High profile data breaches continue to appear in the news every day, causing organizations of all sizes anxiety around data protection. With over 10 million records exposed so far this year, as well as the rise in next generation threats like ransomware and malware, organizations can no longer pretend it won’t happen to them.
By approaching a data breach as a probability, rather than an impossibility, organizations are better equipped to mitigate damage following a breach. While many have spoken about the steps that should be taken during these first 24-72 hours, the steps not to take often get overlooked. Without this knowledge, company leaders could end up spreading the fire, rather than smothering it.
Ermis Sfakiyanudis, president and CEO of Trivalent, sat down with Inside Counsel to discuss exactly what not to do after a data breach. With 15 years of experience as an executive and entrepreneurial professional, Sfakiyanudis has established himself as a thought leader in the data privacy and business communities.
Industries are digitizing, meaning more and more companies are coming to rely on digital data and cloud computing to access, store and transmit information both inside and outside their organizations.
“With all this data now at their disposal, hackers and other malicious actors have an unlimited amount of opportunities to gain access to valuable data, such as protected health information (PHI) or personal identifying information (PII),” he explained. “Unfortunately, many companies still rely on traditional data protection technology like basic encryption, which has proven to no longer be enough to protect critical data from increasing threats.”
According to Sfakiyanudis, organizations need to think about data protection proactively. With the understanding that their organization will incur a breach, leaders can develop a defense-in-depth approach to protecting critical information, better preparing them to handle threats as they arise. In addition to continuous employee training, evolving security strategies, and a well-communicated incident response plan, companies should consider adopting next generation data protection technology as their last line of defense.
“Companies are not always prepared for security threats and don’t realize how quickly a data breach can occur,” he said. “A wrong click of a mouse by an employee could lead to a company-wide breach.”
To ensure company data remains secure, there are a few steps an organization should take, per Sfakiyanudis. First, educate employees on the risks they pose to the company when online and red flags to avoid. Second, stay proactive and make sure all systems are consistently updated. Finally, work with security and/or IT teams to discuss investing in next generation data protection solutions, which go beyond traditional encryption to protect data at the file level through a process of shredding and recombining data for only authorized users.
Since gaps in security strategies are exploited every day, it is important for company leaders to acknowledge their organization may have a similar gap. As businesses learn how to protect data from new threats, hackers quickly adapt in order to infiltrate each new shield put in front of them. “By recognizing a data breach has the potential to occur, and adopting strategies and technology that ensure data stays protected even in the event of a breach, organizations can remain one step ahead of hackers,” he said.
So, what are best practices for organizations to mitigate damage in the crucial hours following a breach?
It is critical that a breached company follows its incident response plan, which, according to Sfakiyanudis, should begin with identifying the suspected cause of the incident. By determining the cause of the breach, an organization can see where the flaw in its data protection lies. Next, isolate the breached system and eradicate the cause of the breach. Throughout, document everything and log the results of the investigation through data capture and analysis so they are available for review. Finally, once the threat has been removed, reassess existing data protection strategies and technology to ensure the company is prepared to protect its data in the future.