Author: Jeff Weeks, Sr. Vice President and Chief Information Security Officer
Protecting your company from a data breach is a 24/7 job, and with the cost of a data breach averaging $3.86 million, or $148 per record, data protection is a top priority. Unfortunately, a data breach can have many negative consequences and can take years to fully recover from. A breach may mean harm to customers, loss of customers, loss of money, loss of important data, forensic and other breach-response costs, reputation damage and more.
The good news is there are steps you can take to decrease the likelihood and impact of a breach.
- Develop Procedures to Protect Data
When it comes to data protection, it’s important to have the proper procedures in place. Basic security hygiene should not be hard for businesses of any size to implement. To start, determine what data you need to protect. This is most easily accomplished by classifying your data, then applying the requisite level of controls based on each classification. For example, some data may be required by state law to be encrypted at rest. Additionally, practice good cyber hygiene by applying patches, scanning for vulnerabilities, performing penetration tests and fixing the vulnerabilities you find. Conducting due diligence on third parties with access to your network and/or information is also a good idea; you’ll want to ensure these third parties are practicing effective cyber hygiene themselves.
When establishing procedures, your incident response team should have a clear plan of action in the event of a data breach and be educated in the appropriate measures that need to be taken by law and for the business. It’s important the incident response team tests the plan at least annually. As part of this plan, have a list of pertinent contacts within your organization and any external contacts you may require such as a forensic firm, law firm, law enforcement contacts, vendor contacts, etc. In this plan, require incident documentation because such documentation may be needed later for insurance or legal claims. In the event of a significant incident or breach, have a plan including who will talk to the media and a team to write and approve external and internal communications.
- Backup Your Data
When backing up data, it’s important to establish a regular backup schedule. In the event of a ransomware attack, you may not have access to your data. Likewise, if your network is breached and you lose data or your network is corrupted with malware, it’s good to have a recent backup of clean data to restore from.
- Educate Employees
Employee awareness is of paramount importance in defending against attacks. The easiest way into a network for hackers is through trusted employees clicking on links or opening documents in phishing emails. Make sure employees are trained in how to detect phishing emails and establish a process for employees to report suspicious emails. You can even work with vendors that send fake phishing emails to employees to demonstrate what these emails may look like. Accounting and financial employees may benefit from extra training since they are a key target for phishing and social engineering attacks.
Phishing is not limited to email; it can also occur over the phone. Someone may call posing as an employee and ask for information about another employee or customer. They may even pose as an IT employee and attempt to have you download malware, give them control of your PC or hand over credentials. Just as with phishing emails, make sure employees are trained to identify these tricks and have a process for reporting suspicious phone calls.
- Use Technology
Beyond good security hygiene, there are tools you can implement to improve your data protection. Solutions are available to help block phishing and spam emails, encrypt sensitive information, control the flow of information outside the organization, and monitor for unauthorized access to data. Technology can also be used to notify you of a suspected breach. These tools can be effective; however, attackers sometimes get around them, which is another reason why employee awareness is so essential.
According to Identity Theft Resource Center’s 2018 Data Breach Report, there were 932 reported breaches in the U.S. last year, exposing 47,231,256 records. By following security best practices and educating your employees, you can hopefully avoid being part of the statistic.
Learn more business online security best practices from First National Bank of Omaha’s Security Center.
The Internet offers a convenient way to conduct financial transactions. We are committed to maintaining strict standards of security to help protect our customers’ confidential personal and business financial information. Our online security is designed to provide for a secure exchange of information with our customers. We utilize multiple security protocols such as firewalls, data encryption and customer authentication techniques. If you have any concerns about the privacy and security of your accounts, you can contact us 24 hours a day, 7 days a week.
The Internet Society’s Online Trust Alliance has ranked First National Bank of Omaha as the Top Bank among its list of “the most vigilant about protecting consumer data” in its 10th annual online Trust Audit and Honor Roll.
About the Author
Jeff has been with First National Bank of Omaha for 20 years and is currently the Senior Vice President and Chief Information Security Officer. The executive leadership and oversight provided by Jeff in the development, management and execution of information security for First National Bank of Omaha enables the company’s ability to posture and protect private, personal information, and assets of the company’s clients, employees and business partners.
Jeff is a member of FS-ISAC (Financial Services Information Sharing and Analysis Center) and PPISC (Payments Processor Information Sharing Council), MBCA Advisory Board (Mid-Size Bank Coalition of America), FishTech Advisory Board, Bellevue University Advisory Board, Minneapolis CISO Advisory Board, and he was recently appointed as an FNBO Board member. Over the course of his career, he has been awarded several professional certifications including Certified Information System Security Professional (CISSP).