Cyber Insurance 101 – Data Loss Protection
While filling out your most recent Cyber Insurance policy, you may have noticed a question about Data Loss Protection policies. The insurance company wants to know that your company has policies in place that prevent Personally Identifiable Information (PII), health information protected by HIPPA, or protected financial information from being stored, destroyed, used, or transmitted in an insecure manner. All business would like to prevent data loss from occurring and most have many systems in place to prevent their data from being lost or leaked including backups, specific permissions to information, firewall protection, and security software installed on machines. These are all part of a Data Loss Protection policy.
Data Loss Prevention policies are starting to be mandated for many types of businesses. Even if they are not mandated, having Data Loss Prevention policies in place can save your company money on the cost of cyber insurance, and a great deal of time and effort if your Data Loss Prevention policy prevents sensitive data from being leaked. Leaks are expensive and require a specific timeframe and set of actions for reporting and response. All companies, regardless of their vertical, must report any data leaks that have personal information and may face fines if they do not.
There are four fundamental areas of a Data Loss Prevention program:
1. Identification
Data that includes PII, financial information, or health care information is most important to protect. Leaks of information of this type can lead to expensive incident response and mandatory reporting. It is important to note that all information does not necessarily need the same level of protection. Identifying the information that needs to be protected allows a company to put the proper policies in place.
2. Data at Rest
Data should be securely stored in an encrypted format with access being limited to only those people that need it. Data should be stored on assets that are controlled by the company. Endpoints that store sensitive data should be protected by an Endpoint Detection and Response solution and should be updated with current security patches.
3. Data in Motion
Data that is being shared, whether by Teams, email, or document sharing is vulnerable to data loss. Encryption plays a key role in this step as do Data Loss Prevention policies and rules that can automatically detect the presence of this information and then alert on, encrypt, or block these pieces of information from being sent or shared.
4. Data in Use
Data is use is any data that is actively being processed by an application or endpoint. Securing data at this stage usually involves authenticating users using multifactor or biometric authentication, limiting access to resources, and controlling the devices that can access the data. Company data should be limited to company owned and controlled devices.
Are you in the New Orleans area? Is your company sure that you are protecting sensitive information at every step? AC3 can collaborate with your company to develop and implement a Data Protection Policy. Talk to an information technology specialist or email us at support@ac3it.com with any questions!