An Ounce of Prevention is Worth a Pound of Cure: A Practical Guide to Reducing the Risk of a Data Breach

Most organizations collect and store personal or sensitive information about their clients and employees. Protecting sensitive or private information should be a priority for all organizations, regardless of their size.   Threats to information security arise from external and internal sources, and every organization must take a comprehensive approach to reduce the threat of a data breach.  In other words, strong passwords and secure networks alone are not a silver bullet.   

A common misconception is that data security issues mostly plague large corporations.  But studies show that smaller companies and organizations are targeted at least as often as larger corporations, because smaller companies may have less protection in place to defend against a data breach. 

Here are five effective and efficient steps that any company, large or small, can take to reduce the risk of a data breach:

1. Access to confidential and sensitive information should be restricted: Limit access to sensitive data or protected information to those employees whose job function requires access to the information.

2. Vendors must be screened: A vendor may have access to or handle an organization’s sensitive data as part of the service it provides.  The organization must ensure that the vendor: (a) has security measures in place to protect that data, and (b) is using the organization’s data for no other purpose than to provide the services for which the vendor was retained.

3. Employee training and restrictions: Organizations should implement policies and practices to ensure data security, and train all employees, so they are aware of the organization’s rules and expectations.   For example, employees of each organization should be trained on:

•  the types of information considered sensitive or private;

• correct procedures for storing and deleting sensitive information;

• reporting of suspicious emails;

• passwords (they should be strong, never duplicated, and changed frequently). 

4. Mobile Devices:  Organizations that permit employees to use personal mobile devices for business-related purposes should consider restricting the manner in which the devices are used to access the organization’s data.  For example, software can be downloaded on a personal mobile device which separates the business-related data from the personal data, and permits an organization to scrub the device remotely in the event the device is lost or stolen.

5. Secure Networks and Encryption:  Organizations should encrypt sensitive or private data, utilize firewall protection in their networks, and ensure that Wi-Fi access is always secure and password-protected. 

Preventative measures may seem time-consuming and expensive to implement.  But a data breach could cost an organization millions of dollars in expenses and damages.  The cost an organization may incur in a data breach incident can be as high as several hundred dollars for each record that is compromised. Even the most prudent and conscientious of businesses cannot guarantee it will never fall victim to a data breach.  But an organization is always well advised to continuously monitor its potential vulnerabilities and implement measures to reduce the risk of a breach, especially as technology evolves.