Did your company celebrate data privacy day yesterday? Most did not and that's a shame.
Why? Because Data Privacy Day, a six year old observance created by the National Cyber Security Alliance (NCSA) is an international effort to educate people on how to protect their privacy and control their digital footprint. And if your employees begin to view data protection as a vital task that matters to them personally, they'll do a better job of helping you protect company data.
"That may seem like a somewhat cynical view, but the reality is that many data breaches happen because employees get so caught up in short-term goals like accomplishing a specific task " say printing changes to a report before a big meeting " that they lose track of the fact that their behavior could be endangering valuable company data," explains Jared Hansen, CEO and founder of secure mobile printing leader Breezy. "Data Privacy Day reminds them that we are all stewards of personal and company data, and that is a huge step toward recruiting them as partners in your attempts to avoid a data breach."
In honor of Data Privacy Day, the International Association of Privacy Professionals (IAPP) offered these tips that companies should consider when planning for data security. While they may be common practice in your IT organization, it's a good idea to review them to make sure you've got your bases covered, Hansen says.
Know Thy Data. Determine what data you collect and share. Classify it according to how critical it is, and how sensitive the data is. What could be considered personally identifiable information (PII)" Define whether data is "in use," "in motion" or "at rest." Know where the data is physically stored.
You Don't Know What You've Got Till It's Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that's no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it's fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
Practice or You'll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you've implemented leading security best practices, and provided training to your entire staff " not just IT " on how to spot them. Don't forget to practice your response plan, including mobilizing the legal, regulatory, and public relations teams you'll need in the event of a breach.
Create Safe BYOD Policies. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. Unprotected user-owned devices can easily pass malware and viruses onto company platforms. Hansen says it's vital to develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, install a proven EMM solution that includes secure mobile printing, and develop procedures for employee loss notification.
Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
Forensics? Don't Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it's easy to accidentally modify or disrupt the chain of custody.
Where are the Logs" Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they're protected.
Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish "first responders" available 24/7 (hackers don't work a 9 to 5 schedule).
Get Friendly With Law Enforcement & Regulators. Reach out to law enforcement and regulators _prior _to an incident. Know who to contact so you won't have to introduce yourself in the "heat of the battle." When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don't inflame the situation by becoming defensive; focus on what you're doing to help affected parties.
Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company's reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
As shown by the recent data breaches that have hit Target, Neiman Marcus, Home Depot, Michaels, Sony, and Barnes & Noble, most IT professionals have accepted the idea that it isn't a question of whether or not they'll someday suffer a data breach, but when the breach will happen, and how they will respond. There's no question that a data breach is a crisis situation for any company. But something as simple as an annual "Data Privacy Day" training program for employees can go a long way toward mitigating the damage a breach can do to your company's reputation.
That's because you need to be seen to be prepared, not just be prepared, Hansen says. "Your employees are the human firewall that can do the most to help you protect data. After a breach, if you can demonstrate that you've taken every possible step to protect data " including training and recruiting your employees to help " it can go a long way with regulators and the press when it comes to managing the damage to your company's reputation," the Breezy CEO says. Hansen, who was a practicing lawyer who founded Breezy when he was unable to find a secure mobile printing solution for his law firm, says that how your employees talk about a data breach matters a lot after such a breach.
"You definitely want to be able to show that you were prepared, you deployed all of the training, technology, and monitoring tools available to you, and you are doing everything in your power to protect data before and after the breach," he says.
How do you protect data after a breach? If the data was encrypted, the thief who gets it has much less valuable data than one who gets unencrypted data, he says. "That's why on-device encryption for mobile devices is so important."
Breezy's secure mobile printing technology is fully integrated with EMM providers like AirWatch, Citrix, Good Technology, IBM (Fiberlink's MaaS360), and MobileIron and many others, and can add an extra layer of protection to the mobile devices that connect to your network or store your data. For more information on mobile device security and secure mobile printing, watch this video from Breezy, download The Definitive Guide to Mobile Printing, a free ebook, or click here to schedule a Breezy demo now.
Customers report that Breezy installations are among the easiest they’ve ever seen for an enterprise product.