Breaches Can Happen, Even if You Do Everything Right
Let’s take a trip down memory lane and revisit some of the most noted data breaches in 2021; Socialarks, Microsoft, Twitch, ParkMobile, Reverb, Colonial Pipeline, Android, Volkswagen & Audi, LinkedIn, T-Mobile, and Neiman Marcus Group, to name just a few. Do you think that these major corporations did what they could have done to avoid the data breach? It is always hard to say because when it comes to data there are so many “hands in the pot”.
The more information you collect, transfer, and save, the more risk you take on. Although some data is regulated such as Personal Information (PI), Healthcare information (HIPAA), and Financial Information (GLBA), a public data breach, regardless of the type of data lost, can negatively impact an organization. It is hard to say if these large company did everything right, but you can say they are doing something and that something is likely quite substantial.
For every large breach we read about, there are thousands of breaches occurring to smaller businesses. Just because they are not making headlines doesn’t mean they are not impactful. For those companies their survival is at stake. So how does a small to medium size business navigate the every changing threat landscape? Smaller organizations cannot afford the multi-million dollars some of these enterprises are spending. My recommendation is to tackle what is “reasonable”. I use the word “reasonable” because that is what regulators are looking for. A “reasonable” privacy and security program. What does that mean? That is very hard to answer correctly, but what I can say is that it doesn’t mean not doing anything.
A small to medium size business can implement a privacy and security program that focuses on avoiding being the easy target. 90% of breaches are avoidable! You have heard, “Don’t walk by yourself at night.”? The same goes for protecting your data. Create a privacy and security program that focuses on policies and procedures (we all them administrative controls in the audit world) and ensure they are being followed; scanning your publicly accessible devices and assets like your firewalls and websites; and a vendor management program to mitigate your risk of a third party losing your data.
A recent breach of a hospital shows that even if you do everything right you cannot always control the situation. In this example, an employee with access to their systems viewed patient data that they has no reason to view. Some may say, they should not have been given the access, but there is fine line between too much and not enough access. With administrative controls, technical controls and monitoring in place, it does not guarantee that a breach will not occur. But layering on these controls and monitoring allow the hospital to perform the investigation and provide evidence of the action. Could there have been more? Yes, notification alerts could have been in place when there was excessive use of a system, use of a system outside of defined hours, etc. Although these may not have stopped the breach from occurring it may have identified it sooner.
Businesses need to look at what is a reasonable privacy and security program.