentially malicious behavior from an insider, like an employee or a partner.
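As an added illustration of the alerting and timeline building described above (example code, not from the original article): a small Python detector that parses constructed sshd-style authentication log lines, raises an alert when one source crosses a failed-login threshold inside a time window (the condition a lock-out policy is meant to stop), escalates a success that follows such a burst, and builds the per-source timeline an investigator would review. The log format, the threshold of 5 failures and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page), sshd-style syslog format.
SAMPLE_LOGS = """\
2021-11-02T09:14:01 srv1 sshd[2201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
2021-11-02T09:14:05 srv1 sshd[2201]: Failed password for alice from 203.0.113.7 port 50123 ssh2
2021-11-02T09:14:09 srv1 sshd[2201]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2021-11-02T09:14:12 srv1 sshd[2201]: Failed password for root from 203.0.113.7 port 50125 ssh2
2021-11-02T09:14:15 srv1 sshd[2201]: Failed password for bob from 203.0.113.7 port 50126 ssh2
2021-11-02T09:14:20 srv1 sshd[2201]: Accepted password for bob from 203.0.113.7 port 50127 ssh2
2021-11-02T09:30:44 srv1 sshd[2310]: Failed password for carol from 198.51.100.4 port 41002 ssh2
2021-11-02T09:31:10 srv1 sshd[2310]: Accepted password for carol from 198.51.100.4 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text):
    """Turn raw lines into (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once a source reaches `threshold` failures inside `window`, and escalate a
    success from a source that is still inside such a burst (the case worth paging on)."""
    failures = defaultdict(list)   # src -> timestamps of failures still inside the window
    alerts = []
    for ts, result, user, src in sorted(events):
        recent = [t for t in failures[src] if t >= ts - window]   # assumed sliding window
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"src": src, "at": ts, "kind": "bruteforce"})
        elif len(recent) >= threshold:
            alerts.append({"src": src, "at": ts, "kind": "success_after_bruteforce", "user": user})
        failures[src] = recent
    return alerts

def timeline(events, src):
    """Per-source timeline of login events, the view an analyst reviews after an alert fires."""
    return [f"{ts:%H:%M:%S} {result} {user}" for ts, result, user, s in sorted(events) if s == src]
```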
5. Require the compliance of third-party vendors.
Any and all outside vendors who have access to sensitive information filtered through your organization must also be held to the same standards as your own company. Your organization should only work with other parties that have the correct security and regulatory designations. While groups lacking these certifications may be cheaper to partner with, this is the wrong area to cut costs. Working with a less-than-reputable organization increases your risk for breaches and lawsuits from disgruntled customers. Transparency is something any reputable vendor will offer your organization—if they don’t, it may be a red flag for bad business practices. For further guidance, review the NIST Vendor Management Framework for best practices in vendor selection and management.
6. Conduct regular audits and penetration tests on your cybersecurity framework.
Regardless of the industry your organization operates in, completing regular audits to identify potential gaps in governance can aid in validating your cybersecurity measures. A security audit—of which there are many types—examines the overall nature of your organization as well as how your organization handles information security.
Common questions that can arise after an audit is conducted include:
- Does your organization have documented information security policies?
- Is there a Disaster Recovery and Business Continuity Plan in place?
- How does your organization remediate vulnerabilities?
- Are all applications tested for security flaws?
- Is there a change management process in place at every level within the IT environment?
- How are files and media backed up? Who will be able to access this backup? Are restore procedures tested?
- Did the auditors note any limitations?
- Did the staff cooperate and effectively communicate with the auditors?
- Were there any changes to the audit plan that occurred during the assessment? Why?
- Did the staff assigned to the audit have the necessary knowledge and skillset?
- Was there any documentation requested that the organization could not provide?
- Was the auditor onsite or offsite and which worked best for the organization?
If your organization lacks clear answers to any of these questions, it’s time to take proactive steps to improve the cybersecurity framework.
Many organizations are adopting the cost-effective NIST Cybersecurity Framework with every passing year. By using the framework, organizations can better understand and mitigate the risks facing them every day while getting the most out of the money spent on cybersecurity. By doing this, organizations can see which activities are most important to critical service delivery and ensure that they’re allocating proper resources to protect themselves. Organizations that have used the framework have reported stronger protections and enhanced cybersecurity policies.
Penetration tests are also a great way to test your information security posture by simulating an attack by a malicious actor. Designed to test the information security of the technologies and systems in place at an organization, penetration testing identifies specific vulnerabilities before the bad guys do, mitigating the risk of a data breach or phishing scam.
Establishing an Action Plan if Data Breaches Occur
Despite using the previously mentioned steps to bolster your organization’s cybersecurity, data breaches can still occur. But this isn’t a cause for panic if your organization is prepared. A well-developed action plan should include the following:
- An internal team whose entire focus is guiding your organization through the data breach from start to finish
- The identification of external data security resources, who can aid with recovery and rehabilitation of your organization’s morale, security measures and reputation
- Differentiation between types of data breaches—minor breaches can be delegated to a single member of the internal security team, while major breaches may require a more advanced remediation plan
- An action item checklist in order of priority to the continued functionality of your organization, with items such as:
  - Recording the date and time of the data breach
  - Finalizing and activating the internal and external response, depending on breach type
  - Securing any equipment or systems believed to be a part of the data breach
  - Interviewing those with critical and relevant knowledge about the breach
  - Establishing a plan for the upcoming days
- Frequent reviews and updates to ensure the action plan continues to be valuable and effective for your organization
Mishandling or being ill-prepared for a data breach can compound an already difficult situation. But with a well-thought-out, constantly adaptable action plan in place, your organization can minimize the negative effects associated with a data breach.
How A-LIGN Can Help
With years of experience building compliance frameworks for organizations of all sizes, A-LIGN is prepared to help you avoid data breaches. By building a customized compliance roadmap, establishing a business continuity plan, and conducting regular penetration testing, A-LIGN prepares your organization not only for today’s risks but also provides you with best and next practices to offer a competitive differentiator.