One of my favorite sayings is that an ounce of prevention is worth a pound of cure. That is never more true than when it comes to protecting a company’s data. Even a simple mistake like using the wrong size window envelopes can expose customer data, leading to costly regulatory fines and penalties. And when a high-profile data breach makes headlines, the damage to a company’s reputation can be permanent. Just think of Cambridge Analytica, the disgraced and now defunct political consulting firm.
Like any health regimen, maintaining optimal security fitness begins with diagnosing potential issues, coming up with an effective treatment plan in case something does go wrong, and making the investment in good preventive care.
Steps to Take
Diagnosing potential threats and vulnerabilities to a business’ information system is the first step in maintaining the health of any security program. Implementing a formal risk management program that includes regular risk assessments and a risk mitigation plan identifies potential gaps. Of course, like any checkup, risk assessments are most effective when they’re performed on a consistent basis. While there is no hard and fast requirement for the frequency of risk assessments, most security experts recommend performing one at least annually or whenever there is a significant change to your operational or technological environment.
Once potential issues are identified, the next step is to come up with a treatment plan for correcting any deficiencies. A risk mitigation plan is a road map to preventing security incidents and data breaches by minimizing the risk that identified threats and vulnerabilities pose to your information systems. To be effective, we have found that a risk mitigation plan needs to include specifics, spelling out who, what, when, and how you will correct identified areas for improvement.
Despite the best-laid plans, natural disasters and environmental emergencies can cause facility disruptions and IT malfunctions that jeopardize the ability to continue critical business operations. This is where having detailed business continuity and disaster recovery plans in place will help a business recover from life’s curve balls and restore critical functions as quickly as possible.
Providing good preventive care is the third essential component of a healthy security program. Make sure information systems include technical safeguards like encryption, multi-factor authentication, firewalls, malware protection, and network monitoring. Another step in prevention is to develop comprehensive security policies and procedures and require employees to undergo security awareness training that addresses procedures for information exchange and data handling, password management, and common security pitfalls like social engineering.
Choose to Outsource Wisely
While all of the above heads off potential problems internally by anticipating threats, what security measures should you expect when you outsource your data to a third-party provider? Much like your own security program, the provider you choose should also have a contingency program that includes business continuity and disaster recovery planning, as well as a redundant IT infrastructure. You will want to verify that they test their contingency plans annually and incorporate identified security gaps into their risk mitigation plans.
However, all the planning in the world won’t prevent a data breach if your provider’s information systems are unprotected. That’s why it is important to include a review of their technical safeguards as part of your due diligence. Things to look for include encryption, multi-factor authentication, installation of firewalls, malware detection and protection, strong authentication controls, and 24/7 network monitoring. Additionally, the company should also require all of their employees to undergo the type of security awareness training listed above.
While most data breaches occur in less than a minute, it can take months to detect and mitigate the underlying cause of the breach. You will want to verify that your third-party provider has auditable service level agreements and cybersecurity liability insurance in the event a breach does occur.
And be sure to ask them about the security certifications they hold.
The Value of Certification
A company that leverages the expertise of security professionals to pursue proper certifications will ensure a security program functions at an optimal level. Certification is critical to gaining the peace of mind that optimum security measures are in place, since most security certifications require companies to implement risk management, contingency planning, technical safeguards, and other security controls as part of the assessment process. During a certification assessment, auditors provide invaluable feedback on the necessary requirements and what is needed to correct any deficiencies.
In deciding which certifications are important, learn about the security frameworks that address the unique requirements of your industry. Companies that accept credit card payments should maintain PCI certification. Overseen by the Payment Card Industry Security Standards Council (PCI SSC), PCI certification requires businesses to meet stringent requirements, including change management processes, continuous monitoring, and maintaining seven critical security controls throughout the year.
HITRUST certification is a great option for businesses that handle protected health information. The HITRUST Common Security Framework provides a mechanism for companies to address rigorous HIPAA standards. HITRUST CSF is also mapped to several other security requirements, like NIST, FedRAMP, and the EU’s recently implemented General Data Protection Regulation. For companies working in financial services, the AICPA offers SOC 2 reporting, which assesses a company’s security program against five Trust Services Principles. As an added bonus, SOC 2 reporting is widely recognized across multiple industries.
Some security frameworks allow businesses to address multiple security requirements using a single certification. The HITRUST Common Security Framework is a great example of this “assess once, report many” approach to certification. For example, the HITRUST Alliance has partnered with the AICPA, which oversees SOC 2 attestations, to offer a joint reporting process that allows businesses to use the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.
With cybersecurity incidents and data breaches on the rise, implementing a vigorous security program is critical to the health and vitality of your business. By leveraging professional expertise to develop and maintain optimal security fitness, you can establish a proactive security program, protect your customers’ data, and safeguard your most valuable asset — your company’s reputation.
Harry Stephens is President/CEO and founder of DATAMATX, one of the nation’s largest privately held, full-service providers of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations. He serves on the Executive Board of the Greater Atlanta Postal Customer Council, is a Board Member of the National Postal Policy Council (NPPC), a Member of the Major Mailers Association (MMA), and a member of the Coalition for a 21st Century Postal Service. He is also immediate past president of the Imaging Network Group (INg), an association for Print/Mail Service Bureaus. As an expert on high-volume print and mail, he has frequently been asked to speak to various USPS groups, including the Board of Governors, about postal reform and other issues affecting business mailers. Find DATAMATX at