In November 2016, Europol had a large data breach, where over 700 pages on terrorism investigations of Europol were discovered by Dutch television show Zembla. The data was brought home by an employee without permission, and copied to an unprotected personal hard drive connected to the internet. Measures had been taken by Europol to prevent a data breach. Was this enough? In this blog 10 measures every privacy aware CISO should take are presented.

1. Improve end-user security and privacy awareness
   Creating a security and privacy minded culture and providing hands-on training will not only decrease the amount of incidents where your employees accidently leak data but also allow them to recognise and respond to social engineering attacks such phishing or fraudulous phonecalls and make them aware to handle sensitive document with care. For example when they are making photocopies of passports for HR or send sensitive documents over email unencrypted.
2. Identify sensitive data
   An organisation and their employees need to know which data that they have in their possession is to be considered a crown jewel. Content-aware Data Loss Prevention (DLP) tools can aid you identifying sensitive data, classifying it, and perform appropriate remediation/enforcement based on content classification.
3. Detect suspicious employee behaviour
   Automatic detection of suspicious employee behaviour on systems with sensitive data and implementing DLP solutions may allow you to foresee possible data leaks. These tools are able to recognise several typical insider attacker behaviours, such as employees downloading data from a company server to their workstation and email it out or copy it to a portable media device.
4. Encrypt sensitive data
   Stolen laptops and lost USB drives represent a high percentage of the data leakage incidents. Encrypting private, confidential or sensitive information (including data at rest and in transit), along with strong password policies and the ability to remotely wipe lost devices prevents outsiders accessing it.
5. Monitor data access and network traffic
   By monitoring access to sensitive data and the transport of this data on the network you may be able to detect a data leak in an early stage. For example you can monitor in- and outbound traffic for spam and malware. In addition, network-based DLP products can monitor protocols and services, including instant messaging, social networking sites, peer-to-peer file sharing and FTP traffic. Data Activity Monitoring (DAM) solutions can monitor database activity, alerting you when access failures occur on a server storing sensitive information.
6. Filter and limit internet and web traffic
   Someone who wants to steal sensitive information may use a personal web mail account or upload information to a Web-based file-sharing site. We recommend to limit employee access to risk websites such as file sharing sites (WeTransfer, Dropbox ) or personal email boxes.
7. Secure end user devices
   Over 90% of the attacks take place (intentionally or unintentionally) via an end user workstation. As such securing end point systems is essential to prevent data leaks. Think of encryption, remote wiping and endpoint backup, limit (administrative) rights for users, implement application whitelisting and make sure operating system and third party applications, browser plugins and Java are patched regularly.
8. Avoid Shadow-IT
   Your departments may be using cloud based solutions that your IT department is not aware of (a.k.a. “Shadow IT” ). These services pose serious risk for data breaches as there is no control over shared information. Perform an internet presence scan regularly basis to identify online solutions that are used without your knowledge.
9. Implement breach response process
   Having a response plan will help in triggering quick response to data breaches and reduce harm. The plan should contain steps involving notification of the concerned staff or the agency who assists in containing the breach.
10. Implement and test physical security measures
    The risk of physical breaches are often overlooked. You should not only actively monitor sensitive locations and limit employees' access to them to reduce opportunities but also use social engineering assessments to assess the effectivity of those measures.

With the measures above you have taken important steps to limit the risk of a data breach within your organisation. In our next blog we describe which steps you can take in case you are confronted with a data breach anyhow.