Presidential Proposals and Good Governance
Recently, the President proposed several pieces of legislation meant to increase cyber security and prevent cyber-crime. These new proposals aim to expand federal data protection requirements, currently applied only to healthcare organizations, financial institutions and federal agencies, to all industries nationwide.
Many states already require organizations to protect sensitive data. As of January 2015, data breach notification laws are on the books in 46 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam. Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada have also passed laws requiring businesses to implement and maintain security measures to prevent the personal information of state residents from being compromised.
Among the President’s proposals is a federal law that would require all companies to notify consumers within 30 days any time personal data has been exposed. Also endorsed is a consumer privacy “bill of rights” governing how that consumer data would be held and used by companies. Whether these measures will progress in the near future in a Congress not known for often moving with haste remains to be seen. But having the right tools in place to determine when a breach has occurred and knowing what data you hold, and where, is simply good governance and something every company should practice in a business climate replete with cyber-attacks.
Here are some simple steps organizations of any size can take to prepare and prevent a data breach, secure data quickly, and document essential intelligence along the way:
Build a business-critical data protection program/flow model. This helps to ensure that those who have legitimate access to the data are handling the information in the manner prescribed by the business. This doesn’t need to be complex, but do be aware of which servers, document repositories, and cloud applications process critical data.
Prioritize personally identifiable data and apply the legal principle of due care* in designing defenses for the data entrusted to you.
Ensure these assets are known to your IT and security staffs, so that you know if something moves or changes.
Install anti-malware, Data Loss Protection (DLP) and network monitoring on these assets. DLP helps ensure that those who may fraudulently access data are unable to exfiltrate it.
Monitor your industry for other breaches; if another vendor is hit, you could be next.
Test backup processes; after an asset is compromised, when systems need to be taken down and restored, is not the time you want to find out whether your backup processes are operating as expected.
And just in case, have a plan for a data breach:
Have a call tree and test it; include IT, legal and public relations as well as the C-suite and other key executives.
If you’re an enterprise with a large client or consumer customer base, you may need to set up a call center in order to handle the inbound call volume that often results from a data breach. Have potential vendors under contract so call centers can be up and running within 24 to 48 hours of the public’s notification.
Evaluate your cyber insurance. Do you have it and is it enough?
While there is no such thing as perfect security, it’s critical to have best practices in place to protect and monitor your critical data. Ensuring you’re taking the necessary precautions now prevents a mad scramble to get up to speed later should new legislation, or an unexpected breach, require it.
For more information on Websense products designed to help safeguard your networks and data, click here.
*Due care: the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.