Businesses store vast amounts of information. A security breach occurs when an intruder, employee or outsider gets past an organization's security measures and policies to access the data. This sort of security breach could compromise the data and harm people. There are various state laws that require companies to notify people who could be affected by security breaches.
A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
Just to mention I would like to mention on the notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.
Uncovering a security breach depends primarily on the method of discovery, as some methods inherently take longer than others. This also depends on the maturity of a security program implemented in an organization that directly reflects the ability of an organization to detect and respond to threats. It is important to remember that speed is not the only critical factor in incident response as execution of a well-conceived plan is equally critical while detecting and responding to breaches. Acting fast just for the sake of speed increases the risk of making mistakes, resulting in higher costs or needlessly extending the time necessary for full incident mitigation. Unfortunately, third parties discover data breaches much more frequently than victim organizations themselves.
Physical Security Breach
One form of breach is a physical security breach, wherein the intruder steals physical data, such as files or equipment that contains the data. Intruders could steal computers, particularly laptops, for this purpose. Businesses should monitor access to their property to cut down on such incidents and require employees to lock away their laptops when not in use.
Electronic Security Breach : Another form of breach is an electronic security breach, wherein the intruder gets into a business' systems to access sensitive data. The intruder gains such access by taking advantage of any weaknesses in the systems, such as inadequate firewall protection. This could also happen if the organization does not have adequate password protection for sensitive data. This sort of security breach is one reason businesses should perform constant security updates.
Data Capture Security Breach : Data capture, or skimming, is a practice whereby the intruder captures and records the data on a magnetic card stripe, such as on a credit card. This form of security breach helps the intruder produce copies of credit and debit cards. The intruder could either be an employee of a merchant who handles the customer's card, or it could be an external intruder. An external intruder could attach a device to card readers or ATM machines to skim information.
Business Response : Businesses should be wary of security breaches. Best practices for businesses to follow include having a policy in place to deal with any incidents of security breaches. They should identify what information has been compromised and decide who are the appropriate regulatory authorities to which they should report. Affected customers should also be notified.
Security and data breaches don’t favor one organization or industry over another and are taking place every day. Companies should consider the “how” of a breach as opposed to the “who” to evaluate their exposure to a similar event.
Retail operations remain a target to hackers due to the volume of information in their systems, including credit card information, confidential information for loyalty programs, and employee data. The victims of these attacks are an organization’s most valued assets: their employees and customers.
Until recently, many thought data risk was trivial compared to other threats such as theft, slip and falls, and workplace violence. But with data compromise occurring at much greater frequency, it’s one risk you don’t want to underestimate. Reputational harm stemming from a poorly managed data breach can be catastrophic.
Five myths you can’t afford to believe
1. Data theft is not a problem for me — my company is too small. Data privacy is a concern for organizations of any size. Rogue employees, data thieves, and unscrupulous business associates are looking for opportunities to take advantage of any weakness or mistake. Additionally, human error by negligent or careless staff account for a surprising number of data breaches around the country.
2. We can afford to self-insure the risk. As the economy continues to recover, companies are still closely watching discretionary spending, including certain lines of insurance coverage.
Many organizations wrongly believe that if something happens to their data, they can afford to cover the costs. According to a recent Ponemon Institute study, the average cost for a small breach of 1,000 records could easily exceed $200,000 — a sum that many companies cannot easily absorb.
Remember, the majority of funds to respond to a breach need to be liquid. Breach vendors typically look for payment before or at the time service is rendered, and payment for postage is required when the letter is mailed, not 30 days later.
3. Coverage is expensive and hard to get. This perception was true five years ago but is not true today. Competition, claims experience and a larger pool of buyers have made network security and privacy liability coverage more cost-effective and easier to obtain.
Even with the recent proliferation of retail breaches, the market remains relatively stable. Some carriers, however, are more cautious when reviewing risks with a large volume of credit card data.
4. Our general liability policy will cover us. General-liability insurance covers bodily injury and property damage as well as advertising injury and personal injury. The courts have consistently stated that data are not property because they are intangible. The perils associated with advertising injury and personal injury are very specific.
While a properly worded lawsuit could trigger coverage, the main expenses from a data-privacy event are the breach response- and notification-related costs. There is little chance of these costs being covered under a general-liability policy.
5. We have vendors who handle our sensitive information and credit card transactions; if they have a breach, it’s their problem not ours. This is not generally true. The data owner — the person or entity collecting the data — is ultimately responsible for what happens to that data.
Thus, a breach at a trusted business vendor could still lead to your obligation to provide notification and a decision whether to offer credit monitoring. Your contracts may require indemnification by your vendor, but if the breach is large enough, indemnification might not be enough to cover the costs or your vendor could file for bankruptcy.
More importantly, do you want critical correspondence to customers and/or employees handled by someone other than you?
A few steps toward peace of mind
It is essential for organizations to adopt policies and procedures addressing information security, along with a concrete, comprehensive plan for incident response. Consider these questions to create “peace of mind”:- Plan — What will you do if a potential issue is identified?
- Educate — Have you adequately educated your employees about their responsibility to protect private information?
- Access –Have you implemented standard procedures for access to and use of private data? Is access to data limited to a “need-to-know” basis?
- Contracts — Do you have procedures for managing your contracts with third parties? Do they address indemnification and insurance?
- Encrypt — Do you follow encryption standards? Do you restrict and/or encrypt data that is stored on mobile devices, including thumb drives and backup tapes? What about data at rest?
- Online – Do you have a written policy regarding the dissemination of personal information on public and social media sites?
- Financial impact — Do you have adequate reserves or an appropriate insurance policy to manage the financial impact of a breach?
- Monitor — How often do you monitor networks, websites and databases to detect potential issues?
Employers should also look for insurance partners who can help them identify financial risks and develop customized solutions to better protect their organization.
As larger organizations adopt security awareness campaigns due to requirements of various compliance regimes, training is often conducted only once a year. Organizations will be able to learn about potential security incidents faster only if their employees are well-equipped to recognize that something is amiss and react accordingly. And this will only be possible if, apart from stringent security policies, regular updates and refresher courses are in place.
No comments:
Post a Comment