Q/A: What data security strategies should your business consider implementing today to protect it in the future?

July 8, 2016 | SOS: Business risks that aren't on your radar but should be
Matthew McKinney, Brownwinick Law Firm, mckinney@brownwinick.com

Q. What data security strategies should your business consider implementing today to protect it in the future?

A. Open your industry’s latest trade publication, attend a business conference or simply scan the news, and data security will undoubtedly be discussed. While your industry is certainly discussing the issue, is your business’s leadership team similarly discussing data breaches and properly preparing for what FBI Director James Comey recently stated is not an “if” for businesses, but a “when”?

Here are three items your business can immediately consider for purposes of being prepared:

Knowledge is Power; Understand Your Risks. You cannot protect what you do not know. Consequently, it is critical for businesses to take time and fully understand their digital footprint. Carefully assess digital assets, where they reside, who has access, how access is (or isn’t) restricted, the various degrees of data sensitivity, and what virtual and physical protections are in place to protect the data. For instance, because a server with remote access can present an easier target for hackers, is it vital for your business that all sensitive information remain on a remote-access-enabled server?

Conversely, could your business still operate (and significantly reduce its risks) by placing top-level, highly sensitive information on a secure server that is not susceptible to the risks of remote access?

Employees Are Your First Line of Defense. Hackers are increasingly targeting human weaknesses and vulnerabilities, rather than patchable weaknesses in a company’s IT infrastructure. Specifically, through a deceptive practice known as “phishing,” today’s sophisticated hackers aim to prey on employees who may easily, unknowingly and voluntarily give up the keys to your business’s castle by merely clicking a link, downloading a file or opening an email attachment.

Notably, today’s phishing attempts are no longer blatantly obvious (being sent by the “Prince of Nigeria”). Rather, they are carefully crafted communications aimed at deceiving the recipient and gaining access to a company’s sensitive information. To the untrained eye, today’s phishing attempts often appear to come from your business’s IT team (directing a trusting employee to download a required “patch”) or from the leadership team (directing an employee to open, complete and return a “form” contained in an attachment).

The “patch” and “form,” however, are not as described, but rather, malicious code that can compromise even the most advanced infrastructures. These sophisticated attacks can trick nearly anyone in an organization. However, with proper and ongoing training, employees can identify phishing attempts and quickly become a strong defense in the daily fight against unauthorized access (internal and external) to digital assets.

Develop an Incident Response Plan. Emergencies never occur at convenient times. As such, if a breach occurs, it is critical that your business have an incident response plan in place to ensure an orderly and timely response. For instance, if a data breach occurs over a weekend, does IT have appropriate contact details and a call tree to follow? Who will your business rely on for: (1) technical expertise in stopping the breach, investigating the scope of the attack and patching the vulnerability, all while preserving records and other evidence; and (2) legal expertise in complying with state and federal notification and related requirements, including requirements specific to your industry?

A properly prepared incident response plan will include each of these items along with numerous others. Put another way, just as when your business is forced to respond to a fire or flood, time is always of the essence in a data breach, and a carefully prepared incident response plan can ensure you’ll be prepared to respond in a timely and orderly manner.