High-profile breaches have thrust security and risk into the spotlight. Despite this, many organizations are failing to prioritize risks and take a proactive approach to information governance, ensuring that sensitive data is identified, classified and remediated. According to the 2015 Data Breach Investigations Report, 99.9 percent of exploited vulnerabilities were compromised more than a year after they were published.
Risk was top of mind for panelists in our Super Session at Legaltech New York. “Time is Not on Your Side When it Comes to Data Security” was moderated by Chris Dale and featured Adam Isles, principal at the Chertoff Group; Ed McAndrew, partner at Ballard Spahr; and Scott Carlson, partner at Seyfarth Shaw.
There’s been a tendency to segment risk, with various departments shouldering the responsibility, Scott noted. For instance, companies have grappled with the question of whether risk is an IT issue or a business operations responsibility.
“It’s one thing for the CISO to understand risk, but everyone needs to understand risk,” he said. Engaging business leaders in discussions about cybersecurity and risk is a critical component in identifying key assets such as intellectual property that need to be safeguarded. “The private sector is in the crosshairs,” Ed said. “Threats are constantly evolving.”
He went on to note that data now lives in numerous locations and that the aggregation and collection of data is constantly transforming. The regulatory landscape is also more complex. When he was working as an Assistant U.S. Attorney specializing in cybercrime, Ed said, the businesses with whom he interacted varied widely in their preparedness for a cyber incident. Too often, they were starting from a place of crisis when it came to incident response.
Best practices for minimizing future risk and making sure your organization is better equipped to deal with a cyber incident include:
- Identify your key assets;
- Assess threat, vulnerability and consequences of compromised data;
- Implement key policies and standards;
- Conduct audits and penetration tests;
- Participate in incident response activities.
Adam recommended that organizations hold tabletop discussions running through various cyber threat scenarios. Such drills can help organizations address potential issues before an incident or attack occurs.
Scott also recommended determining an organization’s obligations before a breach. For instance, there is no uniform data breach notification law in the United States. Companies should familiarize themselves with what their state requires and what triggers breach notification requirements.
If an organization is breached it should resist the urge to hack back or use compromised systems to communicate. In some instances, hackers have remained in the infected system and monitored communications after a breach was detected.
By reducing the surface area of risk, organizations can significantly mitigate potential damage from breaches and improve their ability to comply with global data protection mandates.
Learn more about EnForce Risk Manager, the only automated solution to proactively identify, categorize, and remediate sensitive data, on our website, and sign up for the latest updates.