Today, virtually every firm, organization, and government entity relies on the collection and processing of data about their customers, clients, members and employees. Storing and processing all this data has, however, made data protection a major risk-management issue. The court case on Safe Harbor this past week is a reminder that data comes with rules and guidance regarding how and when it can be used, as well as requirements to protect said information. How can those who store and process data ensure that they live up to these standards?
The cost of poor data protection
The financial costs of a data breach or a cyberattack can be high and can have long-term effects. The interference created by a data breach or cyber incident may cause revenue loss, hardware and software damage, litigation fees, reputational damage, forensic analysis costs, notifications costs, and possibly credit-monitoring costs – all to be borne by the victim of the breach.
Data protection needs to be a priority for the entire organization
How to manage and mitigate these risks should be a key issue for the Board of Directors and “C suite” of any company that stores data on its servers or shares it across networks. How to manage access to corporate networks and how to manage the data retained by the corporation should be considered at the highest level. This is not an IT-department issue – it is a risk-mitigation and compliance issue that is best addressed before a breach places information in harm’s way.
But data protection also needs to be part of the overall corporate culture. Training needs to be done to educate all network users on best practices to protect both the IT system and the data it holds. Education and awareness could go a long way towards advancing system-wide protections. Policies and protocols should be in place for what data should be collected and stored, for how long, as well as what should be purged from the system on a regular basis. A recent study noted a majority of companies are not practicing basic security, and that 92% of breaches could have been prevented with basic measures like encryption, secure data backup, and data access control.
Cyber-insurance: Necessary, but adds complexity
A common mantra in cybersecurity is that it’s no longer a question of if but when you will be breached. Cyber insurance offers a valuable safeguard from the financial damage that a data breach can impose on a company, but you need to understand your coverage and what types of losses may not be insurable. A major challenge for both the company and the insurance industry is keeping up with compliance and regulations in this area. Failure to understand what is expected of companies that house large amounts of customer data may mean they are in compliance one day and out of compliance the next. Predicting the future is a challenge for both the company seeking insurance protection and the insurance market.
Creating best practices for security controls on all points of access to network operations will allow for a much higher capability to prevent and mitigate cyber intrusions. If corporations take the time to put rules in place to create a culture of cyber preparedness and responsiveness, they will be much more capable of controlling cyber risk and keeping data and IT systems safe and secure – without the need for the Europeans to remind us that data has a value to both individuals and the market.