Unfortunately, no organisation is immune to data breaches nowadays, but there are steps you can take to minimise the risk. Here are 11 key steps you should take to avoid a data breach:
#1. Analyse your organisation’s data breach risks
Start with a risk analysis of your organisation’s data. This might seem obvious, but surprisingly few organisations undertake a complete and thorough, organisation-wide risk assessment of the data they hold, where it lives, who can reach it and what would happen if it leaked.
Those organisations that do undertake a full data breach risk assessment often fail to make it part of their continuous business process, so new risks (a new system, a new supplier, a new category of data) are never addressed.
If you are a small organisation you can undertake the risk assessment yourself, but make sure it stands up to the rigour of a compliance review for your specific industry. Seeking at least some specialist advice from experts with the knowledge to help you build an ongoing risk assessment process is a worthwhile investment.
Recommended reading: 5 Key Steps to Take if a Data Breach Occurs
#2. Educate your staff
Yes, you guessed it. The leading cause of data breaches globally is human error, negligence or ignorance. Figures of between 90 and 95% of all breaches are often quoted; whatever the exact number, it should make you sit up and listen. Training your staff in how to handle data is therefore critical to the security of your organisation’s data.
The best data security infrastructure in the world is rendered useless if staff have not been trained to use it properly. Education should be part of your onboarding process and continue through an ongoing programme that keeps staff up to speed on the latest risks, for example phishing and malware delivered through email.
By educating your staff and building data breach awareness into every role you will have taken a big step towards avoiding a data breach.
#3. Increased staff care of devices
The detail will vary by organisation, but every organisation uses devices that access, modify, capture or store electronic data of some kind. Inventory these devices, and make IT responsible for applying best-practice device security (full-disk encryption, screen locks, patching, remote management) to each of them.
You would be surprised how many laptops, USB thumb drives and other portable devices are stolen, or even more frequently simply lost, while staff are in transit.
Educate staff on device usage policies and guidelines, on the consequences of losing a device and on exactly what to do when a loss occurs. A culture in which staff feel able to report a lost device immediately, rather than hide it, is essential to the ongoing digital health of your organisation: a loss reported within the hour can be remotely wiped, one reported a week later cannot.
Recommended reading: 6 Mistakes Not to Make if a Data Breach Occurs
#4. Access management
Take access management seriously. Well-enforced access rules limit how much data any single compromised account or careless user can expose. Not every team or staff member in your organisation has the same data requirements, so why give everyone the same level of access?
As an example, your marketing team does not need access to the same data as the finance team. Grant each role only the access it needs (least privilege), deny everything else by default, and review the grants regularly so that permissions do not accumulate as people change jobs. Granular access management will limit both the likelihood and the blast radius of a data breach.
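The following is an added illustration of the deny-by-default, role-based model described above; it is not code from the original article. The roles, resources, users and grants are made up for the example, with marketing and finance chosen because the text uses those two teams. An unknown user or an action that was never granted fails closed, and the `Effective` helper produces the per-user list a periodic access review would work from.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is an operation on a class of data, e.g. "read" or "write".
type Action string

// Role bundles the permissions one job function needs and nothing more.
type Role struct {
	Name  string
	Grant map[string][]Action // resource -> actions explicitly allowed
}

// Allowed answers "may this role perform a on resource?". Anything not
// explicitly granted is denied, which is what makes the model least-privilege.
func (r Role) Allowed(resource string, a Action) bool {
	for _, g := range r.Grant[resource] {
		if g == a {
			return true
		}
	}
	return false
}

// Roles for the two teams the article uses as its example (assumed grants).
var (
	Marketing = Role{Name: "marketing", Grant: map[string][]Action{
		"campaign-analytics": {"read", "write"},
		"customer-contacts":  {"read"},
	}}
	Finance = Role{Name: "finance", Grant: map[string][]Action{
		"payroll":           {"read", "write"},
		"invoices":          {"read", "write"},
		"customer-contacts": {"read"},
	}}
)

// Users are assigned roles, never raw grants, so adding a user never widens policy.
var users = map[string]Role{"alice": Marketing, "bob": Finance}

// Check is the single enforcement point: unknown users and ungranted actions fail closed.
func Check(user, resource string, a Action) bool {
	r, ok := users[user]
	if !ok {
		return false
	}
	return r.Allowed(resource, a)
}

// Effective lists everything a user can do, as "resource:action", for access reviews.
func Effective(user string) []string {
	var out []string
	for res, acts := range users[user].Grant {
		for _, a := range acts {
			out = append(out, res+":"+string(a))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, c := range []struct {
		u, res string
		a      Action
	}{
		{"alice", "campaign-analytics", "write"},
		{"alice", "payroll", "read"}, // marketing must not see payroll
		{"bob", "payroll", "write"},
		{"mallory", "payroll", "read"}, // unknown user: denied
	} {
		fmt.Printf("%-8s %-20s %-6s -> %v\n", c.u, c.res, c.a, Check(c.u, c.res, c.a))
	}
	fmt.Println("alice effective:", Effective("alice"))
}
```

Real systems hold the user-to-role and role-to-grant tables in a directory or IAM service rather than in code, but the two properties worth copying are the same: one enforcement point, and no access that is not explicitly listed.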
#5. Secure your network properly
Here are some of the questions you need to ask when reviewing your organisation’s specific network risks:
- Does your office have a reception area, and is anyone watching who comes and goes?
- Can a visitor unplug the network cable from the display in reception that shows your product or service information and plug their own device into that port? Unused and public-area ports should be disabled or placed on an isolated VLAN, and ideally protected with 802.1X port authentication.
- Is your guest network on a separate subnet, with firewall rules that prevent it from reaching your organisation’s key data?
- Do you rely on hiding your wireless network’s SSID (name)? Note that this is not a security control: connecting devices still broadcast the name and any scanner can see it. Rely instead on WPA2/WPA3 with a strong passphrase or 802.1X, and keep guests on the isolated guest network.
Limit access to data and server rooms to essential IT staff only, and protect your network endpoints using network management best practices.
Maintain an entry log for every server-room access, recording who entered, when and why.
Enforce a strong password policy. Current guidance (NIST SP 800-63B) no longer recommends forcing periodic password changes, which tend to produce predictable variations; prefer long passphrases, screening new passwords against lists of known-breached passwords, multi-factor authentication, and forcing a change only when compromise is suspected.
Yes, it’s a hassle, but a data breach is a lot worse than a bit of hassle.
#6. Encrypt data at rest
If an attacker does gain access to your storage, you are further protected if your organisation uses a centrally managed encryption technology that ensures all of your data is encrypted at rest. The protection only holds if the keys are managed separately from the data, for example in a key management service or hardware security module, with access to them controlled and logged: an attacker who can use the keys can read the data, so encryption at rest complements access management rather than replacing it.
If any devices access this data remotely, you also need to ensure that data in transit between your central data management centre and those devices is encrypted over a secure transport such as TLS.
#7. Ensure there’s encryption on your hardware devices and leverage remote wipe technology
You need to do more than encrypt the data stored on your servers. Encrypt the data on laptops and other devices as well: if a staff member loses a laptop or has it stolen, full-disk encryption means the data on it stays out of reach. Add remote wipe technology as a second layer, but treat it as exactly that, since a wipe command only takes effect if the device comes back online, and a thief who keeps it offline never receives it. The key is to secure not just your servers but also your endpoints.
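The following is an added example, not code from the original article, illustrating the pattern behind both the server-side encryption at rest in #6 and the device encryption in #7: envelope encryption with AES-GCM. Each object is sealed with its own data-encryption key (DEK), and that DEK is wrapped under a key-encryption key (KEK) held by the central key manager, so what sits on a disk or a stolen laptop is ciphertext plus a wrapped key, never a usable key. The object label, file contents and key material are all constructed for the example; the KEK would in practice be fetched from a KMS or HSM rather than generated locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets written to storage: the DEK sealed under the KEK,
// and the data sealed under the DEK. Neither part is readable without the KEK.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce to the AES-GCM output. The nonce is not
// secret, but it must never repeat under the same key, hence random per call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open splits off the nonce and authenticates before returning any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt generates a per-object DEK, seals the data with it, then wraps the DEK
// under kek. The object label is bound as associated data so an envelope cannot
// be silently swapped between objects.
func Encrypt(kek []byte, label string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // AES-256
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte(label))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(label))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK; with the wrong KEK, the wrong label or a tampered
// envelope it returns an error and no plaintext.
func Decrypt(kek []byte, label string, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, e.Ciphertext, []byte(label))
}

func main() {
	kek := make([]byte, 32) // assumed: held by the central key manager, never on the endpoint disk
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const label = "hr/payroll-export.csv" // constructed object name
	env, err := Encrypt(kek, label, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, label, env)
	fmt.Printf("with KEK:    %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), label, env) // what a thief with only the disk has
	fmt.Println("without KEK:", err)
}
```

Because the KEK never touches the endpoint, revoking it at the key manager makes every envelope wrapped under it unreadable at once, which is the property that makes encryption at rest a real control when a device goes missing and cannot be wiped.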
Recommended reading: Data Encryption Explained
#8. Have a solid Bring Your Own Device (BYOD) policy
A solid BYOD policy is important in any organisation. Ensure that no corporate data is stored locally on these devices, and that strong authentication (including multi-factor authentication) is required for any data viewed from them, so that the device on its own is useless to an attacker who ends up holding it.
Insist on mobile device management with remote wipe capability as a condition of connecting any BYOD device to your corporate network, and make sure staff understand that the wipe will be used if the device is lost.
#9. If you use cloud review your agreements with your providers
More organisations are turning to cloud providers to scale their digital capabilities. Wonderful, you have now scaled! But hang on, have you checked your service agreements recently? Ensure they state explicitly that you, not your provider, own the data stored, and be clear about which security responsibilities sit with the provider and which remain yours.
Review the provider’s security technologies and procedures. Verify their backup and disaster recovery capabilities rather than taking them on trust. Set up a disaster recovery test environment and rehearse restores, so you know you can actually recover data at speed in the event of data loss.
Recommended reading: Private Cloud vs Public Cloud Explained
#10. Include business managers in your data breach processes
Ensure your organisation has a top-down mandate that requires all business managers to take an active part in preventing data breaches. Managers should be responsible for, and part of, the continued education of their business unit teams.
It is all too easy to leave it to IT to provide the technology that prevents breaches, but at a time when the biggest risk is your own people, every people manager should have data risk mitigation written into their key performance indicators and be reviewed against those goals on an ongoing basis.
This matters most when business unit managers bring in sub-contractors for projects, where IT may not have full visibility of who has access to what for which tasks.
#11. Talk to Legal and have a plan
When a data breach occurs you end up with lawyers in the room, so discuss the topic of a data breach and your preparedness with your in-house counsel or your contracted legal firm before it happens, including which notification obligations apply to you and on what timescale.
Have a clear, written plan of action for handling a data breach. It should cover not just the technical teams containing the breach, but also your legal, PR and marketing teams, and it should be rehearsed so that when a breach does happen everyone simply follows the plan.
Remember, data breaches have happened even to the most prepared organisations. Your goal should be to mitigate the risks and to be ready to respond.
Over to you now. Is your organisation prepared for a data breach? Tell us your thoughts in the comments below.