Do your due diligence to prevent breaches – no matter your industry

Breaches, who cares? I am not a bank, merchant or healthcare company, so I’m safe, right? Wrong. Technically, any company with employees is at risk. Even if your company doesn’t process cardholder data, ePHI or NPI. Why you ask? Because a data breach is a serious problem that affects just about any corporation, regardless of the nature of its business. Look at Major League Baseball and the Houston Astros, for example, who were recently breached by another baseball team to gain statistics, video and other vital information about players from their operations database.

The bottom line is that corporations receive payment and benefits and employers generally must collect PII, which is any data that could potentially identify a specific individual. This creates an obligation for the corporation to protect the anonymity of its employees and respond to any breach of that information. Potential data breach class action adversaries are not just external to the corporation. The claims can also come from inside. If you think I am kidding, look up Corona versus Sony Pictures Entertainment. The judge handed Sony employees a significant victory after an identity was stolen and a victim was threatened with physical harm.

As a CEO of an organization who is not a bank or merchant, Major League Baseball team or a healthcare organization and decides, “No, not me. Nobody cares about me or my corporation’s data.” You might want to think again about due diligence. Organizations need to identify, monitor, measure and manage risk. The Under Armour motto says, “Protect This House” and I couldn’t agree more.

Here are a few tips on how to perform due diligence

  1. Conduct a Risk Analysis: know what level of risk and maturity your organization is operating at
  2. Classify your data: discover where critical data is located, utilize an appropriate discovery tool
  3. Encryption: encrypt your data at rest and in motion
  4. Segment your network: network segmentation reduces the attack surface of the zone in which sensitive data such as ePHI, NPI and PII resides, thereby allowing organizations to deploy the appropriate tool sets and telemetry more efficiently to defend the sensitive data