Wyoming employers of all sizes, whether they know it or not, are locked in an ever-escalating arms race to keep their data safe and secure. Despite rising awareness of the risks of poor data security and poor preparedness for responding to data breaches, the number and average cost of data breaches continue to rise. According to a 2016 Ponemon Institute study, the average cost of a data breach was $158 per record. That same study estimated the average total cost of a data breach in 2016 to be $7.01 million—up significantly from 2015’s cost of $5.85 million.
And although the reporting on security incidents often focuses on breaches of customers’ credit card or other sensitive information, employers maintain a significant trove of even more sensitive data: employees’ social security numbers, banking account information, addresses, and dates of birth. Although a credit card can be easily canceled, it is difficult to change a social security number and impossible to change a date of birth.
The good news is that employers who pay attention to their information-security risks can reduce both the likelihood of a data breach and the costs of a breach should a breach occur. Many employers have begun to administer regular cybersecurity awareness training for their employees, which is a great first step. But, if you are an employer, consider taking these five additional steps:
1. Empower your workforce to address cyber risk mitigation and preparedness in their areas of responsibility.
The employees who interact with an employer’s valuable data are often in the best position to report lax access controls, identify places where sensitive personal information is stored without adequate encryption, and discover vulnerabilities in their line-of-business software. Encourage employees to take responsibility for identifying these shortcomings, resolving issues within their ability, and consulting appropriate technology experts for those issues that are beyond their ability. And, identify and educate key employees to take up information-security leadership roles in each area of responsibility.
2. Consider the risks associated with data breaches and service unavailability when contracting, especially with information service and benefit providers.
Increasingly, employers are using cloud-based information services. These can be a great way for your organization to extend its capabilities, but you should review your contracts with these service providers to ensure that they are taking responsibility for data breaches that result from their own negligence or wrongdoing. Also, insist that any major information service providers perform routine audits and make an appropriate version of their audit reports available for your review. And, insurers now offer coverage for cybersecurity risks; although these risks are generally not covered under traditional liability policies, coverage for these risks can be surprisingly affordable.
3. Work with a law firm or information security service provider to do a risk assessment.
Consider performing an enterprise cybersecurity risk assessment. Many information security service providers are happy to tailor and deliver a risk assessment appropriate for their clients’ businesses. Consider retaining the services of your chosen security professional through a competent cybersecurity law firm so that your lawyers can help you reduce the chance that your assessment could be used against you in court.
4. Create relationships with an information security service provider, a law firm, and other key responders in advance.
No matter what mitigation steps an employer takes, there will always be a risk of a breach. Cybersecurity professionals often correctly warn their clients that it is not a matter of “if,” but “when.” When you realize you’ve had a data breach, you’ll need to swiftly identify the scope of the breach, determine whether you need to notify customers, employees, and government agencies of the breach, and create a plan to minimize the public and employee relations consequences of the breach. And the deadlines for reporting a breach that affects employees or customers in certain states can be as short as 15 days, which makes advance preparation critical.
5. Address your worst performers.
Employers are often reluctant to manage out their worst performers. But according to the 2016 Ponemon study, about a quarter of data breaches result from employee negligence. And, according to a 2015 Verizon report, about half of all security incidents are traceable to people inside your organization. The worst performers in an organization—those who do the minimum necessary to avoid dismissal—not only cost you productivity, but heighten your risk for data breaches. Manage them up or out.