[BreachExchange] Top 10 Ways to Protect Your Company’s Data

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 10 19:20:35 EST 2016


http://www.jdsupra.com/legalnews/top-10-ways-to-protect-your-company-s-50024/

You know how important data is to your business and you have been hearing
about data breaches for more than a decade, but where do you find a simple,
straightforward summary of how to protect your company?   That is a
question we hear a lot, and not having a really great place to send people
who ask, we take advantage of two decades of helping to protect companies’
data to offer you the following orderly checklist, which will set you on
the right path to resilience in the face of all of the risks of our
data-driven world.

1.  Know what you need to protect

- Customer data, e.g., transaction and account records, profiles and
contact information, personal data and perhaps protected health information
of your customers or theirs, and perhaps including sensitive information
like social security numbers or payment card information;
- Your “crown jewels,” information that’s special to your business, like
your financial records, marketing plans and trade secrets;
- Confidential information, including things you’ve promised to keep in
confidence; and
- Employee records.

2.  Know where it is

In thinking about how to protect your important data, you want to know what
you can about that data, including where it is collected, created and
resides and how it moves:

- on your servers;
- in a variety of types of “clouds” with which you have contracts;
- on mobile devices; and
- through email, wifi and other transmissions.

3.  Protect it, reasonably

- Do you encrypt the most important information at rest or in transit?
- Do you require strong passwords?
- How do you use anti-virus software, firewalls and intrusion detection to
keep the bad stuff out and know when it has gotten in?
- How do you know when your important data is leaking, or being accessed or
taken?
- Is cardholder information handled exclusively by a secure payment portal?
- How is your important data backed up?

4.  Limit access and train

- Can you limit access to the data you need to protect to those who need
it, and terminate their access when they no longer need it?
- Can you train those with access in security awareness, e.g., to avoid
phishing attacks and to use strong passwords?
- What physical security is in place?
- Do you know at all times who should have access or has had access to the
data you need to protect?

5.  Control vendors with access to your data

Small and medium-sized businesses generally have difficulty keeping up with
constantly changing threats to data, so entering contracts containing the
right protections with the right secure cloud platforms is critical to
protecting your important data.  Cloud offerings vary widely in their
security and related assurances, so it is important to pick the right one
first, and then to get the right contractual provisions in place.  And
because you will rely on vendors to protect a lot of your important data,
contracts matter.  Particularly important questions include:

- What does the vendor offer in third-party audits and certifications?
- What else can the vendor promise about its safeguards?
- Will the vendor know if there is unauthorized access to your important
data, and will it tell you at the first signs of such access?
- What rights, if any, will you give the vendor in your data, or to any
data derived or created from your data?
- How, if at all, can the vendor share your data with any other entities,
and under what conditions?
- How will you get your data back at the end of the contract, or how will
the vendor protect what it keeps?
- If the vendor has access to your systems, how have you limited that
access to what the vendor needs to do its work for you?

6.  Know your privacy policy(ies)

These are the promises you make regarding personal data to which you may be
held accountable.  You almost certainly need one on your website and
provisions in your employee policies, and may need others depending on your
business.

7.  Plan for data loss or theft and other incidents

Data loss or theft will happen, no matter how good your safeguards are, or
your vendors’ safeguards are.  The key to preserving your customer
relationships and the value of your business and preventing lawsuits is
often great response, which, after doing it a few thousand times, we can
tell you is not so complicated:

Your employees and contractors must know where they must report any
suspected loss or theft of your data or unauthorized access, immediately.
You need to have a team ready to respond, who can deal quickly and
effectively with:

- containment and prevention of harm;
- communication with customers, other stakeholders and media;
- notification and other legal obligations; and
- remediation and improvement of safeguards.

If you respond right, an incident that could really hurt your business can
actually build trust.

