One of the goals of this course is to help your company prevent a data breach by properly training personnel. We describe ways to prevent a data breach and draw attention to the methods that cyber-criminals use to deliver the payloads that expose the company's network. It is this exposure that allows for the exfiltration of data.
A data breach is the intentional or unintentional release of, most often, private and confidential data. In a data breach, it is the data itself behind the information disclosure that enters the hands of an untrusted party.
A data breach may occur in varying scenarios. For example, the exfiltrated data might have been the target of a malicious actor. That actor may be associated with organized cyber-criminal groups, activists, or nation-states. It may also occur when data storage devices are disposed of improperly.
Data Breach Notification
In the United States, companies are required to notify government agencies when a data breach takes place. Subsequently, affected customers and/or employees must also be notified. Notification typically takes place via a written letter, but other options are available to companies or organizations that suffer a breach; some companies have chosen to create television commercials to notify their customers. Following a breach, the company must offer free identity and fraud monitoring services to those whose personal and/or financial information was exfiltrated. Data breach notification laws exist for all states and all territories within the United States of America. A list of data breach notification laws can be found here.
Avoiding a Data Breach
The United States Federal Trade Commission has created a document that acts as a guideline for corporations of any size. These guidelines impart a level of responsibility to the corporation and describe a means to secure its networks and the personal data the company maintains. A Written Information Security Program (WISP) contains all of the practices and procedures necessary to best position the company to avoid a data breach.
Written Information Security Program (WISP)
In the United States, when reporting a data breach to a government agency, one must provide their Written Information Security Program (WISP) to the requesting agency. This is done so the government agency may verify that the company had the proper practices, policies, and guidelines that, when followed, would have allowed it to protect the company's data from a breach. A Written Information Security Program is a requirement for all companies, no matter their size. If you are a sole proprietor operating as the sole employee, you are still required to have a Written Information Security Program (WISP). A member- or board-operated business with one or more employees must also have a WISP.
Employees of a company or organization are often the cause of a data breach. Various trusted sources report that insiders accidentally cause between 14% and 37% of data breaches.