The headline in USA Today blared, “2019 on track to be worst year ever for data breaches.” There were more than 3,800 breaches reported in the first half of the year, a 52% increase from last year. That’s the bad news.
The worse — and, frankly, scary — news is that it only takes one breach to seriously impact your mailing business. One mailing company was hit in late 2018 by a simple ransomware trojan. One bad click from a user resulted in a potential compromise affecting up to 700 companies and 1.2 million individuals nationwide, added to days of lost business and weeks of expensive recovery efforts. Months later, the effects still linger.
We all know that mailing and outsourcing clients increasingly require costly external audits and adherence to strict standards such as NIST 800-53 and HITRUST to protect personally identifiable information (PII) and protected health information (PHI). But those standards are really only the starting point, and in fact, they are little more than checklists if there isn’t a serious company-wide effort to infuse what I call “data defender DNA” into your organization.
This infusion starts at the top and flows down to every aspect of the production and IT chain. One example of this, and a good starting point for getting the message out, is creating and empowering an Incident Response Team (IRT). You can find plenty of templates for writing a decent data breach and risk mitigation plan, but those templates don’t get into the nitty-gritty where they need to be.
Your IRT can be the springboard to giving your company data defender DNA. Based on my experience, here are 12 questions every company should ask and answer to best avoid the nightmare of a breach.
1. Is your IT staff getting enough notifications?
If your IT and network staff isn’t getting daily threat messages that need a response, you’re probably not prepared enough. Most incidents happen without your organization knowing it. Either the alarm was never sounded, or nobody was looking when it did. Avoiding complacency requires an attitude of security awareness. Don’t outsource this — your data defender DNA protects your organization. Find out what trips your security monitors and test these conditions regularly.
2. Do you have a server dedicated to logging events?
Is your IT staff constantly requesting more storage and more equipment dedicated to collecting and maintaining logs? It is good to ask them why.
It is important, if not critical, to log everything. If it can be logged, it should be logged. Every file you receive, every connection to your server, every touch of an application, every update — log them all. Ensure your vendors and their software are configured for proper logging. And make sure someone is looking at the logs by consolidating them into one server.
It’s no longer enough to simply install an intrusion defense system (IDS) to look for internal threats and a unified threat management device (UTM) to replace your aging network firewalls. People who are well-versed in the technology and design of your specific system should actively manage these devices, validate their configurations on a regular basis, and respond in real-time to events.
3. Can every member of your IRT name all the other members?
The IRT isn’t just a list of names for a plan that never gets exercised. If everything is going too smoothly, it could be masking some deeper problems.
Establish a quick mailing list for your IRT and test it frequently. Have the IRT get together in physical or phone meetings regularly so they know how to reach each other quickly. Think how many well-known breaches could have been avoided if the people who knew about an incident could have reached their counterparts faster.
4. Does every computer user know what to do if an “incident” occurs?
A user may have clicked a link in a phishing email, or someone may have tried to penetrate your network security. Your first actions must be to isolate and limit the problem. Unplug the systems in question. Take them offline. Block your network access. If a client experiences a breach, block them so their problem doesn’t become yours.
Formally write up every incident and train every single computer user in your organization on how to report it. The process should be accessible and as easy as a phone call. Every user should know how to unplug their computer from the network, or — at minimum — turn the system off if an unexpected link is clicked or evidence of a breach shows up. Data defender DNA must be infused at every level.
5. Do you ever hear “it was no big deal?”
“It was no big deal” is a major red flag. Every incident is potentially a big deal and your IRT needs to determine if it really resulted in a breach.
In the transactional mailing business, a misplaced critical document can be a risk for privacy or a HIPAA breach — nobody stops looking until the missing document or mail piece is located. Dealing with data, we must find every detail related to the incident and determine if it did or could have resulted in improper disclosure.
6. Does your IRT know whom to contact in every department, and does every department know who the IRT is and what they do?
Your IRT needs to know whom to contact in every department, and possess the authority to bring in external experts, your cyber insurance carrier, law enforcement, or your legal counsel. Waiting for long approval processes doesn’t make for good risk mitigation.
7. Have you reviewed your severity categorization rules recently?
Severity categories must be reviewed frequently, as the nature of data breaches is always changing. Trojans, malware, ransomware, and viruses that spread are always considered critical. But what about thumbdrives, wireless access points, or text messages? If you have installed new software, review your severity rules — and set up logging to enforce them.
8. Do you know who to contact if the breach is credit card-related (PCI-DSS) or healthcare-related (HIPAA)?
When a breach occurs is not the time to be assembling this data. Have it ready and available, and most importantly, available outside your regular IT/ERP systems. When an incident occurs, assume you won’t have access to your internal systems.
9. Do you know the penalties for failing to notify required agencies or clients?
For example, the federal HITECH law has potential fines as high as $250,000 per incident for failure to meet notification standards. Your insurance carrier may deny your claim if you fail to report a breach according to their requirements. Always know, and revisit frequently to update, the specific rules and regulations that apply to you and your clients.
10. Are you continually learning, or just retraining?
You probably conduct annual security training for your employees. Make sure this is more than just an hour spent retraining using last year’s material. Always use every incident and every new development as an opportunity for learning.
If you haven’t invested in a phishing simulator for testing, this is a tool you shouldn’t ignore. Your security is only as strong as your weakest user reading a malicious email. It is important to never stop testing and never stop learning. If there are lessons learned, incorporate them into your incident response and risk mitigation plan.
Here are two more questions that should be easy to answer:
11. Do you have a readily available list of your clients, what data they own, and who to notify in case
of a breach?
12. Does your cyber insurance carrier have special instructions on who and when to contact them?
Protecting and ensuring compliance for every business today is more than a full-time job; it requires 24/7 monitoring of all data, networks, and internal processes. The security of your data should be priority-one and it is important to implement the proper protections, whether internally or by partnering with a third-party provider. Without these fundamental controls, there is a definite opportunity for data to be unmonitored, leaving a company open to a multitude of risks that with the proper planning and processes can be averted.
Scott Stephens is President, DATAMATX, providing customized print and electronic document solutions for mission critical customer communications for over 200 clients nationwide.