8 Steps to Create Strong Disaster Management Plans

A core responsibility of any risk professional is planning for any possible disasters your business might face. These could be man-made, such as a data breach or accidents involving machinery, or natural, like a tornado or flood.

Disasters and crises affect different organizations in different ways—one company might consider something a catastrophe, while another may not even notice a change in its workflow. It is important to look at your own business operations and evaluate what you would consider a crisis. Generally, business crises fall into one of three categories:

  1. A danger to the physical safety of employees or customers
  2. Loss of income or means of making income
  3. Events or people negatively affecting your business reputation

In many cases, the crisis may fall into more than one of these categories. An accident in the workplace that is hazardous to employees can impact the company’s income because the factory has to shut down. This can also negatively affect the company’s reputation if it turns out that the company did not provide a safe working environment.

With even the best risk management programs, no organization can avoid all disasters completely. Risk mitigation often comes down to crafting the best plans possible for the moment disaster inevitably strikes. These eight steps can help risk professionals develop strong crisis and disaster response plans:

1. Define The Types of Crises You Could Face: There is no one-size-fits-all approach to a crisis management plan. Working out what is likely to affect your business specifically can relate to your geography—areas that get hit by severe storms or earthquakes must include those potential disasters, and what knock-on effects they may cause. For example, storms may cause flooding, loss of power, or blocked roads that make it difficult to reach your premises. The type of crisis can also be specific to your industry. Employees in a manufacturing facility are likely at greater risk in a physical disaster than those working in a tax consultancy, for example. Security should also be a consideration. Is your business likely to get robbed of cash or equipment? Do you hold high-profile proprietary information that makes you a more likely victim of cybercrime?

2. Triggering the Plan: Including levels of urgency in your plan will help people responding to the crisis pinpoint how significant the event is, and how much of the plan must be put into action. A step-by-step approach for specific scenarios can be helpful and can cover man-made and natural disasters in different ways. The risk for each will be unique to the situation, and knowing when and how to trigger a response is key. The plan should include how and when to escalate the response should the crisis worsen, as well as how to identify when the crisis has passed. It can be helpful to use a red, yellow and green system to indicate severity and urgency; this classification approach is easy to adapt to any scenario.

3. The Base of Operations Location: Accidents or natural disasters may cause your usual place of business to close temporarily or permanently. In your plan, designate a backup command center in an alternate location for dealing with the crisis until you can get back to work. This location can be your company’s operations hub, a point for gathering after a crisis, or where you know your sensitive and important data backs up. If a natural disaster has made travel dangerous or roads impossible to navigate, you will also need a virtual base of operations—some possibilities include message boards, chat apps or email. With so many employees working remotely because of COVID-19, this may be easier to implement now.

4. The Chain of Command: Ensure a clear chain of command so that there is no arguing or confusion when people and the business are at risk. Wherever possible, appoint a back-up for each person in charge so that if someone cannot perform their duty, it falls to the next in line.

5. Internal and External Communication: When a crisis compromises an office or business, communication can become tricky. Have a clear set of rules for how you get information to and from your employees, what information you must and must not share with those outside of the company, and how to achieve that. This part of your crisis management plan can save lives and stop rumors from spreading.

6. Necessary Resources: Though this will depend on the nature of the business, consider first aid and safety equipment if you are likely to have injuries or get cut off because of poor weather. Also, think about alternate communication methods if mobile phone towers go down or the electricity gets cut, as well as access to your sensitive data, such as employee contracts and supplier agreements. Include all necessary resources you would need to operate and highlight any alternate replacements. For example, if a storm knocks out your power, you may have a generator.

7. Training: It is no good putting a crisis management plan together and not giving the relevant people the training they need to execute it. For example, the people you name as first aid providers or unit leaders need to know what is expected of them and undergo the necessary training. If you have safety equipment on your premises, like fire extinguishers or emergency release valves for machinery, you need to educate all stakeholders how these work.

8. Testing the Plan: Finally, test that your plan actually works. Review it with staff and conduct safety drills regularly—every two months at least. Look for any weak points or flaws in the plan before an actual crisis. While it may not be possible to anticipate everything a disaster brings, you can set up several response plans and test each one individually. These plans can tie in with your standard safety drills, or stand alone, depending on the nature of the event anticipated.

A crisis management plan is integral to every business, no matter its size, scope, or sector. By preparing for various potential disasters, you can take action when needed without putting your organization, employees, or yourself at unnecessary risk. 

On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring security and compliance of data assets is a make or break for businesses.

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach. As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights. In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.

Americans Mistrust Companies with Personal Data, Study Shows

According to a new survey by the Pew Research Center, most Americans believe that companies are tracking their activities on and offline, and that this activity is unavoidable. Not only that, but many also believe that they have little control over who can access an array of personal details, such as their location and online activity, including purchases they have made online or in person. This mistrust, coupled with the advent of more stringent data privacy regulations, means a more complex risk landscape for businesses operating online.

While companies often market services that collect data as improving the customer experience, those users likely disagree. In fact, 81% of the American public believe that the risks of companies collecting their data outweigh the benefits. This may have to do with a lack of understanding of what companies do with their data—59% say “they have very little/no understanding about what companies do with the data collected.”

It may also be a perceived lack of control over how companies are collecting and using that data, with 81% saying that “they have very little/no control” over companies collecting their data, and 79% “very/somewhat concerned about how companies use the data collected.” With more online activity, 72% of respondents said that “all, almost all or most of what they do online or while using their cellphone is being tracked by advertisers, technology firms or other companies,” and 64% report seeing ads based on their personal data.

Many companies outline how they use customer data in terms of service or other privacy disclaimers—according to the survey, 81% of respondents say they are asked to agree to a privacy policy at least once a month, and 25% almost daily. However, 74% report that they sometimes or never read a company’s privacy policy before agreeing, and only 22% read the entire text if they do read it.

[Chart: Pew Data Trust]

Security is also a worry, with 70% reporting that they feel like their data is less secure than it was five years ago and only 6% saying it is more secure today than in the past. Considering the vast array of data breaches, seemingly across all industries, this is likely not surprising. Millions of Americans have received notices from their banks, hospitals, or even their hardware store or ride-share app that their personal data has been compromised. According to cybersecurity company Norton, the first half of 2019 saw 3,800 breaches exposing 4.1 billion records, a 54% increase from the first half of 2018.

Given these results, it is no wonder that states, countries, and regions are beginning to enact strict regulations about data privacy. The California Consumer Privacy Act (CCPA), which provides protections for the data of California residents, also exposes businesses that collect, store, use and disclose those residents’ data to serious liabilities. In response to some companies hiding breaches from the public, states are also weighing stronger breach reporting requirements with larger fines for violations. Whether these efforts will diminish user mistrust is unclear—63% said that “they understand very little or nothing at all about the laws and regulations that are currently in place to protect their data privacy.”

Should Companies Ban USBs?

Earlier this month, a Chinese woman was arrested after attempting to enter President Donald Trump’s Mar-a-Lago resort while in possession of a number of suspicious electronic devices, including a USB flash drive. Apparently, the drive contained code that allows malicious software to run immediately after being plugged in, though it is still unclear what kind of malware it was. According to news reports, law enforcement also found nine other USB drives in the woman’s hotel room. If someone was able to connect a USB device to a computer on the resort’s network, attackers might be able to access all sorts of sensitive information and potentially gain control of machines on the network.

Historically, USB use has also aided insider threats, whether in the form of employees inadvertently infecting a corporate device or network with a found USB drive, or purposefully causing an infection or removing sensitive information via USB. In perhaps one of the most high-profile of such cases, Edward Snowden reportedly removed NSA documents from a Hawaii facility on a flash drive before fleeing the country and providing those documents to members of the media.

Beyond the headlines, these devices continue to pose everyday risks. People mindlessly plug in flash drives, or carry their business’s most important documents on them that could accidentally be left in a hotel room or at a conference packed with corporate rivals. As companies evaluate their security policies and how to best secure their data, many are moving away from using USB or even banning them outright.

In May 2018, IBM did just that. The company’s global chief information security officer Shamla Naidoo said that IBM “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive),” and that the prohibition would apply to IBM operations worldwide, which will now rely entirely on the company’s cloud-based storage. Naidoo cited the danger of missing storage devices leading to “financial and reputational damage” as the motivation for the prohibition going forward, and acknowledged that the move may be disruptive for some departments and employees.
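For readers wondering what a removable-storage prohibition looks like as an enforceable technical control rather than a memo, the following is an added example written for this page; it is not IBM’s code or policy and the article does not describe how IBM implemented its ban. It uses the Windows policy key that backs the Group Policy setting “All Removable Storage classes: Deny all access”, and it assumes an elevated PowerShell session on a single endpoint (in a managed fleet the same value would be pushed by GPO or MDM). The function names are this example’s own.

```powershell
# Added example (not from the article or IBM): enforce and audit the
# Windows "All Removable Storage classes: Deny all access" policy.
# Assumes an elevated PowerShell session on the endpoint being checked.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDeny {
    # Turns the deny-all policy on (-Enable) or removes it (no switch).
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enable)

    if ($Enable) {
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All = 1')) {
            # DWORD 1 = deny read, write and execute on every removable storage class
            Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
        }
    }
    elseif (Test-Path $PolicyKey) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Remove Deny_All')) {
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
        }
    }
}

function Test-RemovableStorageDeny {
    # Compliance check: $true only when the policy value is present and set to 1.
    $value = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}

function Get-AttachedUsbDisks {
    # Evidence for the audit trail: USB-attached disks currently present on the host.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Select-Object Number, FriendlyName, Size, OperationalStatus
}

# Usage: enforce, then record the result and any USB disks still attached.
Set-RemovableStorageDeny -Enable
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    DenyAllActive = Test-RemovableStorageDeny
    UsbDisks      = @(Get-AttachedUsbDisks).Count
}
```

Two practical caveats. The policy is evaluated when a device is accessed or enumerated, so a volume that was already mounted before the value was written may need to be reconnected before access is refused; an audit that only reads the registry value should therefore be paired with a check like Get-AttachedUsbDisks, which shows what is physically present regardless of whether it is usable. And because Deny_All covers every removable storage class, it also blocks optical media and phones mounted as portable devices, which is the kind of departmental disruption Naidoo acknowledged.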

A 2016 University of Illinois study also showed that the now-proverbial nightmare scenario of an employee inserting a USB drive they found in a parking lot is actually realistic. After dropping 297 flash drives on a university campus, researchers found that people opened one or more files on 45% of the drives without taking any precautions, and that people moved 98% of the drives from the drop locations. The study’s authors noted that their results suggested that people may have picked up the drives and opened files motivated by altruism (finding the owner) and curiosity. But regardless of intent, simply plugging a flash drive into a company computer can unleash any number of viruses, malware, or other cyber maladies on the company’s network.

Of course, doing away with USBs is also not a security panacea. As always, the user is the weakest part of any IT security plan, and even if a business does decide to ban USB storage devices and move their data storage to cloud-based options, employees should still be trained on password protection strategies and other security hygiene best practices. To make employee cyber-awareness training more effective, check out these tips from Risk Management.