In its 2013 global data breach study, the Ponemon Institute reported that data breaches experienced by U.S. companies continue to be the second most expensive in the world at $188 per record. The study also reported that U.S. companies had the second greatest number of exposed or compromised records per breach at 28,765, resulting in an average total organizational cost of more than $5.4 million per breach.
By beginning the implementation phase of a newly established security plan, your team can take an important step forward in preventing data breaches.
Smart Business spoke with Stephan J. Cico, managing director of All Covered Pittsburgh, about implementing a security plan, which follows his last article about building a security plan.
Where’s the best place to start?
A good place to start the implementation is to have a company meeting. This serves a dual purpose. First, it communicates to employees that the implementation of a new security plan and/or revised policy is underway. It allows them to ask questions and feel like they are part of the bigger plan.
It’s also an opportunity to provide a brief security training. The session needs to talk about how to create strong passwords, identify questionable email attachments and avoid potentially troublesome websites. Employees can take these ideas home as well. Once employees understand how the plan will work and how they can help keep the network secure, they’ll be more diligent moving forward.
How should documenting be handled?
Document all the agreed-upon policies, procedures and installation information, and then distribute the documentation to all interested parties. This document should always be on hand in a centralized location in case sections of the protection plan require an update or disaster recovery plans need to be put into action. Have employees acknowledge in writing that they reviewed and understand the policies.
What else do employers need to know?
When it comes to the physical work, images of servers and desktop configurations should be updated regularly. In case an emergency recovery is required, an old desktop image is likely missing critical security updates. This means additional time for the IT team to update each unit individually to keep it on par with the overall protection plan.
The selected endpoint protection software should be installed on all computers, servers and mobile devices. This software should be updated on an ongoing basis. A minimum of two IT team members (for redundancy purposes) should remain active on the email notification list for critical updates and alerts. It’s not uncommon to have ‘emergency’ patch alerts to plug security holes against a recent threat. By staying up to date on security best practices and current threat news, the software is kept current and the network remains protected.
Regardless of the business’ size, a solid firewall is a key part of keeping networked computers and business data safe and secure. A firewall serves two main purposes — it filters what traffic comes into the network, and controls what users may send out of the network. The specific firewall settings will vary based on the other security-related processes and your business needs.
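To make the two firewall purposes described above concrete (filtering what comes in, and controlling what users may send out), here is an added example in Python that models an ordered, default-deny rule list and evaluates sample packets against it. This is illustrative code written for this page, not a product or configuration from All Covered; the network ranges, hosts and packets are constructed, and a real deployment would express the same policy in the firewall's own rule language.

```python
"""Toy firewall policy evaluator (added example, not from the article).

Models the two jobs the interview names: inbound filtering and egress
control. Rules are checked in order, first match wins, and anything
unmatched is denied. All addresses, ports and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the LAN) or "out" (leaving the LAN)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                       # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()   # empty means any destination port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


# Hypothetical office LAN 10.0.0.0/24 with a web server (.10),
# an internal DNS resolver (.53) and a company mail relay (.25).
LAN = "10.0.0.0/24"
POLICY = [
    # Inbound filtering: only HTTPS to the web server is reachable from outside.
    Rule("in", "allow", "tcp", dst="10.0.0.10/32", dports=frozenset({443}),
         note="public HTTPS to web server"),
    Rule("in", "allow", "tcp", src=LAN, dst=LAN, dports=frozenset({22}),
         note="admin SSH from inside the LAN only"),
    # Egress control: users may browse, but DNS and mail must go via company hosts.
    Rule("out", "allow", "tcp", src=LAN, dports=frozenset({80, 443}),
         note="web browsing"),
    Rule("out", "allow", "udp", src=LAN, dst="10.0.0.53/32", dports=frozenset({53}),
         note="DNS only to internal resolver"),
    Rule("out", "allow", "tcp", src=LAN, dst="10.0.0.25/32", dports=frozenset({587}),
         note="mail only via company relay"),
]


def evaluate(pkt: Packet, policy=POLICY):
    """Return (action, reason) for a packet; unmatched traffic is denied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "default deny"


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_PACKETS = {
    "web_from_internet":   Packet("in",  "203.0.113.5",  "10.0.0.10",     "tcp", 443),
    "ssh_from_internet":   Packet("in",  "203.0.113.5",  "10.0.0.10",     "tcp", 22),
    "browse_out":          Packet("out", "10.0.0.20",    "198.51.100.7",  "tcp", 443),
    "direct_smtp_out":     Packet("out", "10.0.0.20",    "198.51.100.7",  "tcp", 25),
    "external_dns_out":    Packet("out", "10.0.0.20",    "198.51.100.9",  "udp", 53),
    "internal_dns_out":    Packet("out", "10.0.0.20",    "10.0.0.53",     "udp", 53),
}


def audit(packets=SAMPLE_PACKETS):
    """Evaluate every sample packet and return {name: action}."""
    return {name: evaluate(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, reason = evaluate(pkt)
        print(f"{name:20s} {pkt.direction:3s} {pkt.src}->{pkt.dst}:{pkt.dport} {action:5s} ({reason})")
```

The design choice worth noting is the default-deny at the end of `evaluate`: the only traffic that passes, in either direction, is traffic a rule explicitly names, which is what makes the ruleset a statement of business need rather than a list of things to block.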
What’s important to know about mobile devices?
Mobile devices are possibly the biggest variable when it comes to a business protection plan. According to a 2013 global security study, mobile malware exploded by 400 percent over 2012. Additionally, on average, today’s employee utilizes three different devices for work-related tasks.
One of the biggest potential threats is a public network. Whether at the airport or coffee shop, the potential for malware and other threats is ever present.
When implementing the mobile device portion of the plan, especially in a bring-your-own-device model, sit down with each employee to review the new security policy and how it affects mobile devices. They may not be aware of all the security holes that exist in today’s apps and connection points. For example, according to documents leaked from the Government Communications Headquarters, the National Security Agency has used Angry Birds, Google Maps, Facebook, Twitter and LinkedIn as ‘entry points’ to private mobile devices.
Insights Technology is brought to you by All Covered Pittsburgh