[BreachExchange] 5 Tips For Making Data Privacy Part Of The Company’s Culture
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jun 23 20:08:04 EDT 2016
http://www.darkreading.com/operations/5-tips-for-making-data-privacy-part-of-the-companys-culture/d/d-id/1326020
By now, the news has been well reported in the press. The Federal Deposit
Insurance Corporation (FDIC) admitted in May that it has experienced at
least five major data breaches since last Oct. 30.
While all five apparently took place when employees left the agency with
thumb drives that contained sensitive data, two of the cases have been
identified as extremely problematic. In one case, PII on 44,000 FDIC
customers was compromised and in another case, 10,000 Social Security
numbers were compromised.
Dana Simberkoff, chief compliance and risk officer for software firm
AvePoint, says that these kinds of breaches are avoidable if organizations
had more defined data protection policies and coordinated those efforts
with every department in the organization.
“Data protection has to be everyone’s job,” Simberkoff says. “Too often,
the line-of-business people just think they are there to do their jobs and
make money. IT wants to service the business, the security team is focused
on hackers and privacy advocates focus on compliance. They are all off
doing their own functions.”
Simberkoff offers five best practices organizations can use to make data
protection more of a priority:
1. Get the HR department more involved. A lot of organizations will just
form a committee of top people from all the departments and let the issue
slowly die. Start by getting the human resources department more involved.
After all, they are the ones who will have to explain the company’s data
policies to employees when they enter and exit the organization. They are
also responsible for explaining any changes to the company’s data policies
and will help coordinate any awareness and educational efforts.
2. Develop a clear employee exit strategy. Organizations need a plan for
when employees leave voluntarily and for when the employees are asked to
leave. While it’s up to the organization how much they want to supervise a
fired employee, in both cases they have to have set expectations up front
when the employee enters the organization so there are no
misunderstandings. Think in terms of low, medium and high for access. Once
an employee gives notice, it makes sense to ratchet down his or her access
to classified information and give them only the information they need to
do their job until they leave.
3. Create a plan for protecting corporate data. Part of the problem in the
FDIC case was that the employees commingled personal and agency data. It’s
getting more and more difficult for IT organizations to separate personal
data from company data. However, IT departments can protect corporate data
by properly doing discovery, tagging, classifying, protecting, and then
auditing the data regularly. By doing this, the organization can also
prepare for the EU’s General Data Protection Regulations, which go into
full effect May 25, 2018. Any entity that has a European operation, even if
it’s only online, must abide by these new regulations. Stiff penalties of
up to 4 percent of a company’s annual revenues are at risk in a data breach.
4. Keep close tabs on the organization’s data access policies. As a general
rule, employees should only have access to the data they need to do their
jobs. Think of data access as low, medium and high. If the employee has
been assigned to a special project where they need a higher level of
access, let them have it for the duration of the project, but have a
program in place that supervises and tracks their move back to the normal
level of data access. Companies need a system that assigns access levels
and constantly reviews the organization’s data requirements.
5. Try to limit shadow IT. Line-of-business managers resort to shadow IT
when privacy and security practices by corporate IT stymies them, driving
them to use SaaS services that they can easily provision, often at a lower
cost. Rather than fighting the trend, corporate IT must embrace the cloud
and work more closely with the line-of-business people to understand their
requirements and get them the applications they need to get work done. In
many cases, cloud computing offers greater security and there’s much less
chance of a serious breach if IT knows what’s going on and can put the
proper security controls in place during the negotiations with the cloud
provider.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160623/a955192a/attachment.html>
More information about the BreachExchange
mailing list