Data loss is a critical business issue today. Businesses face regulatory fines, loss of customer confidence and even irreparable damage to brand reputation in the face of data loss. Yet, it is often difficult for executive management to make clear decisions about protecting information under their care and control. Why? In order to prioritize budgets and then build public trust and confidence in a data security program, an organization must first have such a program.
Even though your company may have implemented sound security controls, most IT professionals are not focused on measuring their effectiveness. Their priority is on collecting, storing and using data, rather than demonstrating compliance with regulations and focusing on the best practices to protect it. Too often the status quo is to simply implement an external firewall to keep outsiders away, and to place antivirus software on end-user computers. However, every company should have personnel who can adapt security controls and practices to protect data, especially in light of the new threats from professional and even state-sponsored attackers.
Fortunately, many organizations have the building blocks of solid data protection practices. The initial test is to ask three simple questions:
- Is there one person in the company responsible for the security and privacy of business-sensitive data, employee information and your customers' personal data?
- Does this person provide periodic reports and metrics to executives so they can tell whether or not the company is doing a good job?
- Does the company have a written policy and documented procedures for the security and privacy of data under your care and control?
A Point Person
Absent someone who owns the data protection role along with responsibility for security and privacy, this area is often relegated to a part-time responsibility or even an afterthought. However, even the Securities & Exchange Commission (SEC) now requires auditors to disclose security events affecting your company, as it can affect your valuation among other issues. Shoddy data protection practices leading to a security incident qualify as such an event.
The Right Procedures
Disciplined reporting procedures create the opportunity to make sound business decisions regarding data protection. Without a dedicated resource managing company security, it is unlikely your organization will be in a position to collect meaningful metrics with regard to data protection. This means your organization cannot reassure its stakeholders that data protection is under control and will be unable to provide guidance on an SEC topic requiring disclosure. Further, in the event of a significant security event, it is likely you will have access to only a minimal amount of information, with no basis for comparison.
A Documented Policy
Most mature security programs have a rigorous documentation component. And with the anticipated arrival of legislation and additional regulatory enforcement, a documented policy will be required for security and privacy, as well as training and procedures for staff to implement the policy. For example, what is your company’s policy for connectivity of mobile devices, both personal and those owned by the business? A lack of policies like these means that an organization will likely fail a certification test and be unable to purchase cyber insurance.
Companies that can answer yes to the previous three questions are in a unique minority for now, but not for long. Next-level issues such as adequate budgets for data protection and building a resilient IT architecture are prompting more and more organizations to assess their program's maturity. A well-defined data protection plan is an important first step in the never-ending journey that is cyber security.
Marc conducts investigations in the areas of the Foreign Corrupt Practices Act (FCPA), financial reporting, anti-money laundering, ethics and integrity, and government investigations. He specializes in financial fraud, white collar investigations and dispute damages.