Five Steps to Minimizing Risk from a Data Breach

Posted on May 19, 2015

Luis A Aguilar, commissioner at the US Securities and Exchange Commission (SEC), spoke directly to CEOs and members of corporate boards in June 2014: "Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."

Cybersecurity has become such a big liability risk for corporations that more and more litigation is focused on holding board members and executives personally liable for failing to comply with the "ethical and fiduciary duty" to stay "reasonably informed of cybersecurity risks, and exercise appropriate oversight in the face of these now well-known risks," according to a new article in the Ethical Boardroom magazine.

What that means for enterprise IT and the managers responsible for managing mobile devices in the workplace is that more scrutiny than ever is being directed at mobile device security. Prat Agarwal, director of business development at secure mobile printing leader Breezy, says that attacks against enterprise security are inevitable, and mobile devices are a vulnerable point for many organizations.

Companies are justifiably worried about high-profile attackers like Anonymous, Agarwal says. But even if you manage not to run afoul of hackers with a political or social agenda, most companies are vulnerable to the more common variety of hacker: those who want to steal data they can hold for ransom or sell to the highest bidder. "Make no mistake: being a hacker is a lucrative business these days, and every corporation has very valuable information in its system."

Security consultancy FireEye reported that mobile devices are the Maginot Line of enterprise security. France's famed Maginot Line was a technically impressive 940-mile border defense that Germany simply bypassed with its blitzkrieg style. FireEye says that today's cyber defenses are fast becoming a relic in today's threat landscape. Organizations spend billions of dollars every year on IT security. But attackers are easily outflanking these defenses with clever, fast-moving attacks that include mobile devices.

Key findings in the company's recent report include:

Those facts, along with high-profile data breaches such as Target, Home Depot, eBay, Michaels, Sony, Anthem, and a global banking breach that cost more than 100 banks in more than 30 countries a billion dollars, are driving the trend toward holding corporate boards and executives personally liable, says Dallas attorney Shawn E. Tuma.

"The initial breach of the company's systems is not what causes the harm - it's the inability to quickly detect, mitigate and respond to it," Tuma wrote in his article in the Ethical Boardroom.

How to Prepare for the Inevitable

While the situation is difficult, it isn't hopeless, Agarwal says. "Phishing attacks, many of them via email or texts sent to mobile devices, account for the vast majority of hacker attempts to penetrate enterprises. Training, education, and a comprehensive mobile device management strategy can be among your best defenses."

That's particularly important if company executives and board members are concerned about individual liability, because the first question asked after a data breach is almost sure to be, "What did you do to prepare for a possible attack?" An answer that includes these five steps may be the best way to head off problems - legally, and in the court of public opinion.

  1. Assessed our overall cyber risk, and used those findings to minimize the risk.
  2. Deployed a leading EMM (enterprise mobility management) solution and top-ranked network security tools, and used those tools according to vendor recommendations.
  3. Developed a comprehensive security training program for all employees, contractors, and vendors who are allowed regular access to our network.
  4. Monitored the network, and quickly responded to identified attempts to compromise corporate data, including promptly closing any identified security gaps.
  5. Refined and adapted our network and mobile security practices as new threats were identified.

Enterprises have a duty to prepare for known threats. The five steps listed here are especially important in light of a court decision in the Target data breach. A court ruled in December 2014 that companies have a duty to safeguard customer data, and not to disable security features that could have prevented a breach, or ignore warnings of an attack.

One of the most important things a company can do to protect itself, its executives, and its board of directors from regulatory and legal problems is to create a company culture that focuses on security. "We tell all of our customers that there is no one-time solution to mobile security," Agarwal says. "New devices, new threats, and new employees are always coming into the workplace, so ongoing training, policy updates, and constant monitoring and policy enforcement are critical for any security risk program to succeed."

Mobile printing is one of the last areas in enterprise data security to be protected. The Information Commissioner's Office (ICO) for the United Kingdom recently issued its annual report on fines given to companies that failed to protect consumer data, and a surprising number of those fines were given out for data loss traced to multi-function devices (MFDs) such as copiers and scanners or multi-function printers (MFPs), including printed records and faxes.

But, says Agarwal, multi-function printers and copiers are still often ignored by U.S. companies planning their enterprise IT security strategy. "Modern multifunction printers (MFPs) can print, copy and scan, and have Internet connections that allow users to scan and print from cloud applications or mobile devices. Many of them have more storage and processing power than the desktop computers in use just a few years ago," he points out.

Breezy delivers device and operating system agnostic secure mobile printing with on-device encryption for smartphones and tablets running Android and iOS operating systems. Breezy adds an extra layer of protection to the mobile devices that connect to your network or store your data.