High-Level Tips for Proprietary Information Breaches

A recent headline about the exposure of voter records by a contractor working with the Republican National Committee (RNC) turned heads due to the size of the breach (nearly 200 million potential voters) and how such information was stored in an unsecured cloud account. The records could be browsed without any login at all, exposing them for all kinds of illegal activities. The exposure underscored the need for multiple layers of security needed to manage private data, and the brand damage that comes with failing to protect that information.

For the CEO, management of data should be a primary concern. The modern business of course “runs on data” so any threat to the availability or security of the company’s lifeblood should be taken seriously.

While every breach or hacking incident cannot be prevented, upper management can work hand-in-hand with IT to greatly diminish the risks and make the business an unattractive target for hackers.

Mandate the Creation of a Formal Data Management Plan

The marketing and sales departments are required to create written annual plans in order to have some accountability that ties together their actions with results. IT should also have accountability when it comes to data management. C-level management should require IT to work with other departments to create a formal data plan that is transparent and details how every member of the organization can participate in data protection.

The plan’s details should answer several key questions, including:

• What are all of our data sources? How are they currently stored/analyzed/collected?
• Who has control over the data?
• Who internally is responsible for the data’s security?

When the direction for a data plan comes from the top, then it’s much more likely to receive serious attention, and force departments to think of data as assets that warrant the utmost protection. It sets the organizational tone towards data, by instilling the need for proactive moves to guard against loss, instead of a reactive approach.

Ensure Data Access is Controlled and Monitored

As a business grows, the CEO has new complexities to manage including additional staff and product offerings. Growth also means a greater number of users that must access data to perform their jobs. CEOs should work with their CTOs to ensure access is properly controlled and monitored. If an employee that normally pulls 5-10 customer records a day suddenly downloads 15,000 to a thumb drive, there needs to be a system in place to identify such actions. Upper management should mandate policies that are strict enough to limit data exposure but do not restrict staff from doing their jobs.

Ex-employees are unfortunately a common source of data breaches, as they often retain access rights long after they leave the company. Terminated employees should have their access revoked at the same time as their dismissal to prevent them from taking illegal actions, especially when they’re emotionally upset. Third-party vendors that need access should also be strictly managed, so push department heads to dig deeper into the vendors’ practices and track records with data security.

Demand Multiple Layers of Backups

Business continuity is vital for the success of any firm, especially those that run on the processing of information. To protect the business, management should require multiple data backups that can be utilized as fail safes in the case of data breaches or inaccessibility. Blending physical on-premises storage with trusted cloud providers enables firms to build “backups of the backups” that protect against theft, hacking, and natural disasters. Again, the data protection plan is essential, and it should detail exactly how data is backed up and who manages that process.

Data storage is exceedingly cheap, and a classic management “risk reward” where the costs are small compared to the downside of losing a valuable asset. Used correctly, a mix of storage options will ensure the business can continue operating without interruption.

In addition to pushing staff on creating a plan, controlling access, and managing backups, the CEO also needs to spark a cultural shift. They must make it clear that data security and protection is a “business” issue, not just a job for IT. The organization needs to have security professionals on the team who are proactively stopping breaches and poor data management practices. This style contrasts to the typically reactive and measured approach of IT.  CEOs will need to pick department heads who can transform the company’s approach to data to keep the company out of the headlines and protect customer privacy.

[Image courtesy: Blue Coat Photos]

About the Author

David Zimmerman has been in the hardware/software industry for over 30 years, and the data recovery software market for 18 years. During this period, he has been involved in the creation, marketing and support of the earlier drive recovery software products to enter the PC market and successfully marketed them both nationally and internationally. His company, LC Technology International, makes data recovery products for most of his competitors and is a global leader in data recovery, file system utilities and data security technology.