8.  Get coverage

The risks of loss or theft of data and business interruption are precisely
the type that insurance best addresses, because incidents will happen to
your data that are WAY beyond your control.  When you understand what your
risks are, and have taken the basic steps to prevent and prepare for
security incidents, you can choose the coverage that best addresses your
risks and needs.   Today, that coverage almost certainly includes specialty
cyber-risk coverage in addition to standard E&O, crime/fidelity and
commercial general liability coverages.  Companies should also review their
D&O and cyber-risk policies to determine whether there is coverage for
shareholder actions arising out of breaches or security events.  By taking
basic steps to protect your important data like the ones above, you can
answer the questions on the insurance application better and have a better
chance of avoiding the risk of claim denials later.

There is a lot to say about all of the available specialty cyber-risk
coverages.  Here are some basic considerations for starters:

- Definition of Computer Network: This definition lies at the heart of all
cyber policies. If your organization relies heavily on cloud services be
sure that “cloud computing” is included in the definition and is considered
a part of your “network” or “computer system.” In addition, if you have a
BYOD policy or suspect many of your employees are using their own personal
devices for work purposes, be sure that “mobile” devices are included
within the definition. Perhaps more importantly, consider whether the
definition contains an “ownership” requirement. Many definitions may
include mobile device, but only if the device is “owned” or leased by the
insured organization. If your employee conducts business on a personal
device (one not owned by the insured organization), and there is a breach
traced back to that device, will the cyber policy respond?
- Acts by Employees: Many cyber policies preclude coverage for intentional
acts by past and present employees under both the third-party liability
coverage parts as well as the first-party coverage parts. The exclusion
under the liability coverage parts usually contains an exception and is not
applicable, unless or until there is a final adjudication that the employee
did, in fact, commit the intentional act. However, this exception often
does not apply to the first-party coverages such as cyber extortion,
business interruption, or network asset protection. In addition, some
policies have broad exclusions that could be read to apply to employee
negligence in addition to intentional employee acts.  Business leaders need
to have a full understanding of the extent of coverage for acts by their
past and present employees and other members of their organization.
- Minimum Requirements: Some policies contain exclusions or conditions that
require the maintenance of minimum levels of network security, or provide
that coverage may not be available if the policyholder did not implement
certain security measures it stated it was implementing, in the application
for insurance. Business leaders should be very cautious of these provisions
and consult with a lawyer, experienced insurance broker and/or a network
security expert to be sure the requirements are reasonable and you can meet
them.
- Sublimits: All specialty cyber-risk policies provide for certain
“buckets” of insurance coverage applying to particular losses arising out
of the breach or security event.  Many specialty cyber-risk policies have
limits for certain buckets that are much lower than the policy aggregate
limits.  This is particularly true for certain first party losses, and
regulatory liability, payment card (PCI-DSS), and consumer redress
coverages.
- Coverage for Bodily Injury and Property Damage: Many specialty
cyber-policies exclude loss arising out of bodily injury and property
damage caused by a cyber-security event.  If you are a company with a risk
of such losses, review your coverage options carefully.  Some policies
available on the market provide such coverage.

9.  Get practice

Cybersecurity programs cannot be left to gather dust on the shelf, because
the threats from outside are always changing, and even the threats on the
inside that change more slowly can soon be forgotten.  If you have
visibility into your security incidents, you may not need tabletop
exercises, because you will be implementing your response program regularly
in the real world.  If you do not have the benefit of these regular,
real-world drills, however, consider a periodic practice session to kick
the tires of the process and see if there are opportunities to make it
better.

10.  Expect new threats & solutions

Many of the threats to your important data that are new come in big waves,
like a new virus or exploit or series of attacks from a nation state.   The
cybersecurity world is always watching and sharing information about these
changing threats and what companies can do to protect themselves. You do
not have time for that fire hose, but industry groups and your friends can
help.

In the last few years in particular, we’ve seen an increasing trickle of
technology that makes protecting your data something that small and
medium-sized businesses can do better than before, including new encryption
solutions, secure development platforms and limitations on where sensitive
data can be processed.   The threats to your important data will just keep
growing, but solutions to help us all cope with those threats keep on
coming as well.  The risk transfer solutions will be getting better all the
time as well.  We will get through it all with a little help from our
friends.