Not a day goes by that we don’t hear about some kind of data breach. No industry is immune. It is essential for companies of all sizes to have a plan for how to deal with hacks, breaches or leaks. Jennifer Gladstone sat down with Phillip Gordon of Littler Mendelson to find out what you can start doing today to up your odds of beating a breach.
Over the last few years consumers have been shocked by the number of huge companies falling victim to data breaches. From Sony to Target, Home Depot and health insurance giant Anthem, personal information is being stolen by the truckload.
If business owners believe they are not going to be targeted because they are too small, they are putting their heads in the sand. There are only so many big fish out there. Soon, medium-sized and even smaller companies could find themselves facing the mess that is a data breach.
Phillip Gordon // Littler Mendelson: I think people are nervous. You see all of these large sophisticated companies getting hacked, and you are a smaller company without the budget that these huge companies have for information security and you wonder, is my organization vulnerable?
It’s an important question to ask. If a breach is not handled well it can cost you customers and possibly years of litigation expenses and headaches.
Phillip Gordon: The very first few days after a security incident are critical in terms of developing strategy, and the team that is responding to the incident needs to be able to communicate frankly about what happened.
A recent study showed more than two-thirds of companies do not feel prepared to respond to a security breach. Even the remaining third -- who have security incident response plans -- say they still don’t feel confident. Part of that concern could be the fear of an attack from an unknown entity -- an outsider. But the real problems could be under your own roof.
Phillip Gordon: The general perception is that security breaches are the result of hacks. Hacks do account for about a third of security breaches, but the other two-thirds are the result of some type of either human error or intentional conduct. So, a lot of this is a people problem where organizations can mitigate the risk.
Mr. Gordon says there are several steps companies should take to protect themselves.
The number one step is implementing an overall information security program. This not only includes technical safeguards like firewalls and anti-virus protection, but also physical and administrative safeguards like monitoring who’s walking into your facility. He also says you should put policies in place for employees who handle data. These policies can be as simple as making sure they lock their screens when they walk away from their desks, or requiring them to use screen protectors if they work remotely.
You should also make sure that all mobile phones and other portable devices are encrypted, and train all of your people about the importance of information security. These steps apply to companies of all sizes, and as we mentioned earlier, small businesses are by no means exempt.
Phillip Gordon: One of the advantages of being in a small business is that you know your people -- they are your team, they care about the business, they own it too, and you can sit down and talk to them about being careful, about making sure when they are travelling that they are taking good care of their laptop or their smartphone, that they are not putting sensitive client data on a thumb drive or a CD that can easily be lost or stolen unless it’s encrypted, that they think about who they are mailing sensitive data to before they mail or email it, watching the address, watching the attachment, slowing down just a little bit. This is not just an IT problem, it is an organization-wide challenge and everyone in the workforce can contribute.
Mr. Gordon calls this having a ‘culture of stewardship of data.’ A little time and effort goes a long way when your employees are invested in data protection. A study from the Ponemon Institute found that 43% of all companies experienced a data breach of some kind over the last 12 months. The prudent question might not be if it will happen to you… but when. And with the average breach remediation costing close to $6 million, this is an issue no company can afford to ignore.