6 steps for good risk management


Protecting sensitive information is getting more challenging for every organization.
Data breaches are part of the current landscape, and every company has to be prepared to face one.
Here are 6 rules for good risk management that your company should follow.

1 Policies
Having up-to-date policies significantly reduces your institutional risk.
There are various policies that your company could implement, like clean desk (don't leave important papers unattended on a desk), mobile device reset (wipe those assets if lost or stolen), incident response policies, etc.
An important policy is the data classification policy, which ensures that employees know how data is classified.
In addition, you should have all employees sign a confidentiality agreement, in case sensitive information accidentally makes it into the hands of an employee who would not normally have access to it.

2 Audits
Audits are helpful in finding the gaps in your security, prioritizing issues, and getting the funding you need to address security concerns.
They can be performed by a member of IT or your audit staff in survey form across your institution.
Some audits are even mandatory: any institution that uses credit cards must perform a yearly self-assessment for PCI compliance.

3 Technology
Leverage technology by using encryption to ensure that your most critical assets are safe. This will help prevent a breach when a virus or malware hits.
It is also important to encrypt sensitive data at rest on the network or in applicable databases, through a combination of file share encryption and database encryption.
It is also important to have up-to-date versions of the software your company uses.
Many vulnerabilities on endpoints, for example, come from non-Windows software such as Flash and Adobe, so keeping those solutions updated is important.
Last but not least, always monitor your sensitive data to make sure it does not leave the network due to disgruntled employees or mistakes.
Cloud-based monitoring tools can alert you when certain information leaves (or attempts to leave) your network, helping you find or stop a breach.

4 Education and Awareness
Security awareness training should be mandatory for all employees.
It should include the evolution of security threats, state regulations affecting security, and the data classification and usage policies at your organization.
The training should educate employees on what data is highest risk, and then it should clearly explain the requirements for working with, transmitting, and storing that data.
In addition to yearly training, it also helps to send regular newsletters to all employees.

5 Purchasing and Third-Party Providers
It is important to have third-party assurance policies that put the onus on your third party if they have a breach of your data, and that require an evaluation to see whether the vendor has appropriate levels of security to handle your sensitive assets.
You might also want to leverage cybersecurity insurance as a risk management tool.
This will help from a risk transference standpoint when your institution does experience a breach.

6 Incident Response
When and if a breach occurs, having a good incident response plan will make the process go more smoothly.
All departments in your organization should know how to react to a breach: IT, finance, human resources, marketing, legal, and other senior officials. 


Source: https://er.educause.edu/articles/2016/2/risk-management-through-security-planning-lessons-from-a-cio-and-ciso