With recent news about Twitter's irresponsible data practices, it is worth talking about controlling access to your most critical files and protecting your most critical data. There are several reasons this matters, but I will lay out the two big ones.
Data Theft is Costly
If you run any kind of business that is subject to data protection requirements, you are already familiar with this area. The point is that you are required to make a best effort to protect individuals' personally identifiable information (PII) and their protected health information (PHI). Failure to do so can result in fines that are assessed in tiers. These fines range from $100 per violation to $50,000 per violation, and the governing agencies have discretion over which tier you fall into. What keeps you out of the top tier is knowing about security threats (not ignoring them) and taking action against them. Knowing about threats and not acting on them is considered willful neglect, and it can be extremely costly in fines and in prosecution for failure to maintain proper security processes. As a result, keeping track of who has your data, so that you are never in that position, can be extremely important.
Your Cyber Insurance Probably won't Cover it
As the industry has changed over the past several years, insurers have stepped forward with coverage for the many cybersecurity threats that have been appearing across the industry. But as the marketplace has matured, insurers have written a number of rules excluding various kinds of attacks, which means the cost falls solely on the company. Many executives consider cyber insurance a catch-all for potential failures; this is far from true. Here are several areas where a claim can be denied:
- Failure to Maintain / Failure to Follow - The organization has failed to meet the minimum security processes spelled out in the policy. These can include (and often do) requirements such as 24/7/365 security coverage, or responding to known security threats within a required window. Failing to meet any of them can get your claim denied.
- Internal Threats / Social Engineering - If your employees are targeted through a cybersecurity failure but then willingly transfer money to an unverified recipient, or are fooled into paying fake invoices, the insurer does not treat that as a cybersecurity problem. According to insurers, this is fraud, and the policy is not guaranteed to cover it.
So, again, Who has access to your data?
As I said at the beginning of the blog, Twitter is currently dealing with the problem of too many people with improper access - access to files and information they should not be able to reach - and that raises the risk of insider threats. An insider threat is someone within the organization who decides to take the valuable data your company holds and steal it, sell it, or damage it.
And nowadays, more and more people are given access to data they should never have been granted. How many people in your office have direct access to customer data? How many have access to your customers' personally identifiable information? How many have internal access to customer systems, servers, or lines of business?
What happens if one of those employees decides to break the law, and you don't catch it? Whose responsibility is it?
It's your responsibility.
You can pay for the best cyber insurance policy in the world, but if your employees cause a breach through their actions, many insurers will not guarantee payment of the damages caused. Fines, ransom, any of the failures of your cyber security infrastructure that are caused by an insider threat can be excluded from those policies.
As a result, it comes down to the same question, again. Who has access to your data? And should they?
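One practical way to start answering that question is an entitlement review: expand every group grant on a sensitive data store into the individual users it reaches, then compare each user's role against the roles that actually have a business need for that data. The script below is an added example, not code from the original post or from Twitter; the users, groups, ACLs and role policy in it are constructed for illustration, and it flags two things that keep turning up in real reviews: broad groups such as "all-staff" granted on regulated data, and individual users whose effective access is not justified by their role.

```python
"""Minimal entitlement review for regulated data stores.

Added example with constructed data: which users can reach each sensitive
resource once group grants are expanded, and is that access justified by role?
"""

# Constructed directory: each user's role and group memberships.
USERS = {
    "alice": {"role": "billing", "groups": {"billing-team", "all-staff"}},
    "bob": {"role": "engineering", "groups": {"eng", "all-staff"}},
    "carol": {"role": "support", "groups": {"support", "all-staff"}},
    "dave": {"role": "marketing", "groups": {"marketing", "all-staff"}},
}

# Constructed ACLs: resource -> principal (user or group) -> permissions.
# A grant to a group applies to every member of that group.
ACLS = {
    "customer_pii_db": {
        "billing-team": {"read"},
        "support": {"read"},
        "bob": {"read", "write"},      # a direct grant to an engineer
        "all-staff": {"read"},         # the kind of grant that leaks PII
    },
    "phi_exports_share": {
        "billing-team": {"read", "write"},
        "dave": {"read"},              # marketing has no need for PHI
    },
    "public_website": {"all-staff": {"read", "write"}},
}

# Role policy: which roles have a business need for each regulated resource.
# Resources not listed here are not considered sensitive.
SENSITIVE = {
    "customer_pii_db": {"billing", "support"},
    "phi_exports_share": {"billing"},
}

# Group names that mean "essentially everyone" and never belong on regulated data.
BROAD_GROUPS = {"all-staff", "everyone", "authenticated-users"}


def effective_access(resource):
    """Return {user: permissions} after expanding group grants into users."""
    acl = ACLS[resource]
    result = {}
    for user, info in USERS.items():
        perms = set(acl.get(user, set()))
        for group in info["groups"]:
            perms |= acl.get(group, set())
        if perms:
            result[user] = perms
    return result


def review(resource):
    """Return a list of finding strings for one resource.

    Findings: broad-group grants on a sensitive resource, followed by users
    (in sorted order) whose role is not on the allowed list for that resource.
    Non-sensitive resources produce no findings.
    """
    findings = []
    allowed_roles = SENSITIVE.get(resource)
    if allowed_roles is None:
        return findings
    for principal, perms in ACLS[resource].items():
        if principal in BROAD_GROUPS:
            findings.append(
                f"{resource}: broad group '{principal}' granted {sorted(perms)}"
            )
    for user, perms in sorted(effective_access(resource).items()):
        role = USERS[user]["role"]
        if role not in allowed_roles:
            findings.append(
                f"{resource}: {user} ({role}) has {sorted(perms)} without a role-based need"
            )
    return findings


def review_all():
    """Run the review over every resource in the ACL set."""
    return {resource: review(resource) for resource in ACLS}


if __name__ == "__main__":
    for resource, findings in review_all().items():
        print(f"== {resource}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

In a real environment the `USERS` and `ACLS` tables would be pulled from your directory and from the data stores' own permission APIs; the review logic stays the same, and the output is the list of grants you have to either justify or revoke.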