Data Security Policies and Procedures Running Empty
Original article http://www.law.com
By Catherine Dunn
What could your company do to improve its data breach preparedness? For starters, try testing employees’ mobile devices for security and changing network access rights for workers who’ve been terminated, according to a recent study by the Ponemon Institute and Experian Data Breach Resolution. The study, “Is Your Company Ready for a Big Data Breach?”, sampled 471 compliance, privacy, and IT personnel at U.S. companies — 52 percent of whom said their organization experienced more than one breach of sensitive business records in the past two years. Among the respondents, 21 percent said they report directly to their company’s compliance officer; 19 percent to the chief information officer; and 17 percent to the general counsel.
First, the authors pointed out a few big holes in the respondents’ data security practices that could lead to a breach. Even though 78 percent said employees are allowed to bring their own devices (including smartphones and tablets) to work, 33 percent said they don’t require those devices to be tested for security purposes before they’re hooked up to company systems. Another 28 percent said they were unsure if such a requirement exists.

When it comes to who can access the company network, “less than half (44 percent) of respondents say that their organization is effective in authenticating and making sure that only the appropriate employees and contractors have access to its information systems,” the report states. And then there are the ex-employees who certainly shouldn’t have access to company data. Only 43 percent of respondents said their employer “promptly” changes network access rights when an employee or contractor leaves the job.

The report indicated that many organizations aren’t monitoring their systems for unusual traffic. “Only one-third of respondents say their organizations are taking such preventative measures as monitoring for potential risks to the network and enterprise system,” the authors say. “Also, many respondents (36 percent) do not know if this practice is in place.”

The report also recommended more privacy training for employees: “Only 44 percent of respondents say their organizations have a privacy or data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information.”

Once an incident has occurred, companies could stand to improve their communication with customers whose data has been compromised. That includes training customer service reps on how to answer questions about a breach (only 30 percent of survey respondents said they do this), and verifying that contact with each victim is complete (only 11 percent of respondents are doing this).
“Based on the findings of this research, many organizations are losing opportunities to reduce the risk of negative opinion and loss of customer trust by not focusing on communications with victims,” according to the report.