This blog is part of our Tribridge Cloud Playbook series, which is designed to help IT professionals proactively address common business disruptors. The rest of the blogs in the series and the entire Cloud Playbook are available for download.
High-profile data breaches are casting shadows over more and more companies and industries. With big names such as Target, Anthem and JP Morgan Chase all suffering spectacular breaches in the last few years, it can seem as though no company's data is safe. Perhaps worse, these large breaches tend to affect entire industries at once. Target’s breach, for example, cast suspicion across all retailers, not just Target.
As a result, even companies that have yet to experience a data breach often find themselves under pressure when another company in their industry is implicated. This pressure can come from the media, but it's equally likely to come from senior management – in the wake of a crisis, they will be eager to prove that their company's system does not suffer from the same flaws as their competitor's. In this way, a security breach at a competitor can quickly translate into an audit of your internal IT infrastructure.
The odds are good that your company will find itself in this scenario over the next couple of months or years. An estimated 71% of companies experienced at least one successful cyber-attack in 2014. And, as more and more critical customer data is stored digitally, this type of crime will only become more lucrative and, therefore, more attractive. Certain industries, such as healthcare, are particularly at risk as digital transformation occurs more rapidly and security expertise struggles to keep pace.
To prepare for this, companies must start working on their security response plans now, including the compliance obligations of their industries. Increasingly, this is an inflection point that prompts many businesses to look to the cloud. Not every cloud provider applies the rigor needed to meet the compliance requirements of industries such as healthcare, financial services or government, but many do; ask for documentation. To the businesses subject to them, compliance frameworks such as SOC, PCI, HIPAA and SOX are onerous and potentially costly. But they needn't be.
Cloud providers can and should cover all bases related to compliance. In fact, many businesses learn about compliance requirements from their cloud provider, and that's a good thing. This helps mitigate risk comprehensively – experts with deep knowledge of your industry will leave no stone unturned. And this starts with rigorous planning that goes beyond just securing your perimeter and checking the boxes for compliance. At the very least, your plan should also include how you'll respond to the following:
- A data breach at a related company in your industry
- Pressure from senior management to demonstrate that your existing infrastructure is secure
- Requests from clients/customers to ensure that their data is still safe
- An audit from an industry regulator
Your plan should also include detailed information on all of your on-premises and cloud infrastructure assets, the responsibilities of each and how they interact. Most importantly, it should outline any infrastructure changes that may occur as a result of increased scrutiny – migrating infrastructure to a managed cloud, for example.
Planning your responses well in advance of an event should be considered a critical part of damage reduction. In fact, working through a cloud provider gives you damage prevention as well. After all, a poor response to a data breach can often do as much damage to a company as the breach itself, or more.
For more solutions to potential pitfalls that lead to sub-optimal IT infrastructure decisions, check out the Tribridge Cloud Playbook.