In the third installment of a five-part series, five senior compliance practitioners outline their best-practices strategies for protecting their firms from data breaches.

What are the critical parts of a best-practices plan on preventing and detecting a data breach?

Meet the executives

 

Andrew Beagley

ANDREW BEAGLEY

Chief Risk Officer

OptimEyes.ai

Years in compliance: 30

 

 

 

Kortney Nordrum 

KORTNEY NORDRUM

Regulatory Counsel & CCO

Deluxe

Years in compliance: 7

 

 

 

Laurie Roberts

LAURIE ROBERTS

Founder and President

Cheatham Roberts Consulting

(Formerly Managing Director and CCO of Civitas Capital Group)

Years in compliance: 26+ 

 

 
 

KC Turan

KC TURAN

SVP, Chief Risk, Compliance & Ethics Officer

UPMC Health & Insurance Services

Years in compliance: 20+

 

 
 

Steve Vincze

STEVE VINCZE

President & CEO

TRESTLE Compliance

Years in compliance: 25+

 

 

DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.

ANDREW BEAGLEY: In the new world of data privacy and cyber-risk, it is imperative organizations shift their monitoring focus to automated processes to prevent and detect data breaches in real time. Overall, increasing the number of data points used for control assessments; ranking vulnerabilities by risk level; and being able to quantify risk will all support an organization’s efforts to mitigate the risk of data breaches. 

 

KORTNEY NORDRUM: 

  1. Provide everyone the right tools and test to make sure those tools work and are updated regularly.
  2. Train and educate your workforce on cyber-security and hygiene practices and the vigilance it takes to do it right.
  3. Build, train on, and test your incident and/or crisis response program; don’t make the first time people see it be when it counts the most.

LAURIE ROBERTS: Critical parts of a best-practices plan to prevent and detect a data breach include starting with a thorough cyber-security assessment with your internal IT department or an external vendor. Protect your data. Make sure the organization has the software and technical capabilities to protect the organization’s data. Invest in a multi-layered quality cyber-security system with end-point protection on all devices, multi-factor authentication, and a virtual fire wall for the entire organization. Organization internal systems should regularly back up and run regular system checks. Test regularly the policies and procedures for prevention and detecting data breaches. Review at least annually policies and procedures and incorporate improvements based on testing results. Embrace training for the organization.

 

KC TURAN: The human component is critical to prevention and detection. You can have great automated and technology controls, but bad actors are getting better at exploiting the weakest and most fruitful points within the cyber-risk ‘intrusion kill chain.’ This directly attaches to the human element within the larger dynamic, and human lapses in judgment are what lead to the majority, or at least the plurality, of data breaches. Email and endpoint security controls are very important, but clear and ongoing employee training, communications, and phishing simulations are critical. Our employees are the most potentially variable yet strongest line of defense.

 

STEVE VINCZE: First, as every good compliance and privacy professional knows, the best way of preventing a breach is to know where your risks of a data breach are. 

  1. Conduct a risk assessment by doing a data mapping exercise so you know exactly: What data you collect, what you use the data for, how you use the data, with whom you share the data, and why you collect and share the data. Once completed, you can identify any data and date processes that are particularly weak, vulnerable, in need of particular vigilance, or susceptible to breaches and then develop and implement an appropriately scaled set of security measures to strengthen your data security system.
  2. Develop clear, sound policies and procedures to your target, relevant audiences.
  3. Communicate these policies and procedures through practical training using true-to-life case studies.
  4. Engender a culture of shared ownership, awareness, and accountability to report and identify any concerns, i.e., When in Doubt, Reach Out; See Something, Say Something.
  5. Monitor and audit these areas regularly and periodically to identify vulnerabilities sooner rather than later and to confirm processes are working as intended.
  6. Report status and findings regularly and periodically to the executive team and board.
  7. Discipline and hold verified violators of standards and policies accountable.
  8. Implement corrective actions for any breaches to prevent repeat occurrences.