The theft and loss of confidential customer information is something that companies have always had to deal with. But now, in the information age, when data has become mission-critical and cyberattacks are ever-more sophisticated, the 24-hour news cycle has brought data breaches to the forefront of public consciousness.
Never was that more obvious than in 2011, when a string of high-profile data security incidents made headlines and had consumers around the world paying closer attention to how their sensitive information is protected.
"The fact is breaches happen and often at the worst of times," stated a recent release from the Online Trust Alliance (OTA), an industry standards group. "Rather than be lulled into the belief it will not happen to your business, a well-designed plan is emerging as an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse."
Those comments accompanied the organization's latest report, the 2012 Data Protection & Breach Readiness Guide. In addition to taking a closer look at recent incidents, the report outlines best practices organizations can follow to prevent a breach and to limit the harm when one occurs.
In the fall, the Ponemon Institute released its own report detailing the financial losses and brand value damages a company can expect following a data breach. Depending on the scope of the incident and the type of information breached, Ponemon researchers said, an organization valued at $1.5 billion can expect to lose between $184 million and $330 million in brand value.
Those figures equate to a loss of between 12 percent and 25 percent of brand value for the companies and incidents analyzed.
"The loss or theft of sensitive customer data, as our study quantifies, can have a serious impact on the economic value of a company's reputation," said Larry Ponemon, the founder of the analysis firm.
According to the OTA's report, there were about 560 reported data breaches in 2011 that cost U.S. companies a total of $6.5 billion. Half of those incidents were caused by network intruders exploiting vulnerabilities in company servers. Many of these events could have been avoided by following the guidelines spelled out in its report, the OTA said.
Within the 2012 Data Protection & Breach Readiness Guide, the organization said that dealing with an incident effectively centers on three main areas: data governance and loss prevention; incident response planning; and training, testing and budget.
"The purpose of this guide is to provide prescriptive guidelines that help businesses to proactively develop a plan to minimize data collection, enhance data protection and to create a customer-centric incident response plan," the report stated.
The process for data governance and loss prevention begins with knowing what types of information the company has produced and stored, and where, according to the OTA. Applying controls at the data level, such as classification and data loss prevention technologies, means protection travels with the information itself rather than depending on the security of whichever system happens to hold it.
That phase is critical if a company is to avoid suffering a data breach. But should one occur, the organization will need a response plan and strategy in place to minimize the damage.
For this aspect of the process, the OTA said a response team is required. These employees should be identified ahead of time and have the knowledge and authority needed to deal with a breach. They should also be drawn from numerous areas of the business, since all will be affected. The team should play a central role in drafting and communicating a response, determining the organization's notification obligations and carrying out the entire process.
Finally, as another central part of preventing a breach, the company must ensure that appropriate employee training, data security testing and budgets are in place.
If technical data protection measures are a company's first line of defense, employees are a close second. An organization can't hope to safeguard mission-critical information if the people handling it aren't at least somewhat knowledgeable about the subject.
And practice makes perfect, of course. The OTA said companies should regularly test all aspects of their data protection programs, from loss prevention and security controls through to how they would handle a response. Doing so can make a big difference in the extent of the damage done by an actual incident.
The Data Loss Database is an online reference that tracks and analyzes reported data breaches. Already this year a handful of incidents have exposed nearly 2 million records. About 1.8 million of those were exposed in a single incident at the New York State Electric & Gas and Rochester Gas and Electric utilities.
The New York State Public Service Commission responded by apologizing for the event and stating that no evidence of misuse had been reported as of a week after the incident.
Data Security News from SimplySecurity.com by Trend Micro