Bernstein Data Realizes the Importance of Limiting Damage from Bad Actors.
According to a study by IBM, the average data breach in the U.S. costs a business $9.4 million. In 2021, the number of data breaches and cyberattacks rose over 15% from the prior year. Ransomware costs in the U.S. quadrupled from 2020 to 2021, according to a report by the Financial Crimes Enforcement Network.
As an organization, how can you avoid becoming another victim and statistic? Preventing bad actors from infiltrating your organization’s network and data is paramount – cybersecurity and data protection are foundational. But protecting sensitive corporate and personal information calls for minimizing the risks and impacts of exposure should a breach occur. This requires a comprehensive suite of Information Governance and Records Management solutions, along with ongoing training and vigilance.
Limiting your data reduces the size of your data at risk – the “target” – and is a vital step. The more data you have, the greater your vulnerability. Having a Retention Schedule, disposal processes, and a destruction policy ensures you are only retaining what is essential to operate the business, including disaster recovery and complying with regulatory obligations and legal requirements; this minimizes risk exposure and related costs. Taken together, this creates an effective “defensible disposal” posture.
Any internal policy or practice that exacerbates risk should be scrutinized. For example, many companies rely on e-mail to transmit data and files, which many times includes personal information of customers, patients, employees, etc. Doing so also duplicates information onto multiple computers; this creates an even bigger “attack surface” of sensitive information to be managed.
Reducing Negative Consequences
Select industries like healthcare are subject to specific regulatory oversight about data breaches. When personal data held by a healthcare provider is compromised, this triggers multiple consequences under HIPAA regulations. In those instances, the Office for Civil Rights (OCR) of the U.S. Department of HHS may levy fines based on the number of people affected and the amount of personal information exposed. In addition to the OCR publicizing breaches, the breached organization must submit to an audit, perform remediation, provide every piece of information compromised, and notify everyone impacted.
According to a study by Proxyrack, the top five industries most targeted by hackers since 2004 are (in order): web-based businesses, healthcare, financial, government, and retail. For any business or organization that suffers a hack, the financial and reputational costs can be substantial. But when a victimized organization had been following good Information Governance practices and Records Management procedures, it may lessen possible penalties and negative repercussions by demonstrating it was doing everything possible to protect personal information.
Keeping E-mail Transitory
Despite firewalls, data loss prevention software, and other cyber-risk measures, bad actors still access organizations’ systems and data. Malicious e-mail is a common culprit. An unsuspecting or careless user clicks on a link in an e-mail that appears harmless but instead launches malware. If the e-mail client allows scripting, simply opening the e-mail may be enough to activate a virus. Once a breach happens, how much data is vulnerable, even just within e-mails and related attachments?
The sheer volume of e-mail can be overwhelming, numbing risk sensitivity. The total number of business and consumer e-mails sent and received per day is forecast to grow to over 376 billion by the end of 2025. According to a Webroot report, 30 percent of global workers have clicked on a phishing link in the past year. To minimize risks, effective training is vital, which includes teaching employees to recognize suspicious e-mails before they cause damage.
Limiting the volume of e-mail reduces risk. E-mail should be used for transitory communication; it is not a document management system! Employees should also be taught about tools to move information with long-term value off the e-mail system, making it easier to retain, organize, and retrieve later. Absent any specific regulations, companies should strongly consider automatically deleting e-mails or at least e-mail attachments after a given period.
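The retention-schedule and automatic-disposal approach described above can be made concrete with a small disposition planner. The following is an added illustration, not Bernstein Data's own tooling: it assumes mailbox metadata has been exported into records with a received date, a record class assigned by the Retention Schedule, an attachment flag, and a legal-hold marker (all field names and the sample messages are constructed for this example). It applies a per-class rule, strips attachments earlier than it deletes message bodies, never auto-disposes anything on legal hold or of unknown class, and writes a disposition log so the disposal is defensible after the fact.

```python
"""Retention-schedule enforcement over exported mailbox metadata (illustrative)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class RetentionRule:
    record_class: str
    retain_days: int       # whole message deleted after this many days
    attachment_days: int   # attachments stripped after this many days (<= retain_days)


@dataclass
class Message:
    msg_id: str
    received: date
    record_class: str      # assigned by the Retention Schedule, e.g. "transitory"
    has_attachment: bool
    legal_hold: bool = False


@dataclass
class DispositionPlan:
    delete: list = field(default_factory=list)
    strip_attachments: list = field(default_factory=list)
    retain: list = field(default_factory=list)
    held: list = field(default_factory=list)
    log: list = field(default_factory=list)  # (msg_id, action, reason) for the disposal record


# Constructed schedule: transitory mail is short-lived, contract mail is kept 7 years.
SCHEDULE = {
    "transitory": RetentionRule("transitory", retain_days=90, attachment_days=30),
    "contract": RetentionRule("contract", retain_days=7 * 365, attachment_days=7 * 365),
}


def plan_disposition(messages, schedule, today):
    """Decide, per message, what the schedule allows to be disposed as of `today`."""
    plan = DispositionPlan()
    for m in messages:
        # Legal hold overrides every rule: nothing on hold is touched.
        if m.legal_hold:
            plan.held.append(m.msg_id)
            plan.log.append((m.msg_id, "hold", "legal hold in effect"))
            continue
        rule = schedule.get(m.record_class)
        if rule is None:
            # Unclassified mail is never auto-disposed; it is retained and surfaced for review.
            plan.retain.append(m.msg_id)
            plan.log.append((m.msg_id, "retain", f"no rule for class {m.record_class!r}"))
            continue
        age_days = (today - m.received).days
        if age_days > rule.retain_days:
            plan.delete.append(m.msg_id)
            plan.log.append((m.msg_id, "delete", f"{rule.record_class}: age {age_days}d > {rule.retain_days}d"))
        elif m.has_attachment and age_days > rule.attachment_days:
            plan.strip_attachments.append(m.msg_id)
            plan.log.append((m.msg_id, "strip", f"{rule.record_class}: age {age_days}d > {rule.attachment_days}d"))
        else:
            plan.retain.append(m.msg_id)
            plan.log.append((m.msg_id, "retain", f"{rule.record_class}: within schedule"))
    return plan


# Constructed sample mailbox, evaluated as of a fixed date so results are reproducible.
AS_OF = date(2025, 6, 1)
SAMPLE_MESSAGES = [
    Message("m1", date(2025, 1, 1), "transitory", has_attachment=False),            # 151 days old
    Message("m2", date(2025, 4, 15), "transitory", has_attachment=True),            # 47 days old
    Message("m3", date(2025, 5, 20), "transitory", has_attachment=True),            # 12 days old
    Message("m4", date(2015, 1, 1), "contract", has_attachment=True, legal_hold=True),
    Message("m5", date(2020, 1, 1), "contract", has_attachment=True),               # ~5.4 years old
    Message("m6", date(2024, 1, 1), "unknown", has_attachment=True),                # unclassified
]


def sample_plan():
    return plan_disposition(SAMPLE_MESSAGES, SCHEDULE, AS_OF)


if __name__ == "__main__":
    p = sample_plan()
    for entry in p.log:
        print(*entry)
```

The planner only produces a plan and a log; the actual delete or attachment-strip step would be a separate, audited action against the mail platform. Keeping the two apart is what lets the disposal log stand as evidence that each item was removed under a stated rule rather than ad hoc.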
By carefully operationalizing industry-leading Information Governance policies and procedures, you can maximize the information security of e-mail, documents, files, and everything else that could attract bad actors, and reduce negative financial, operational, and/or reputational consequences.
Bernstein Data Solutions
- Identify Internally Hosted Data – Strategy-based processes, with accompanying technology, to identify records and personal data in existing data stores, applications, and business tools.
- Technology to Store and Archive Data – Enterprise Archiving solutions that enable the proper retention and disposal of information, including messaging, voice, structured and unstructured data.
- Apply Information Security Classifications – Information Classification (for information security purposes) aligned to record types, and those requirements applied at source, by incorporating Information Classifications in data source catalogues, archive design, and IT Asset Management knowledge bases.
- Utilizing Encryption to Safeguard Data – Encryption/decryption processes that protect personal data while allowing for eDiscovery activities.
- Processes to Facilitate Data Disposal – Processes to support and assure the disposal of information that is no longer required, especially personal data.
Solutions are built from a comprehensive set of Information Governance capabilities utilizing our proprietary IG Operating Framework.