I spent my morning reading through the 2010 Data Breach Investigations Report that was just published by the Verizon RISK Team and the United States Secret Service. This is an amazingly insightful report with lots of information to digest. If the topic of data breaches interests you, I highly recommend finding time to read through it.
Data breaches are expensive. According to the Ponemon Institute’s 2009 Cost of a Data Breach study, the average cost of each compromised record is $204.
Here are 5 quick recommendations that I’d like you to consider:
- Recognize your data: Before you can protect confidential, sensitive and important data you must first go through an exercise of identifying where it lives, who has access to it, how it’s handled, and what systems it touches, and make sure any and all interactions with the data are fully visible and auditable.
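One concrete way to start the "where does it live, who can reach it" exercise is a discovery scan that walks a file tree, looks for regulated data patterns, and records the owner and read permissions of every file that contains them. The script below is an added example, not code from the original post or from the DBIR; the patterns, the sample files it creates in a temporary directory, and the permission bits it sets are all constructed assumptions, and the card-number pattern is filtered through a Luhn check to keep false positives out of the inventory.

```python
"""Data discovery: find where regulated data lives and record who can reach it.

Added example, not from the DBIR or the original post. The patterns, the
sample files and the permissions below are constructed assumptions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Starting-point patterns for common categories of sensitive data (assumptions,
# not a complete classification scheme).
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to drop random digit runs the card regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count matches per category in one document; card hits must pass Luhn."""
    hits = {}
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "card_number":
            matches = [m for m in matches if luhn_valid(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
    return hits


def build_inventory(root: Path) -> list:
    """Walk a tree; for each file holding sensitive data record where it is,
    who owns it, whether others can read it, and what was found."""
    inventory = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue            # unreadable file: skip, do not abort the scan
        hits = scan_text(text)
        if not hits:
            continue
        st = path.stat()
        inventory.append({
            "path": str(path.relative_to(root)),
            "owner_uid": st.st_uid,
            "group_readable": bool(st.st_mode & stat.S_IRGRP),
            "world_readable": bool(st.st_mode & stat.S_IROTH),
            "findings": hits,
        })
    return inventory


def demo() -> list:
    """Create a throwaway tree of constructed files and inventory it."""
    root = Path(tempfile.mkdtemp(prefix="inventory-demo-"))
    samples = {   # constructed content; 4111... is a Luhn-valid test number
        "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n"
                               "1002,1234 5678 9012 3456\n",
        "hr/roster.txt": "Jane Roe 123-45-6789 jane.roe@example.com\n",
        "public/readme.txt": "Nothing sensitive here.\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    os.chmod(root / "hr" / "roster.txt", 0o644)       # world-readable: a finding
    os.chmod(root / "finance" / "refunds.csv", 0o600)  # owner-only
    return build_inventory(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The inventory is the artifact the recommendation asks for: a list of locations, owners and exposure that can be reviewed and re-run after remediation. In practice the same scan would be pointed at file shares, mailboxes and database exports, and the "who has access" column would come from ACLs rather than only the POSIX mode bits shown here.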
- Take proactive precautions: The majority of breaches were deemed “avoidable” if the company had followed some security basics. Only 4 percent of breaches required difficult and expensive protective measures. Enforce policies that control access and handling of critical data.
- Watch for ‘minor’ policy violations: The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should investigate all policy violations. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
- Monitor and filter outbound traffic: At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
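The point above is that outbound traffic is a chokepoint: a defender who knows what normally leaves the network can spot the step in the breach where data or command traffic goes out. The following is an added example of that kind of egress check, not code from the original post or from the DBIR. It parses constructed flow records (an assumed "epoch src dst dport bytes_out" format; real data would come from firewall, proxy or NetFlow exports), compares each flow against an assumed allowlist of business destinations and ports, restricts direct SMTP to one assumed mail relay, and flags any host whose outbound volume in an hour window exceeds an assumed threshold.

```python
"""Egress monitoring: flag outbound flows that should not be leaving the network.

Added example, not from the DBIR or the original post. The log format, the
allowlists, the thresholds and the sample flows are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: "epoch src dst dport bytes_out" (an assumed format).
# One deliberately malformed line is included to show it is skipped, not fatal.
SAMPLE_FLOWS = """\
1277000000 10.0.1.15 203.0.113.10 443 5120
1277000010 10.0.1.15 203.0.113.10 443 8192
1277000020 10.0.1.22 198.51.100.7 25 2048
not a flow record
1277000030 10.0.1.15 198.51.100.99 443 734003200
1277000040 10.0.1.31 203.0.113.10 443 1024
1277000050 10.0.1.31 192.0.2.44 6667 512
1277000060 10.0.1.31 198.51.100.7 25 4096
"""

# What the business expects to talk to (assumptions): a SaaS provider and the
# upstream mail relay, over web ports only.
ALLOWED_DESTINATIONS = {"203.0.113.10", "198.51.100.7"}
ALLOWED_PORTS = {80, 443}
MAIL_RELAY = "10.0.1.22"                 # only host allowed to send SMTP directly
VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024   # per host, per window (assumption)
WINDOW_SECONDS = 3600


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list:
    """Parse the assumed flow format, skipping lines that do not fit it."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts, src, dst, dport, nbytes = parts
            flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def detect(flows: list) -> list:
    """Return (rule, source_host, detail) tuples for flows that break egress policy."""
    alerts = []
    volume = defaultdict(int)            # (src, window) -> bytes sent
    for f in flows:
        if f.dport == 25:
            if f.src != MAIL_RELAY:      # workstation talking SMTP itself
                alerts.append(("direct-smtp", f.src, f"{f.dst}:{f.dport}"))
        elif f.dport not in ALLOWED_PORTS:
            alerts.append(("unexpected-port", f.src, f"{f.dst}:{f.dport}"))
        if f.dst not in ALLOWED_DESTINATIONS:
            alerts.append(("unknown-destination", f.src, f.dst))
        volume[(f.src, f.ts // WINDOW_SECONDS)] += f.bytes_out
    for (src, window), total in volume.items():
        if total > VOLUME_THRESHOLD_BYTES:   # bulk transfer out of the network
            alerts.append(("volume", src, f"{total} bytes in window {window}"))
    return alerts


def run() -> list:
    """Run the detection over the constructed sample and return the alerts."""
    return detect(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for rule, host, detail in run():
        print(f"{rule:<20} {host:<12} {detail}")
```

In the sample, the legitimate relay's SMTP and the two hosts' normal SaaS traffic produce nothing, while one host is flagged for a large transfer to an unlisted destination and another for an unexpected port, an unknown destination and direct SMTP. Each of those is a flow that a filtering rule at the edge could have blocked, which is the chain-breaking opportunity the recommendation describes; thresholds and allowlists would be tuned from a baseline of the organization's own traffic rather than the constants used here.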
- If a breach has been identified, don’t keep it to yourself: Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidentally been compromised.
I’m going to end this blog post by asking you to estimate how many pieces of sensitive files and data your company has… Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data is well worth the investment.