1. Identify WHAT sensitive data you have within your company.
We must acknowledge our responsibility. If your business accepts sensitive data, you have a responsibility to protect that data—whether it’s “required” (by a regulation, a client, a compliance standard, etc.) or not. This is an inferred duty for any entity that stores, processes, or transmits sensitive data of any kind. We must be good stewards of the data entrusted to us.
We must know the locations of the sensitive data in our possession. This means conducting inventory of all the sensitive information your organization has. It’s not easy, and it’s not fun, but it’s an important task and one that information security professionals specialize in. It’s what each organization must do to protect the data within its control. Identify all processes where data comes into your organization, where it comes from, where it’s stored while you have it, and how it leaves the organization (including who the information goes to and whether you’re holding those parties accountable). And, of course, be sure to include in your inventory the processes where your company creates sensitive data.
Take the time to identify and catalogue sensitive data within your company. Once you have a list of the types of sensitive data and where it is stored, processed, and transmitted within the company, you can determine the threats to that data and make sure you have the controls and protections in place to help secure it.
2. Determine HOW susceptible your sensitive data is to compromise.
Examine (or implement) controls around the data stored, processed, and handled by your organization. Are the controls in place reasonable for protecting the data in question? Are there any controls you could (or should) add? What level of risk are you currently accepting? Are you okay with that?
Review your controls periodically. This generally comes in the form of an audit or assessment. An assessment can ascertain whether or not existing controls are functioning as intended, as well as whether or not they are having the desired impact on cybersecurity risk. If the controls are not functioning properly or not effectively reducing risk, change them or add additional security measures.
A penetration test can help you determine the technical vulnerability of your IT environment (and sensitive data) to compromise. This type of test helps to validate the security measures that a company may already have in place and to identify the remaining holes that could lead to data compromise.
3. Ensure company personnel understands their responsibility to protect sensitive information.
Many compromises occur because a well-meaning employee sends sensitive data via unencrypted e-mail or clicks on a link in a phishing scam. Take a few minutes this month to send a company-wide e-mail to remind employees to be vigilant when receiving unexpected messages and inquiries. Employees must be aware of the company’s policies regarding the handling of sensitive data when their job duties require them to store, process, or transmit such information. Learn more about how you can defend against social engineering.
Also, be sure that your company’s internal training includes a module on protecting sensitive data and complying with security policies. Once training has occurred, companies should periodically evaluate the effectiveness of the training by performing “social engineering tests” to assess the awareness and vigilance of personnel, and adjust training programs based on the results of the tests.
4. Address the areas that present the highest risk to the company first.
Focus on properly securing information before anything else. Do this, and compliance with cybersecurity obligations will be a natural result. The days of focusing on compliance alone will (or at least should) soon be over.
Most organizations have a limited amount of money and people resources to dedicate to information security and data protection. Before you spend a dollar of your organization’s money on security tools or products, make sure it is going to address the areas that present the highest risk to the company. That approach ensures that all money spent on security is justifiable and appropriate.
Smart companies are seeing the writing on the wall and adjusting their information security practices accordingly. Those who don’t will eventually be forced to adopt more stringent practices, one way or another. Whether that change is the result of fines, fallout, or new regulation remains to be seen.
Our team at LBMC Information Security can help you move from a posture of merely maintaining compliance to being an industry leader in responsibly and securely managing data. Contact us today to learn more!