Posts Tagged ‘security breach’

Creating an Incident Response Plan

Friday, November 21st, 2008

Taking steps to protect personal information in your files and on your computer can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why it’s important for companies to have an incident response plan in place before a security incident occurs. Putting together a “What if?” action strategy now may help reduce the impact an information breach can have on your business, your employees, and your customers.

Here are some tips about customizing your company’s incident response plan.

  • Senior management sets the tone for any organization’s commitment to data security. That’s why drafting, coordinating, and implementing your company’s response plan isn’t a job for a newcomer. Designate a well-respected senior executive to head up your response team. Select someone with a reputation for working well with every part of your operation — sales, financial, personnel, information technology.
  • Once you’ve put together your response team, have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a rootkit attack, to name just two — are unfortunate, but foreseeable.
  • Experience sharpens intuition. If your staff suspects a breach, investigate it immediately.
  • If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Investigate whether intruders opened files or placed new programs on your computer. Did they release viruses or other malware? By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.
  • Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.

Benefits of a Data Retention Policy

Tuesday, November 18th, 2008

Most businesses accumulate massive amounts of sensitive information, and like many of us at home, we never get around to throwing out the stuff we don’t need anymore. But times have changed. In an age of security breaches and identity thieves, holding on to sensitive business or customer information longer than necessary can significantly increase your information security risks.

The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, and sales and customer service records, in both digital and non-digital form. This process should be driven by the creation of a data classification scheme which identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.

Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed of. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing the sensitive data in your possession. One tip: Scale down — keep only what you need for business.

  • If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
  • Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
  • Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
  • If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.
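The two checks above that lend themselves to automation are finding card data that software has quietly kept on file and finding records held past the retention period. The following is an added example, not code from the original post: it scans constructed sample records for Luhn-valid card numbers (reporting them masked) and lists records older than an assumed one-year retention period.

```python
import re
from datetime import date, timedelta

# Constructed sample records (all values made up) standing in for a small
# customer-service or order database that may have retained too much.
SAMPLE_RECORDS = [
    {"id": 1, "created": date(2008, 1, 10), "notes": "Paid by card 4111 1111 1111 1111 exp 03/10"},
    {"id": 2, "created": date(2008, 11, 1), "notes": "Invoice #1042, net 30"},
    {"id": 3, "created": date(2007, 6, 2), "notes": "Order ref 1234567890123 shipped"},
    {"id": 4, "created": date(2008, 10, 15), "notes": "Card on file: 5500-0000-0000-0004"},
]

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in free text, masked to the last four digits."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def retention_report(records, today: date, keep_days: int) -> dict:
    """Flag records that hold card data and records older than the retention period."""
    cutoff = today - timedelta(days=keep_days)
    card_data = {}
    for r in records:
        hits = find_card_numbers(r["notes"])
        if hits:
            card_data[r["id"]] = hits
    expired = [r["id"] for r in records if r["created"] < cutoff]
    return {"card_data": card_data, "expired": expired}

def sample_report() -> dict:
    # Assumed policy: one year of retention, evaluated as of the post date.
    return retention_report(SAMPLE_RECORDS, date(2008, 11, 18), 365)

if __name__ == "__main__":
    print(sample_report())
```

Record 3 contains a 13-digit order reference that fails the Luhn check, so it is not reported as card data, but it is flagged as past retention.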

Data Classification Schemes

Sunday, November 16th, 2008

Every company, no matter how big or small, should have a data classification scheme that defines the level of protection required for all company documents and customer and partner information. This classification scheme is a fundamental component of information security and should cover both digital and non-digital data assets, such as contracts, invoices, copies of checks, incoming faxes, etc. In a hardware store, for example, a data classification scheme would identify the sensitivity of every piece of data in the store, from customer account information to supplier delivery receipts.

Most businesses adopt a data classification scheme that categorizes information into the following four levels:

  • Company confidential
  • Private
  • Sensitive
  • Public

A simple scheme like this facilitates improved data security because it clearly identifies and communicates the levels of confidentiality required for all data and the people who should have access to it. For example, a presentation or patent application that is labeled “Company Confidential” is clearly not meant to be distributed outside of a company.

Good data classification schemes should also include a time element that lets data change its classification after a specified interval, and an owner who is responsible for maintaining and protecting a specified data type or source.

Neglecting to implement adequate security controls for sensitive information can lead to increased corporate liability and regulatory censure. Without a data classification scheme, a company may treat all information the same, greatly increasing the chance of accidental disclosure or security breaches.

Writing a data classification scheme is not that difficult, and I’ve supplied a sample template below that can help you jump-start the process. Getting it implemented, however, may require a substantial degree of organizational change, so it is best to get the buy-in of senior management before you start that process.

A Data Classification Policy Template
