Data breaches, 10 measures for the privacy aware CISO

Since January 2016, Dutch organisations have been required to report data breaches to the Autoriteit Persoonsgegevens (the Dutch data protection authority) and, where relevant, to the data subjects affected. A data breach is defined as an event in which access to data has been obtained unlawfully, or in which data is published, altered or deleted without the approval of the organisation. The number of data breaches has grown year by year. They can be caused by technical failures, or by social engineering: exploiting people's trust by displaying knowledge of their roles, culture and jargon.

Consultant, KPMG in the Netherlands

Contact

Related content

In November 2016, Europol suffered a large data breach: over 700 pages on Europol terrorism investigations were discovered by the Dutch television programme Zembla. An employee had taken the data home without permission and copied it to an unprotected personal hard drive connected to the internet. Europol had taken measures to prevent a data breach. Were they enough? This blog presents 10 measures every privacy-aware CISO should take.

  1. Improve end-user security and privacy awareness
    Creating a security- and privacy-minded culture and providing hands-on training will not only reduce the number of incidents in which your employees accidentally leak data, but also enable them to recognise and respond to social engineering attacks such as phishing or fraudulent phone calls, and make them handle sensitive documents with care, for example when photocopying passports for HR or sending sensitive documents by unencrypted email.
  2. Identify sensitive data
    An organisation and its employees need to know which of the data in their possession is to be considered a crown jewel. Content-aware Data Loss Prevention (DLP) tools can help you identify sensitive data, classify it, and apply appropriate remediation or enforcement based on that classification.
  3. Detect suspicious employee behaviour
    Automatic detection of suspicious employee behaviour on systems holding sensitive data, combined with DLP solutions, may allow you to spot a possible data leak before it happens. These tools can recognise several typical insider behaviours, such as an employee downloading data from a company server to their workstation and then emailing it out or copying it to a portable media device.
  4. Encrypt sensitive data
    Stolen laptops and lost USB drives account for a high percentage of data leakage incidents. Encrypting private, confidential or sensitive information (both at rest and in transit), together with strong password policies and the ability to remotely wipe lost devices, prevents outsiders from accessing it.
  5. Monitor data access and network traffic
    By monitoring access to sensitive data and its transport across the network, you may be able to detect a data leak at an early stage. For example, you can monitor inbound and outbound traffic for spam and malware. In addition, network-based DLP products can monitor protocols and services, including instant messaging, social networking sites, peer-to-peer file sharing and FTP traffic. Database Activity Monitoring (DAM) solutions can monitor database activity and alert you when access failures occur on a server storing sensitive information.
  6. Filter and limit internet and web traffic
    Someone who wants to steal sensitive information may use a personal webmail account or upload the information to a web-based file-sharing site. We recommend limiting employee access to risky websites such as file-sharing sites (WeTransfer, Dropbox) and personal email accounts.
  7. Secure end-user devices
    Over 90% of attacks take place (intentionally or unintentionally) via an end-user workstation. As such, securing endpoint systems is essential to prevent data leaks. Think of encryption, remote wiping and endpoint backup; limit (administrative) rights for users; implement application whitelisting; and make sure the operating system, third-party applications, browser plugins and Java are patched regularly.
  8. Avoid shadow IT
    Your departments may be using cloud-based solutions that your IT department is not aware of (also known as “shadow IT”). These services pose a serious risk of data breaches, as there is no control over the information shared through them. Perform an internet presence scan on a regular basis to identify online solutions that are used without your knowledge.
  9. Implement a breach response process
    Having a response plan will help trigger a quick response to a data breach and reduce the harm done. The plan should describe the steps for notifying the staff concerned and the agency that assists in containing the breach.
  10. Implement and test physical security measures
    The risk of physical breaches is often overlooked. You should not only actively monitor sensitive locations and limit employees' access to them to reduce opportunities, but also use social engineering assessments to test the effectiveness of those measures.
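The detection logic that measures 3 and 5 describe, as an added example (not code from the original post or from any DLP or DAM product): a small correlation rule over constructed audit lines in an assumed, simplified `timestamp user=… action=… object=…` format. It flags a user who reads several files from a file server and then copies to removable media or mails out within a time window, and a user who accumulates repeated database access failures on a sensitive object.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (illustrative; the log format is an assumption).
SAMPLE_LOG = """\
2016-11-03T09:01:10 user=jdoe action=fileserver_read object=hr/salaries.xlsx
2016-11-03T09:01:45 user=jdoe action=fileserver_read object=hr/contracts.zip
2016-11-03T09:02:30 user=jdoe action=fileserver_read object=hr/appraisals.docx
2016-11-03T09:15:02 user=jdoe action=usb_copy object=hr/contracts.zip
2016-11-03T10:00:00 user=asmith action=fileserver_read object=it/runbook.pdf
2016-11-03T10:05:00 user=asmith action=mail_out object=it/runbook.pdf
2016-11-03T11:00:01 user=svc_report action=db_access_denied object=customers.ssn
2016-11-03T11:00:02 user=svc_report action=db_access_denied object=customers.ssn
2016-11-03T11:00:03 user=svc_report action=db_access_denied object=customers.ssn
2016-11-03T11:00:04 user=svc_report action=db_access_denied object=customers.ssn
2016-11-03T11:00:05 user=svc_report action=db_access_denied object=customers.ssn
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+)$")
EXFIL_ACTIONS = {"usb_copy", "mail_out"}  # hypothetical action names

def parse(log):
    """Yield (timestamp, user, action, object) tuples; skip lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def detect(log, min_reads=3, window=timedelta(minutes=30), max_failures=5):
    """Return sorted (rule, user) alerts. 'exfil': >= min_reads file-server reads
    followed within `window` by a USB copy or outbound mail (measure 3).
    'db_failures': >= max_failures DB access failures within `window` (measure 5)."""
    per_user = defaultdict(list)
    for ev in sorted(parse(log)):          # chronological order per user
        per_user[ev[1]].append(ev)
    alerts = set()
    for user, events in per_user.items():
        for i, (ts, _, action, _) in enumerate(events):
            if action in EXFIL_ACTIONS:
                reads = [e for e in events[:i] if e[2] == "fileserver_read" and ts - e[0] <= window]
                if len(reads) >= min_reads:
                    alerts.add(("exfil", user))
            if action == "db_access_denied":
                fails = [e for e in events[:i + 1] if e[2] == "db_access_denied" and ts - e[0] <= window]
                if len(fails) >= max_failures:
                    alerts.add(("db_failures", user))
    return sorted(alerts)
```

In the sample, only `jdoe` (three reads, then a USB copy) and `svc_report` (five denied accesses) are flagged; `asmith` mails out a file after a single read and stays below the threshold, which is the kind of tuning a real DLP or DAM rule needs to keep false positives down.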

With the measures above you have taken important steps to limit the risk of a data breach within your organisation. In our next blog we describe which steps you can take if you are nevertheless confronted with a data breach.
