Managing Risk: Part Tres!
First, I apologize about the delay on this last section, but hey…I’ve got thangs to do, okay? Anywho, let’s get started. We’ve talked about risk in planning. We’ve talked about risk with an unplanned recovery strategy. Both of those scenarios are pretty bad, but neither situation can be as detrimental as a data breach. And I’m not talking about your data, but your clients’ data. Ever heard of PI or PII? Well, that’s someone’s personal information. Some of it can be fairly public information, like a telephone number or a name.
Most businesses are going to have that information somewhere in their systems. This would be considered low, or even no, risk. You’re not going to get in much trouble if someone’s name was breached in association with your business; well, of course it depends what type of business you’re in! But…in general, low risk.
The Real Risk
Now, what about social security numbers? Or, maybe medical records? How about Credit Card or bank info? As you can imagine, this would be an increase in risk. In fact, depending on the Personal Information, there would be a general dollar amount associated. Then, to figure out your risk, you would add up all the instances of Personal Information on your network, and that total would be your risk. That total generally takes into account the cost to completely recover from an incident of that nature. I say generally because, part of handling an incident like that means you have to notify the press, which can often mean the end of your business, which…there’s no way to calculate that cost.
I know the discussion of risk sounds bad…and it is, but it’s not all bad. Not if you are prepared. The whole reason why we’re talking about this, right? Riiight!
How to Start
The first step is to identify what information you have in your systems. How do you do that? Well, you could go through every file on every device on your network… Sorry, didn’t mean to give you a heart attack! There are actually tools for that. Tools that will scan your network, find any PII, and let you know what type of information it is.
Next, you need to figure out what’s necessary to have, and remove what’s not. We often find the real problem is an out-of-date process or employees taking shortcuts: they intend to keep the data only temporarily, but it never gets deleted.
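Here is an added example, not from the original post and not any vendor’s tool, of the kind of scanner described above: it walks constructed sample documents, classifies SSN, credit-card (with a Luhn check so random digit runs don’t count) and phone-number hits, and totals the exposure using assumed placeholder dollar figures per record type, the way the risk total is described earlier.

```python
import re
from collections import Counter

# Constructed sample files standing in for documents found on a file share.
SAMPLE_FILES = {
    "hr/onboarding_notes.txt": "New hire Jane Doe, SSN 123-45-6789, phone 555-0100.",
    "sales/old_orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4012888888881881\n",
    "marketing/contacts.txt": "Bob Smith, phone 555-0199, email bob@example.com",
}

# Assumed per-record dollar figures (placeholders, not real actuarial numbers).
COST_PER_RECORD = {"ssn": 200.0, "credit_card": 150.0, "phone": 0.0}

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; filters random digit runs out of the credit-card hits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count PII records of each kind found in one document."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for hit in pattern.findall(text):
            if kind == "credit_card" and not luhn_ok(hit):
                continue
            found[kind] += 1
    return found


def scan_files(files: dict) -> dict:
    """Map each path to its PII counts, dropping files with nothing sensitive."""
    report = {path: classify(text) for path, text in files.items()}
    return {path: counts for path, counts in report.items() if counts}


def total_risk(report: dict, costs: dict = COST_PER_RECORD) -> float:
    """Add up every instance found, weighted by the cost for its kind of data."""
    return sum(costs[kind] * n for counts in report.values() for kind, n in counts.items())
```

Files that show up with SSNs or card numbers are the first candidates for the "is this really necessary?" question that follows.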
If that data is necessary, that information is often better kept in a line of business application. This is usually one of your main systems provided by a vendor that is designed to keep that info, like a CRM or management system. Usually these systems have secure ways of holding that information.
The third option is some way to securely store it on your network with some sort of encryption. There are always options, but without knowing what you have, you may just be waiting for a breach incident. Don’t let something like this keep you up at night. Call in a pro, get your network scanned. Your clients are depending on you! Bye for now.