Do you have these six security best practices in place?
Information security firm ID Experts recently asked several thought leaders, which included attorneys, insurance executives and security professionals, to share their best practices on preparing for and responding to a data breach. Here is what they want you to know.
Identify risk and prioritize risk mitigation strategies
Ted Augustinos, a partner at the law firm Locke Lord, preaches continuous improvement in risk awareness and preparedness. “If breach risk mitigation has yet to be considered, management should organize a thoughtful discussion involving senior internal decision-makers and experienced outside legal and technical resources about assessing risk and prioritizing risk mitigation activities.”
Reduce breach risk with an incident response plan
Have an updated and tested incident response plan that is documented and communicated to all accountable for managing a response, counsels Dave Molitano, senior vice president at OneBeacon Technology Insurance. “In addition, the proper resources should be identified and readily available. When a breach strikes, follow the plan and listen to those who are there to assist you.”
Protect information assets with smart security
Smart security means using best practices, say Rick Kam, president at ID Experts, and Sean Hoar, a partner at the Davis Wright Tremaine law firm. These include factoring security into decision-making at every department and level of the organization, avoiding collection of non-essential data, keeping only information for which there is a legitimate business need, and using it only when required. Kam and Hoar also strongly recommend adopting the 12 critical security controls recommended by the Center for Internet Security.
Get the right cyber insurance
Few organizations can handle the costs of a breach on their own, says Kimberly Holmes, cyber liability counsel at ID Experts. “It could be characterized as penny-wise and pound-foolish not to have some form of standalone cyber insurance in place in addition to other investments by the organization in IT security measures.”
Look beyond breach notification
The response to a breach should not be limited to notification; organizations also need to focus on containment, corrective action and preparing for regulatory investigations and potential litigation, warns Adam Green, a partner at Davis Wright Tremaine. “Too often, organizations are focused on the immediate response. They need to consider future consequences of the breach such as what might happen in a court of law.”
Put customers first
Individuals affected by a breach worry about identity theft. Organizations that provide timely and precise information and help those individuals resolve their personal issues often find that their reputation, enforcement profile and litigation are affected less severely than those whose responses are inadequate or late, says attorney Augustinos of Locke Lord.