Townsend Security Data Privacy Blog

Steps to Take to Reduce Security Risk

Posted by Luke Probasco on May 13, 2013 3:40:00 PM

Townsend Security recently asked founder and CEO Patrick Townsend to contribute his expertise and thought leadership on data security and executive risk management to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

In his article, Patrick Townsend discusses:

  • 5 misconceptions business executives have about data security
  • 5 steps to take to reduce security risk
  • And what tools to invest in to protect your company's future

Read an excerpt from his article below:

"Many business executives are aware that hackers and data breaches pose a risk to their organizations, but they aren’t sure how much risk they really bear, or even how to assess the risk from a business point of view. Let’s look at some of the misconceptions executives have, and what steps they can take to minimize the risk.

5 Misconceptions About Data Security Risk:

1) If we have a breach, we’ll just pay the fine
In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2) We’ve never had a problem, so things are probably OK
This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3) My software vendors and consultants say they have everything under control
Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants...

Steps to Take to Reduce Security Risk:

1) Talk About It
Discuss the importance of data security with all members of the organization’s leadership team. Then talk to your IT department. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2) Assess Your Current Data Security Posture
If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. First, perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Find the location of all sensitive data. Lastly, evaluate the security of your backup tapes. The right security assessor will help you identify the most urgent problems, and help you prioritize your efforts. This process can also help you overcome any internal resistance to addressing the problem.
3) Invest in Encryption and Key Management
When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution, you should also ask: Is our encryption industry standard and NIST certified, is our key management FIPS 140-2 compliant, is our key management device an external hardware security module (HSM), and are we using dual control and separation of duties to reduce points of failure...”

Read all the points in the rest of the article in your free copy of the eBook HERE.

Patrick Townsend has more than 25 years of experience in the data security industry and brings both a deep well of knowledge and a unique perspective to the subject. He speaks regularly on data protection and encryption key management topics. He has produced a series of educational videos available on YouTube, records podcasts on data privacy, and is a regular contributor to the company's blog.