There’s no question that there has been a fundamental shift in how employees interact with IT. This transformation is driven by devices like laptops and smartphones, as well as services like remote access, social media, and Webmail. Without access to corporate data, it’s impossible to accomplish tasks in a meaningful way, but the days when a solid perimeter firewall was enough are long gone. Organizations need the right combination of tools and policies to minimize the risk of breaches that put sensitive information in the wrong hands.


The Consequences of Data Loss

A breach that leaves Personally Identifiable Information vulnerable can have far-reaching and devastating consequences for individuals and organizations. Examples of information hackers try to get their hands on include names, Social Security numbers, credit/debit card numbers, dates of birth, or health records. No matter how your company handles a data loss incident, it’s likely your security and privacy policies will come under intense scrutiny. Inevitably, customers tend to lose confidence in organizations that have experienced a data breach, which means lost business.


The average cost of a data breach in 2020 is $3.86 million, according to a report from IBM and the Ponemon Institute. Not surprisingly, reputation damage and loss of business is the biggest single contributor to the cost of a data breach, accounting for 56% of the total cost for U.S. organizations. In addition to potentially catastrophic loss of business, there are costs associated with customer support, reputation management, productivity loss, data recovery, and legal fees. Organizations may also face fines due to laws and regulations meant to protect personal information, such as HIPAA. To reduce the risk of data loss and the associated costs, companies need a multi-layered approach to data loss prevention.


Implementing a Multi-layered Approach to DLP

A holistic strategy should start with content monitoring at data exit points, such as external hard drives and email messages. Your strategy should also include encrypting data to prevent unauthorized users from gaining access to sensitive information. Finally, a multi-layered Data Loss Prevention Strategy requires compliance from end users. This means your organization must create and enforce rules for proper data use. Prioritize management of data by choosing a solution that monitors and controls distribution of private information at exit points. You can simplify configuration, deployment, and management by implementing a solution that protects data at both the endpoint and the email gateway.


Controlling what end users can do on their devices is one of the easiest, most effective ways to reduce risks to your data. With this in mind, your organization should focus on managing the use of network-connected devices, managing access to websites, and controlling the use of applications, such as remote access, file sharing, cloud storage, etc.


Determining Your Data Loss Prevention Needs

Achieving a smooth implementation of content monitoring, encryption, and policy compliance will require planning and preparation. You will need to have an understanding of the industry or government regulations that apply to your organization, and which laws/requirements apply to your business in your region. We highly recommend consulting a corporate attorney to make sure you have a clear picture of your obligations. As part of the planning process, you should define and document business drivers, regulatory/legal requirements, and objectives for your data security implementation.


As with any major project, you need to secure buy-in from your organization’s executives. You will need their support for your strategy to succeed. Having a clear, well-researched plan will help you educate them about your goals and the benefits of implementing your plan. Since sensitive data is generated and shared throughout departments, you should organize a project team with representatives from across the organization. Consider including individuals from the senior management team, human resources, IT admin, finance, etc. A well-rounded team will help you identify sensitive information, determine where this data resides, and learn how the data is used and by whom so you can take appropriate action to secure it. This will help you understand the data’s role and who could accidentally expose data.


Along with your team, you should evaluate the risk and potential consequences of a data breach for each data type. You can then use that information to prioritize the data that poses the greatest risk if breached. Create policies for preventing loss of data, including what steps to take if your policy is violated and remediation actions. Perhaps most importantly, you need to educate users about your policies and their responsibilities. To ensure the success of your plan, all employees need to be aware of the policies if you expect to enlist their help in protecting the data they handle. Once users know the expectations, you can hold them accountable.


Best Practices for Implementing a Data Loss Prevention Strategy

  1. Begin with a transparent security policy. Give your users a document explaining the key aspects of your policy and have someone available to answer questions. Provide information on the types of data you’re trying to protect and make sure the organization’s motivations are crystal clear.
  2. Deploy data protection technologies to prevent accidental data loss. Users are human and accidents will happen. Laptops can be lost, emails are often sent to the wrong address, and malicious links catch people off guard. You should be protecting against accidental data loss by deploying security solutions such as content control, device control and encryption to render data unreadable without a password.
  3. Start with a small subset of prioritized data and slowly expand the rules. You can easily overwhelm your IT staff by implementing your entire plan at once. The process will go a lot smoother if you start small, and allow users to become used to the changes before implementing new ones.
  4. Avoid accusatory language in notices, or you run the risk of making users defensive. Instead of accusing the user of purposely violating your policy by sending sensitive data, gently notify the user that it looks like they might be sending data in a manner that breaches policy.
  5. Your goal isn’t to catch users breaking the rules, it’s to prevent behavior that puts your organization at risk in the first place. Educate users on the correct way to use and send data securely.


What to Include in Your Data Security Policy for End Users

Once you’ve determined your strategy, it’s time to create the policy that you expect users to follow. The information below can serve as a great jumping-off point for creating your own policy. You should outline behaviors expected of employees when dealing with data and link it to your Acceptable Use Policy and Information Security Policy.



Explain the purpose of your policy, basically an opening statement about why you are implementing your policy, and your objectives. The goal of this section should be to create awareness about the importance of following this policy.



Include a list of individuals or user types that are expected to comply with your policy as well as a definition of the data it’s meant to protect. Identify the different types of data and include examples.


