10 actions to protect data assets

Janco has found that more than 90% of all data breaches affecting 500 or more individuals are caused by an organization's own employees, not hackers. Since ninety percent of an organization's data breaches are due to "friendly fire" (the mistakes and transgressions of the business's own employees and business associates), CIOs and CSOs need to take a leadership position in managing this. By taking specific actions, a company can greatly reduce the likelihood of these internal breaches, both the careless mistakes and the malicious acts.

Here are 10 actions that a CIO or CSO can take:

  1. Instill on all employees that they are the first line of defense when it comes to data protection and data security.
  2. Develop and implement specific policies and procedures regarding the handling of proprietary or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
  3. Validate that the policies and procedures meet all industry and mandate compliance requirements.
  4. Improve training and require all employees to take it. Many organizations think that a general 30-minute online information-security training followed by 10 questions is sufficient for employees to know what they should do in a given situation. However, the lack of specificity to their own responsibilities opens the possibility of unintentional exposure of, or unauthorized access to, protected information.
  5. Maintain a tight control on all data assets and ensure only the minimum necessary access to the information. Organizations need to take the time to assess the functions or roles in the organization that need access to confidential information, and to document the process for initiating and terminating that access. The most damaging impact on an organization can be caused by a disgruntled employee who is terminated from the organization, yet his or her access to information is not cut off in a timely fashion.
  6. Require all passwords be changed frequently and not be repeated.
  7. Communicate, enforce and apply consistent sanctions for information privacy or security violations. If there is no punishment for accessing or sharing information, people are more apt to do so. For example, rural hospitals and health plans have significant problems with employees snooping into medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address the improper snooping into the medical records of celebrities and prominent public figures.  An organization can suffer significant financial and reputational damage if steps aren’t taken when bad behavior occurs.
  8. Monitor employee activity both on PCs and mobile devices. Doing so ensures appropriate access and can unearth any unusual activity. Take the time to review or randomly sample usage reports to identify any potential problems early and initiate remediation activities.
  9. Ensure adequate oversight or governance of information security programs. This is necessary to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
  10. Have independent 3rd parties test the data protection and data security compliance practices.
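Actions 5 and 8 above both come down to a recurring review: compare who HR says has left against who still holds an active account, and then read the usage reports for activity that should not be there. The script below is an added example, not Janco's tool or part of the original article; it reconciles a constructed HR termination feed against a constructed IAM account export and a few constructed application access-log lines, flagging accounts still active beyond a grace period after termination and any access recorded after the termination day. The data, field layout and the 24-hour grace period are assumptions chosen for illustration.

```python
"""Reconcile HR terminations against IAM accounts and access logs.

Added example (not from the original article). All feeds below are
constructed sample data; real deployments would pull them from the HR
system, the identity provider and the application's audit log.
"""
from datetime import datetime, timedelta

# Constructed HR feed: user id -> termination date (ISO 8601 date).
HR_TERMINATIONS = {
    "jdoe": "2024-03-01",
    "asmith": "2024-03-05",
}

# Constructed IAM export: user id -> account status and assigned roles.
IAM_ACCOUNTS = {
    "jdoe": {"status": "active", "roles": ["billing-read", "ehr-read"]},
    "asmith": {"status": "disabled", "roles": ["hr-read"]},
    "bwong": {"status": "active", "roles": ["billing-read"]},
}

# Constructed access log: "<timestamp> <user> <action> <resource>" per line.
ACCESS_LOG = """\
2024-02-28T09:12:01Z jdoe READ patient/1042
2024-03-02T14:03:44Z jdoe READ patient/2210
2024-03-04T08:00:00Z asmith READ payroll/771
2024-03-06T10:30:15Z asmith READ payroll/772
2024-03-06T11:00:00Z bwong READ invoice/55
"""

# Assumed policy: an account must be disabled within 24 hours of termination.
GRACE = timedelta(hours=24)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "resource": resource,
        })
    return events


def stale_accounts(hr, iam, now):
    """Accounts still active more than GRACE after the termination date."""
    findings = []
    for user, term in hr.items():
        term_dt = datetime.strptime(term, "%Y-%m-%d")
        acct = iam.get(user)
        if acct and acct["status"] == "active" and now - term_dt > GRACE:
            findings.append({"user": user, "terminated": term, "roles": acct["roles"]})
    return findings


def post_termination_access(hr, events):
    """Access events recorded after the end of the user's termination day.

    An event here for an account IAM now reports as disabled means the
    disable happened late, or something bypassed it; both need follow-up.
    """
    findings = []
    for ev in events:
        term = hr.get(ev["user"])
        if term is None:
            continue
        cutoff = datetime.strptime(term, "%Y-%m-%d") + timedelta(days=1)
        if ev["ts"] >= cutoff:
            findings.append(ev)
    return findings


def run_review(now_iso="2024-03-10"):
    """Run both checks as of a given review date and return the findings."""
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    events = parse_log(ACCESS_LOG)
    return {
        "stale_accounts": stale_accounts(HR_TERMINATIONS, IAM_ACCOUNTS, now),
        "post_termination_access": post_termination_access(HR_TERMINATIONS, events),
    }


if __name__ == "__main__":
    report = run_review()
    for f in report["stale_accounts"]:
        print(f"STALE ACCOUNT: {f['user']} terminated {f['terminated']}, roles {f['roles']}")
    for ev in report["post_termination_access"]:
        print(f"POST-TERMINATION ACCESS: {ev['user']} {ev['action']} {ev['resource']} at {ev['ts']:%Y-%m-%dT%H:%M:%SZ}")
```

On the sample data the review flags jdoe's account, still active nine days after termination, and two log entries: jdoe reading a patient record the day after leaving, and asmith reading payroll on 6 March even though IAM shows that account as disabled, which is exactly the kind of discrepancy a sampled usage report should surface for remediation. The same two checks work unchanged against real exports once the parsers are adapted to the actual feed formats.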

Author: Victor Janulaitis

M. Victor Janulaitis is the CEO of Janco Associates. He has taught at the USC Graduate School of Business, been a guest lecturer at UCLA's Anderson School of Business, a Graduate School at Harvard University, and several other universities in various programs.