Follow these steps to identify and protect your business’s assets and detect, respond to, and recover from a cybersecurity incident.
By Bill Fanelli
Picture yourself with a thick wad of $100 bills in your wallet. You probably know how many there are and exactly where your wallet is, right? Can you say the same about your customers’ data?
The Ponemon Institute’s 2017 Cost of Data Breach Study estimates that each lost record in a data breach costs businesses $141. Consider the customer data on your mobile phone. Rounding down, the customer data on your phone is analogous to a wallet stuffed with $100 bills. And whose $100 bills are they really? Each bill represents data about — and owned by — a customer. In our thought experiment, those are your customers’ $100 bills.
Let’s use Better Business Bureau’s 5 Steps to Better Business Cybersecurity, derived from the National Institute of Standards and Technology Cybersecurity Framework, to consider what happens when a phone goes missing. The 5 Steps are identify, protect, detect, respond, and recover.
Identify means know your assets and the impact of potential threats. For a lost mobile phone, the first step is to identify the data at risk. Stealing real $100 bills means physically taking them. Threats to data in email are complicated because there are copies of each email in the cloud, on your laptop, and on your phone. The data is in Schrödinger’s wallet — each $100 bill simultaneously exists in your wallet, your safe, and the bank, and a thief only needs to observe any one of them to steal it.
The next step is Protect. Often, phones default to keeping the most recent 200 messages in your inbox. At potentially $100 in data loss each, that is $20,000 worth of your customers’ data.
If you lose your phone, how safe would that $20,000 be? Since a thief needs to see the email, if your phone was locked, you have no loss. Some data-breach laws assume the data is lost even if your phone is locked — unless it is also encrypted. So you have much better protection if you enable encryption on your phone.
Detection is about knowing that data has gone missing. If you lost your wallet full of your customers’ $100 bills, would you wait until you got to the office the next day and casually mention to your supervisor that you need time to go to the store to replace your wallet? If a device with data goes missing, it needs to be reported to the business as fast as you would report a missing stack of 200 $100 bills.
Response is what you will do right now to keep the business going as smoothly as possible and keep the problem from getting worse.
A well-prepared company acts immediately when a phone is reported missing. To keep you on the job, they can give you a loaner phone. To prevent more emails from getting to your lost phone, change your email password immediately. To prevent a thief from seeing the $20,000 worth of emails, wipe the phone remotely.
Recovery addresses getting back to normal. There are two parts in our experiment — the wallet and the 200 $100 bills in it. Too often, businesses get the wallet replacement process right but forget that the $20,000 represents the trust your customers place in you.
Getting back to normal after a phone is lost typically just means replacing the device, reloading apps, and reconnecting to accounts. The big concerns are: How long will this take? Will the employee need time off? How much can the employee do before the phone is replaced? How to do this if the employee is traveling?
Phone replacement centers on getting company operations back to normal, but it can pale in comparison to regaining the trust of customers whose data was lost. Let’s consider the following two conversations with existing customers after a data breach from a lost phone: The well-prepared organization contacts two customers and explains that the salesperson who was supposed to meet them had emails for two afternoon appointments on his phone when it was stolen over lunch. The phone was reported lost and wiped remotely before anyone attempted to access its contents. Alternatively, the unprepared organization contacts dozens of customers to say a salesperson lost a phone containing details about sales calls from the past month, some planned for the next few weeks, and a few not yet scheduled and that their data was (probably) among them. The well-prepared organization will suffer broken trust with many fewer customers, and the road to recovery will be much shorter — and less embarrassing.
In short, be prepared. Identify where all your email resides and understand how it could be lost or compromised. Protect devices carrying email with passwords and encryption. When you detect a lost or stolen phone, report it immediately. Be ready to respond quickly by changing your password and, even better, wiping the device remotely. To ease full recovery, set your phone to download only the email you need today.
This 5-Step approach applies to more than just email. Identify all the data in your organization, and apply the 5 Steps using similar thought experiments to be well-prepared for your next real security incident.
Download the 5 Steps to Better Business Cybersecurity at bbb.org/cybersecurity.