By now, the news has been well reported in the press. The Federal Deposit Insurance Corporation (FDIC) admitted in May that it has experienced at least five major data breaches since last Oct. 30.
While all five apparently took place when employees left the agency with thumb drives that contained sensitive data, two of the cases have been identified as extremely problematic. In one case, PII on 44,000 FDIC customers was compromised and in another case, 10,000 Social Security numbers were compromised.
Dana Simberkoff, chief compliance and risk officer for software firm AvePoint, says that these kinds of breaches are avoidable if organizations have more clearly defined data protection policies and coordinate those efforts with every department in the organization.
“Data protection has to be everyone’s job,” Simberkoff says. “Too often, the line-of-business people just think they are there to do their jobs and make money. IT wants to service the business, the security team is focused on hackers and privacy advocates focus on compliance. They are all off doing their own functions.”
Simberkoff offers five best practices organizations can use to make data protection more of a priority:
1. Get the HR department more involved. A lot of organizations will just form a committee of top people from all the departments and let the issue slowly die. Start by getting the human resources department more involved. After all, they are the ones who will have to explain the company’s data policies to employees when they enter and exit the organization. They are also responsible for explaining any changes to the company’s data policies and will help coordinate any awareness and educational efforts.
2. Develop a clear employee exit strategy. Organizations need a plan for when employees leave voluntarily and for when they are asked to leave. While it’s up to the organization how closely it wants to supervise a fired employee, in both cases expectations have to be set up front, when the employee enters the organization, so there are no misunderstandings. Think in terms of low, medium and high for access. Once an employee gives notice, it makes sense to ratchet down his or her access to classified information and give them only the information they need to do their job until they leave.
3. Create a plan for protecting corporate data. Part of the problem in the FDIC case was that the employees commingled personal and agency data. It’s getting more and more difficult for IT organizations to separate personal data from company data. However, IT departments can protect corporate data by properly doing discovery, tagging, classifying, protecting, and then auditing the data regularly. By doing this, the organization can also prepare for the EU’s General Data Protection Regulation, which goes into full effect May 25, 2018. Any entity that has a European operation, even if it’s only online, must abide by the new regulation. A data breach can bring stiff penalties of up to 4 percent of a company’s annual revenues.
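The discovery, tagging, classifying and auditing sequence above, as an added example that is not from the article or from AvePoint: a small Python pass over a constructed file inventory (the paths, owners, locations and contents are made up for illustration). It tags records that contain Social Security number or e-mail patterns, assigns a low/medium/high classification, and then audits for the two failure modes the FDIC cases illustrate: sensitive data on removable media, and agency data commingled in a personal folder. The handling rules (no data above "low" on removable media, nothing sensitive under a "personal" path) are assumptions chosen for the example.

```python
import re

# Constructed sample inventory for the example; not real agency data.
SAMPLE_FILES = [
    {"path": "/agency/loans/q3_report.txt", "owner": "jdoe", "location": "agency_share",
     "text": "Customer acct review. SSN 123-45-6789 contact jane@example.com"},
    {"path": "/removable/USB01/personal/recipes.txt", "owner": "jdoe", "location": "removable",
     "text": "Grandma's pie recipe"},
    {"path": "/removable/USB01/work_backup/customers.csv", "owner": "jdoe", "location": "removable",
     "text": "name,ssn\nA Smith,987-65-4321\nB Jones,111-22-3333"},
    {"path": "/removable/USB01/personal/notes.txt", "owner": "jdoe", "location": "removable",
     "text": "Call M. Lee 555-0100 re: case, SSN 222-33-4444"},
    {"path": "/agency/memos/holiday_schedule.txt", "owner": "hr", "location": "agency_share",
     "text": "Office closed Dec 25. Questions: hr@example.com"},
]

# Discovery patterns: a US SSN shape and a simple e-mail address shape.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


def discover(text):
    """Discovery/tagging step: the set of sensitive data types present in the content."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def classify(tags):
    """Classification step: map the tags to a handling level (assumed policy)."""
    if "ssn" in tags:
        return "high"
    if tags:
        return "medium"
    return "low"


def audit(files, removable_ceiling="low"):
    """Audit step: report every file whose classification violates the handling rules."""
    findings = []
    for f in files:
        tags = discover(f["text"])
        level = classify(tags)
        reasons = []
        # Rule 1 (assumed): nothing above the ceiling may sit on removable media.
        if f["location"] == "removable" and LEVEL_RANK[level] > LEVEL_RANK[removable_ceiling]:
            reasons.append(f"{level} data on removable media")
        # Rule 2 (assumed): a "personal" folder must not hold classified agency data.
        if "/personal/" in f["path"] and level != "low":
            reasons.append("agency data commingled in a personal folder")
        if reasons:
            findings.append({"path": f["path"], "owner": f["owner"], "level": level,
                             "tags": sorted(tags), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Running the audit on the sample inventory flags two files: the customer CSV on the thumb drive, and the personal notes file that carries an SSN, which is reported for both reasons. In a real deployment the patterns and rules would come from the organization's classification policy and the audit would be scheduled, not run by hand.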
4. Keep close tabs on the organization’s data access policies. As a general rule, employees should only have access to the data they need to do their jobs. Think of data access as low, medium and high. If the employee has been assigned to a special project where they need a higher level of access, let them have it for the duration of the project, but have a program in place that supervises and tracks their move back to the normal level of data access. Companies need a system that assigns access levels and constantly reviews the organization’s data requirements.
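Points 2 and 4 together describe one access model: a normal low/medium/high level per job, temporary elevation for a project that is tracked and reverted, and a ratchet-down when an employee gives notice. The following is an added example in Python, not the article's or AvePoint's code, of a registry that enforces those rules. The user names, project name, dates and the choice of "low" as the offboarding floor are assumptions made for the example.

```python
from datetime import date, timedelta

LEVELS = ["low", "medium", "high"]


def rank(level):
    return LEVELS.index(level)


class AccessRegistry:
    """Tracks each user's baseline level, any time-bounded elevation, and an audit log."""

    def __init__(self, today):
        self.today = today
        self.baseline = {}      # user -> normal level for the job
        self.elevations = {}    # user -> {"level", "project", "expires"}
        self.departing = {}     # user -> floor level after giving notice
        self.log = []           # (date, user, action, detail)

    def _record(self, user, action, detail):
        self.log.append((self.today, user, action, detail))

    def assign(self, user, level):
        """Set the level an employee needs for normal duties."""
        self.baseline[user] = level
        self._record(user, "assign", level)

    def elevate(self, user, level, project, days):
        """Grant a higher level for a named project, with a hard expiry date."""
        if user in self.departing:
            raise PermissionError(f"{user} is departing; no elevation allowed")
        if rank(level) <= rank(self.baseline[user]):
            raise ValueError("elevation must exceed the baseline level")
        expires = self.today + timedelta(days=days)
        self.elevations[user] = {"level": level, "project": project, "expires": expires}
        self._record(user, "elevate", f"{level} for {project} until {expires}")

    def give_notice(self, user, floor="low"):
        """Offboarding: drop any project elevation and cap the baseline at `floor`."""
        self.departing[user] = floor
        self.elevations.pop(user, None)
        if rank(self.baseline[user]) > rank(floor):
            self.baseline[user] = floor
        self._record(user, "notice", f"capped at {floor}")

    def effective_level(self, user):
        elev = self.elevations.get(user)
        if elev and elev["expires"] >= self.today:
            return elev["level"]
        return self.baseline[user]

    def review(self):
        """Periodic review: revoke expired elevations and report anything out of policy."""
        findings = []
        for user, elev in list(self.elevations.items()):
            if elev["expires"] < self.today:
                del self.elevations[user]
                self._record(user, "revoke", f"expired elevation for {elev['project']}")
                findings.append((user, "expired elevation revoked", elev["project"]))
        for user, floor in self.departing.items():
            if rank(self.effective_level(user)) > rank(floor):
                findings.append((user, "departing user above floor", self.baseline[user]))
        return findings

    def advance(self, days):
        self.today += timedelta(days=days)


def demo():
    """Constructed scenario: a project elevation that lapses, and an employee giving notice."""
    reg = AccessRegistry(date(2016, 6, 1))
    reg.assign("alice", "medium")
    reg.assign("bob", "high")
    reg.elevate("alice", "high", "audit-2016", days=30)
    during_project = reg.effective_level("alice")
    reg.advance(31)
    findings = reg.review()
    after_project = reg.effective_level("alice")
    reg.give_notice("bob")
    return during_project, after_project, findings, reg.effective_level("bob")


if __name__ == "__main__":
    print(demo())
```

The point of `review()` is the part of item 4 that is usually missing in practice: the grant is easy, the tracked move back to the normal level is what needs a program behind it. Here the expiry is recorded at grant time and the review both revokes and logs, so an elevation cannot quietly outlive its project.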
5. Try to limit shadow IT. Line-of-business managers resort to shadow IT when corporate IT’s privacy and security practices stymie them, driving them to use SaaS services that they can easily provision, often at a lower cost. Rather than fighting the trend, corporate IT must embrace the cloud and work more closely with the line-of-business people to understand their requirements and get them the applications they need to get work done. In many cases, cloud computing offers greater security, and there’s much less chance of a serious breach if IT knows what’s going on and can put the proper security controls in place during the negotiations with the cloud provider.