The legendary Green Bay Packers coach Vince Lombardi was famous for his "Gentlemen, this is a football" speech at the beginning of each season. This return to fundamentals served his team well over the years--they won five NFL championships, including two Super Bowls.
Businesses need the same back-to-basics approach when managing security risks to their data. This may seem counter-intuitive given the sophisticated nature of the threats surrounding us -- nations are hacking nations and corporations are hacking corporations. Data breaches are everywhere, as evidenced by the numerous financial and retail breaches that have occurred over the past two years, and security experts predict a similar trend for healthcare in 2015.
Regulators are seeking assurance that proper security controls are in place both inside an organization and among its vendors. For instance, the Office of the Comptroller of Currency (OCC), in its bulletin OCC 2013-29, has told financial institution boards of directors that they are responsible for identifying critical vendors and validating their data protection measures. It comes down to this: either companies will police themselves and their vendors, or the regulators will swoop in and do it for them.
Getting Back to Basics
Despite advancing threats and regulatory scrutiny, we need to return to what football coaches would refer to as "basic blocking and tackling" -- in the data security world, this means instituting time-tested privacy and security practices that, if applied correctly, will work today and into the future. Here are my four favorite basic blocking and tackling techniques that will serve any organization well:
1. Identify everyone in your organization who has access to your data. Yes -- everyone. Since departments continuously share data, you have to assume anybody has or can obtain access to data at any point. The reality is that most breaches happen inside an organization. This could be an unhappy or financially strapped employee looking to sell data on the dark net (i.e., the black market) or someone who has changed roles within the organization and whose previous access has not been removed. These users and their roles should be reevaluated and approved periodically by appropriate management. Employees should be continuously educated on what to do if they find themselves accessing data that is not part of their job description, and should understand there may be consequences for inappropriate access. Be sure to perform reviews for all data, regardless of what type of data it is.
2. Know where your data is and how it is accessed. It's easy to do this exercise if all processing and storage is done in-house, but this is rarely the case. I've encountered many companies of various sizes that truly can't account for all of the locations where their data may reside and how it is accessed. Third parties play a role in this dilemma, as the location of the data (e.g., backups, redundant sites, cloud) and how it is accessed (say, support from personnel working from their home instead of a secured facility) may change without the third party notifying your organization.
3. Ensure your vendors secure your data with equal or better security than your own. Most small and many mid-size vendors still lack appropriate levels of security across their enterprise. While a case can be argued as to why this is so, it certainly doesn't let you off the hook. Outsourcing a task does not mean outsourcing the risk. With this being the case, you need to validate their controls by having an assessment performed by qualified personnel. Furthermore, at least annually, analyze the scope of work being performed by the vendor and evaluate whether the data elements provided are truly required for their tasks (for example, does the vendor really need access to your customers' social security data?).
4. Utilize data encryption whenever you can. Data -- especially sensitive data -- should always be encrypted wherever it is stored. Furthermore, sensitive data should never be unencrypted on portable devices (and yes -- that means laptops too). A good rule of thumb for reference on encryption and portable drives is the Massachusetts state regulation 201 CMR 17.00, entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth" (more commonly known as "Mass201" or "CMR17" in data privacy circles), which directs data to be encrypted on any portable device. While it may be costly for you and your vendors to do so, the cost of not encrypting data, whether through lost business, fines from regulators, or anticipated class-action lawsuits, could be much higher. Remember, regulators claim their right to investigate your third parties, even if those third parties are not themselves in a regulated industry.
Share your game plan with your management
Given today's threat-filled landscape, no data is ever 100 percent secure. But by getting back to "basic blocking and tackling" and implementing simple or even mid-level controls, you can minimize and even mitigate a high percentage of the chances and effects of a breach. Taking such steps consistently, and monitoring your results, will further prove to your executive management, the board of directors, and regulators that you are in lock-step with your organization's security objectives, and will give you additional leverage to focus on and tackle more complex initiatives such as addressing your cybersecurity risks.