I’ve had bad experiences with water. Pouring out of broken washers and gushing from burst pipes, water has repeatedly defied my attempts to keep it contained. But I need water, so I maintain my plumbing, use water sensibly, and, if I suffer a leak, I clean up the mess and go on.
Why am I talking about water? Modern businesses need data, like we need water. It is simply not feasible for a business to stop using data or to lock its data down so tightly that it’s secure, but not usable. Instead, businesses should approach data security practically, with attention to both security and incident response.
Data security comes first. Leaky plumbing wastes water, rots wood, and makes a comfy place for mold to grow. Businesses should maintain a strong data security posture, including conducting regular reviews of their information technology systems to identify weaknesses and implement controls. Businesses in certain industries are required to engage an outside security consulting firm to perform annual security risk audits, and this is a good practice for all businesses.
Businesses should also use data sensibly. Just as they would conserve water, businesses should control their data flows through good data governance. Every business should determine the what, who, and why of data consumption:
- What data (external, internal, personally identifiable, etc.)?
- Who has access to it?
- Why do they have access?
Identifying data flows should be part of every new project, and audits should be conducted at least annually. Businesses should use the results of data flow analyses to conduct regular maintenance on their data “plumbing”, including plugging leaks by limiting access to those who have a business need and flushing data the business no longer needs.
Data flow analyses are also good tools for developing and implementing data security training programs for employees. Human hands—mine in particular—are to blame for most of my water issues, and the same is true for data security incidents. Businesses should implement training programs that explain why data security is important, provide information about data security threats and vulnerabilities, and instruct personnel how to respond to incidents.
Unfortunately, no matter how good a business’ data plumbing is, and how well a business governs its data, data security incidents will happen. So, businesses should plan for leaks by developing, deploying, and regularly practicing a data security incident response plan. The four steps a business should take after a data security incident are:
- Identify the occurrence and scope of the incident.
- Contain the incident and mitigate its impact.
- Notify any affected individuals.
- Learn from the incident, adapt, and reduce the risk of similar incidents in the future.
A data security incident response plan is simply a proactive way to plan and practice accomplishing those four steps. Developing an incident response plan should be a multidisciplinary effort involving, at a minimum, a business’ information technology, legal, human resources, and public relations teams. An incident response plan, however, is only as good as its execution. Businesses should use drills to identify weaknesses, enhance response strategies, and facilitate ongoing communication among the members of the incident response team.