Posted 8.12.13
by wpadmin

Avoiding Business Disruptions Caused by Data Breaches

A recent study by the Ponemon Institute and Experian Data Breach Resolution reveals that 45 percent of organizations reported suffering a data breach or security exploit over the past two years as a result of negligence or mistakes that caused the loss of confidential business information. Thirty-four percent experienced a disruption in business operations, and 24 percent were victims of misuse or theft of confidential business information (e.g., intellectual property).

[Figure: 2013 Data Breaches; Source: Ponemon Institute]

Last year I wrote the article, Michigan Cyber Initiative Reports ‘People’ as Weakest Link in IT Security, citing Michigan.gov’s cybersecurity advice about Personnel Security Controls – “People are the key ingredient to a successful organization, but people can be the weakest link for security of the environment.”

Countless data breaches can be attributed to human error, including sloppy IT security practices, like the recent healthcare data breach caused by a health IT vendor that left its firewall turned off for a month, allowing Google to index private data (read PHI Indexed on Google? Reaffirming the Need for Business Associate HIPAA Compliance for the whole story).

Mistakes happen, but risk mitigation can start with preventive measures such as up-to-date, consistent staff security training. Appointing a risk management and security officer to train staff on simple policies for physical and network security helps protect business data.

According to a Ponemon Institute report, The Human Factor in Data Protection, examples of employee behavior that put companies at risk include connecting to the Internet via an insecure wireless network, connecting personal mobile devices to the organization’s network, and using generic, unencrypted USB drives, among others.

The security of your organization also extends to the security practices of your contracted vendors (business associates in the case of healthcare). For data center and hosting providers, a few physical security precautions to check include:

  • Two-factor authentication for physical access – Everyone in the data center should wear an identifying badge, and entry should require at least two factors, such as a badge plus an access code, or a badge plus a biometric fingerprint scan.
  • Extensive video surveillance – Ask to see the video logs and how long recordings are retained (at least 90 days).
  • Visitor logging – Logbook entries should match the video surveillance footage. Ask when an independent auditor last confirmed that the visitor log matches the video archive, ask who the auditor was, and check the auditor’s company to confirm its credibility.
  • Procedure documentation – Ask to review the documented procedure for granting access on an unannounced visit, by phone call, or by email.

Other technical controls that can protect web applications and data on the network include file integrity monitoring (FIM), web application firewalls (WAF), daily log review, vulnerability scanning, encryption, and more.

Find out other ways to avoid a data breach in:

Ensuring Cloud Vendor Security Transparency in the Age of Data Breaches
Gartner recently released recommendations for gaining transparency into cloud software as a service (SaaS) contracts, including emphasis on annual security audits and certification by a third party to verify a cloud vendor’s operating/product security. Gartner also recommends that contracts …

HIPAA Violations Cost Health Insurer $1.7 Million: Lessons Learned
Reuters reports that WellPoint, Inc., the second largest U.S. health insurer, has reached a $1.7 million settlement with the Dept. of Health and Human Services as a result of a data breach that exposed over 600k health records. WellPoint’s online database …

Disabled Firewalls, Lack of Log Monitoring & Risk Analysis Lead to HIPAA Data Breach
The latest HIPAA data breach case resulting in Dept. of Health and Human Services fines involves disabled server firewall protections that left the ePHI (electronic protected health information) of 17,500 patients vulnerable for at least 10 months. According to the …

References:
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