Employee requirements

Here are some requirements we recommend including in your plan. Please note, this is not a policy document, and is not legal advice. This simply outlines some helpful items to include when creating your own policy:

  1. Complete security awareness training and agree to uphold the acceptable use policy.
  2. Visitors should be escorted by an authorized employee and restricted to appropriate areas. If an unknown, un-escorted, or otherwise unauthorized individual is identified in your organization, the appropriate person should be immediately notified.
  3. Users should not reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by your organization.
  4. All printed materials containing sensitive information should never be left unattended at user workstations.
  5. Require use of a secure password on all company systems and create a password policy. You should require that work credentials are unique and not used on other external systems or services.
  6. Require terminated employees to return all records (in any format) or devices containing sensitive company information. Employees should be notified of this requirement during the on-boarding process, and should sign documentation to confirm they understand this requirement.
  7. Require users to immediately notify the appropriate person in the event that a device containing in-scope data is lost.
  8. Outline how users can notify the appropriate person to report suspected non-compliance with your policy.
  9. Provide additional guidance to employees who work remotely and the precautions they must take when working outside of the office.
  10. Ensure users never leave assets that contain sensitive data exposed to theft, for example, visible in the back seat of a car.
  11. Data transferred within your organization should only be exchanged via business-provided secure transfer solutions, such as encrypted USB, authorized file sharing, internal email, etc. Be sure to let users know who they can contact with questions about sending data if they are unsure.
  12. Require that information being transferred on a portable device, such as an external hard drive, is encrypted in line with industry best practices and applicable regulations.




Disaster Recovery Plan…Why?

For every business, success is earned and built through careful planning and smart decision making. It’s only natural that you’d want to safeguard your business from danger as you plan for your future. In today’s always-on, digital world, one of the most critical factors to business success is data, and studies show time after time that data loss can be the demise of a business. The costs and risks associated with downtime are substantial, and the damage to your business’ brand and reputation is immeasurable.


While there’s no way to predict the future, Murphy’s Law tells us anything that can go wrong, will go wrong. If you don’t have a well-thought-out recovery plan, your company’s data is teetering on the edge of a cliff without a safety net. Here are some scenarios where a fully-managed Disaster Recovery Plan could save your business:


User Error

We all make mistakes, like accidentally clicking a malicious link, dropping our computers, misplacing a mobile device, or deleting something we intended to save. User error was cited as the leading cause of data loss in a 2015 Databarracks survey.


Hardware Failure

Hard drives, servers, computers, and other devices have varying life expectancies and refresh cycles, but hardware often fails. Whether it’s due to normal wear and tear, defects, or the unexplainable – businesses need to be prepared for the worst.


File Corruption & Software Failure

Software will also occasionally fail. Files and data can become corrupted and things may be deleted without warning. In addition to providing complete restores for entire machines, Disaster Recovery Solutions allow for data recovery.


Natural Disasters and Extreme Weather

Small businesses lose an average of $3,000 per day after closing due to a major weather event. It’s impossible to predict when such an event will strike and the resulting power outages, flooding, and other issues it will create.


Insider Threats

If a disgruntled employee were to intentionally encrypt, delete, steal, or corrupt sensitive information, having your data backed up ensures that it can be recovered and restored to help mitigate damage to your business.



Viruses, malware and cybercrime (especially ransomware) are an increasingly dangerous threat today. The Ponemon Institute’s 2015 Cost of Cyber Crime Report claims that businesses sampled saw an average of 160 successful cyber-attacks per week.


The Solution:

Adding a Disaster Recovery Solution and implementing a Disaster Recovery plan can protect your business from the risks associated with data loss; however, not all solutions are created equal. It’s important to have a backup and disaster recovery solution that provides benefits beyond file restoration.


Be Prepared for Any Disaster

Having a Disaster Recovery Solution is a good idea, but an actual data-loss event is not the time to use it for the first time. Additionally, not all disaster recovery efforts are the same. For example, recovery from a natural disaster like fire or flood can differ from a cybersecurity attack or a user error.


It’s important to simulate coordinated disaster recovery scenarios to ensure all the necessary technology is in place, personnel are trained, procedures are in place, and data is restored as fast as possible.


Cost Savings

In a worst-case scenario, the speed at which you can restore business continuity (a term commonly used for maintaining online systems, data and functionality) determines the magnitude of financial loss. Advancements in cloud technology offer small businesses an unprecedented opportunity to tap into resources that were once only available to large enterprise organizations. Cloud-based storage can help businesses drastically reduce the cost of data replication, offsite storage, and more.


In the event of a disaster, you can spin up virtual servers in the cloud to get your business back online in hours instead of days, mitigating your financial loss. The most current backup of your system will always be available – allowing you to get back to business, drive revenue, and restore employee productivity.


Peace of Mind

Just like any other technology, a Disaster Recovery Solution can only be effective if it is maintained, and unfortunately many solutions on the market are implemented and subsequently abandoned. Your solution should be supported by a team of technicians that constantly check to ensure your industry-standard, AES-256 encrypted data backups are verified – so that they will always be reliable, and available to use in the event of downtime.


In the end, backup and disaster recovery is about peace of mind. Hardware fails, employees make mistakes, security breaches are on the rise, and natural disasters are unavoidable; even in the face of unpredictable events, you can rest assured that you have a reliable solution and a reliable team in place at all times with a Disaster Recovery Solution from Les Olson Company. Knowing your business’ data can survive all of the above with the help of our team can enable you to confidently move your business successfully forward.

