10 Information Security Best Practices You Can be Thankful For Posted on November 22, 2013 by Tim Burke If you’ve gotten this far through 2013 without an information security breach, count yourself fortunate. According to a recent survey by PwC, CIO magazine, and CSO magazine, security incidents have increased 25% over the last year. The financial costs of these incidents have climbed, too — by 18%. The PwC/CIO/CSO survey points to three culprits: new hacker strategies, the bring-your-own-device (BYOD) trend and cloud computing. And it warns that too many organizations have not changed their security stances, leaving themselves dangerously vulnerable to new kinds of threats. Hackers and BYOD and Cloud — Oh My! Hackers have upped their game(s) of late, using social networks like LinkedIn to gather information on key executives that they then exploit in ways that firewalls and intrusion detection systems can’t detect. More sophisticated threat management and modeling systems can help — but only if you deploy them. Corporate data made vulnerable by BYOD contributes to the already substantial insider threat (sometimes malicious, sometimes innocent mistake) when mobile security strategies and policies are inadequate or nonexistent. And the rush to cloud services — now used by 47% of respondents in the PwC/CIO/CSO survey — often outpaces cloud governance, and this can leave organizations exposed to legal liability should employees’ bad habits on their devices result in theft of trade secrets or confidential data. Something to be Thankful For It all adds up to an enormous behavioral shift not just by the bad guys but also by employees (BYOD) and business units (cloud services) — and your security stance needs to adapt accordingly. The good news is that it’s getting easier to take measures in response to both the current and forthcoming crop of threats — without busting your budget. Here are 10 information security best practices that can make all the difference: Based on internal and external risk assessments, craft — in writing — an organization-wide security policy with which employees and third parties must comply and that you regularly review and update Establish an ongoing data-privacy monitoring process overseeing privacy, security, confidentiality and integrity of electronic and paper records Make sure your business-critical data and apps are backed up (remotely and locally) and recoverable Create a business continuity plan that you regularly test and update Minimize collection and retention of personal information and impose physical access restrictions on records containing personal data Create an accurate inventory of where/how employees’ and customers’ personal data is collected, transmitted and stored (including all third parties) Commit to maintaining strong prevention, detection and encryption technology safeguards Conduct personnel background checks Establish an employee security awareness training program Be thankful that you don’t have to do it alone — a trusted, experienced technology partner can help you conduct risk assessments, develop a cost-effective security policy and implement the programs you need as well as manage service/platform/vendor selection, contract negotiations, support and personnel acquisition.