
5/10/24, 10:56 AM Preventing a Data Breach | NSF


Preventing a Data Breach



What steps have you implemented to prevent a data breach?
By Joseph Pelukas – Senior Director of Information Technology at NSF, Jenny Trotta –
Principal of Cybersecurity at Plante Moran, and Haley Glass – Digital Account Executive
at NSF
Is your company data adequately protected? Is your Incident Response Plan up to scratch?
If you are struggling to answer these questions, read on to discover the most common
causes of data breaches, and some steps you can take to help protect your company’s
data, including the importance of regularly reviewing and testing your Incident Response
Plan.

Exposing the ‘B’ word – what is a data breach?

https://www.nsf.org/knowledge-library/preventing-data-breach 1/8

The formal definition of a data breach is any incident in which your organization’s sensitive or
protected information is accessed, disclosed, or obtained by an unauthorized person.
The word ‘breach’ is often overused, though, and should not be used casually. In the world
of cybersecurity we generally use the terms ‘events’ and ‘incidents’ until a breach is
confirmed. Usually it is the company’s legal team that determines whether a data breach has
occurred, since where the company’s data is located will have a bearing on which laws and
regulations apply, and therefore on whether and whom you must notify.

Phishing remains the most common cause of data breaches
Despite the vast amount of information available on phishing, it’s still the most common
cause of data breaches.[1]
Phishing attacks are becoming increasingly sophisticated. There are now far fewer spelling
errors than we saw in phishing emails in the past, and with advances in Artificial
Intelligence (AI), emails look ever more convincing. So vigilance remains key, and we always
advise clients to scrutinize the content of emails and the actions they’re being asked to
take: who the message is really from (the address, not just the display name), where a link
actually leads, and whether the request creates urgency around credentials or payments.
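The checks above can be automated as a first-pass filter. The following Python script is an added example and is not code from the NSF article or its authors: it compares the sender’s display name with the real sender address, checks whether replies and bounces are routed to a different domain than the visible sender, reads the receiving mail server’s SPF/DKIM/DMARC verdicts from the Authentication-Results header, and inspects links whose visible text points somewhere other than their real destination. The message at the bottom is a constructed sample; every domain, host and address in it is a placeholder.

```python
"""Phishing indicator checks over a raw RFC 5322 message. Added example, not code
from the NSF article; every domain, address and message below is a constructed placeholder."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

AUTH_FAILURES = ("fail", "softfail", "permerror")


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels ('login.microsoft.com' -> 'microsoft.com'). Assumption: no
    public-suffix list, so 'example.co.uk' would collapse to 'co.uk'."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""

def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def looks_like_host(text):
    """Anchor text that is itself a URL or bare domain, which readers take for the destination."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://")) or bool(re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", t))

def phishing_indicators(raw_message):
    """Return (code, detail) findings for one raw message; [] means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addr_domain(from_addrs[0].addr_spec) if from_addrs else ""
    display_name = from_addrs[0].display_name if from_addrs else ""
    # 1. Display name cites a domain other than the real sender domain.
    for token in re.findall(r"(?:[\w-]+\.)+[a-z]{2,}", display_name.lower()):
        if registrable(token) != registrable(from_domain):
            findings.append(("display_name_domain_mismatch", f"display name cites {token}, address is @{from_domain}"))
    # 2. Replies or bounces go to a domain other than the visible sender's.
    for header, code in (("Reply-To", "reply_to_mismatch"), ("Return-Path", "return_path_mismatch")):
        dom = addr_domain(parseaddr(str(msg[header] or ""))[1])
        if dom and registrable(dom) != registrable(from_domain):
            findings.append((code, f"{header} is @{dom}, From is @{from_domain}"))
    # 3. SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if verdict in AUTH_FAILURES:
            findings.append((f"auth_fail:{mech}", f"{mech}={verdict}"))
    # 4. Links: IP-literal hosts, punycode lookalikes, visible text naming another site than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = host_of(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append(("link_ip_literal", href))
            if any(label.startswith("xn--") for label in host.split(".")):
                findings.append(("link_punycode", href))
            if looks_like_host(text):
                shown = host_of(text if "://" in text else "http://" + text)
                if registrable(shown) != registrable(host):
                    findings.append(("link_text_mismatch", f"shows {shown}, goes to {host}"))
    return findings

# Constructed sample: lookalike sender, diverted reply path, failed SPF/DMARC,
# and links whose visible text does not match their destination.
SUSPICIOUS = "\n".join([
    'From: "Microsoft 365 Support <security@microsoft.com>" <alerts@m1crosoft-support.example>',
    "Reply-To: helpdesk@mail-recovery.example",
    "Return-Path: <bounce@mail-recovery.example>",
    "Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail",
    "Subject: Urgent: your password expires today",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Your password expires in 24 hours. <a href="http://203.0.113.5/login">https://login.microsoft.com</a>'
    ' to keep access, or use <a href="https://xn--micrsoft-5xa.example/reset">our secure portal</a>.</p>',
])
```

Run `phishing_indicators(SUSPICIOUS)` and the sample produces eight findings. Treat the output as triage input for a human, not a verdict: a message with no findings can still be phishing (mail sent from a compromised but legitimate mailbox passes every one of these checks), and the registrable-domain helper ignores public suffixes such as co.uk.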
In addition to phishing, we’re also seeing a large number of ransomware attacks, in which
attackers encrypt devices and demand money in return for restoring access. But of course
attackers are not only seeking a ransom payment: they also target the financial information
of individuals whose identity they can steal in order to obtain credit cards and even take
out mortgages.
Other types of data increasingly being targeted may surprise you. In recent times we’ve seen
health data protected under HIPAA targeted as fraudsters look to obtain prescriptions, or
even more expensive medical services, such as cosmetic surgeries.
The consequences of cyber-attacks are huge, not only financially but in terms of
reputational damage too.

Between March 2022 and March 2023 the average total cost of a data breach for a
U.S.-based organization was an eye-watering $9.5M.[2]
Steps to help prevent a data breach
With the stakes so high, what can organizations do to help protect their data?
There is a huge amount of information available online, including via AI applications,
documenting various steps an organization can take to help safeguard their data. The key is
operationalizing these steps!


There is no magic formula to prevent a data breach, but there are a lot of overlapping
controls that can be put in place to help.
Here are our experts’ top tips for helping you protect your company’s data and assets.
Create an asset inventory – you need to know what systems, software, and data you
have in order to protect them.
Conduct a risk assessment – using the asset inventory, identify potential threats and
vulnerabilities for each asset, and assess the impact and likelihood of each. This gives you
a basis for prioritizing risk mitigation efforts.
Conduct internal phishing campaigns – knowing that phishing is the biggest cause of
cyber-attacks and that it relies on a staff member being tricked, it’s critical that all
organizations regularly train and test their team on spotting and reporting phishing
emails. Track the report rate as well as the click rate: a team that reports quickly gives
you time to contain the ones that do get clicked.
Keep systems patched and up to date – this may sound simple, and it may not always
be straightforward to execute without potential disruption to your systems, but it’s so
important to make sure your systems are patched and up to date. Segment any system
that can’t be updated and prioritize patch requests based on which systems hold the
most critical data, or are the most exposed and vulnerable.
Secure your websites – the padlock icon only tells users that the connection is encrypted
with TLS (the site uses https); it says nothing about who runs the site, and phishing sites
use https too. Make sure every site you operate serves https, redirects http to https, and
that any data you transmit or collect travels only over an encrypted connection.
Remember the internal risk - nobody likes to think about internal attacks, but they do
happen. History tells us that rogue employees can pose a huge risk.
Encrypt laptops – although most corporate policies require files to be saved in
designated server locations, the reality is that many employees still save documents to
their desktop. It only takes a colleague to be travelling and lose their laptop, and
anything saved on it is readable by whoever finds it unless the disk is encrypted.
Full-disk encryption (BitLocker on Windows, FileVault on macOS) turns a lost laptop into
lost hardware rather than a data breach.
Segment and secure your network – ensure your network and infrastructure are properly
secured and segmented, so that a compromised workstation cannot reach every server.
Adopt a ‘zero trust’ approach – don’t treat being on the corporate network as proof of
identity. Authenticate and authorize every access request (ideally with multi-factor
authentication), allow only authorized people onto your network, and give each person
access only to the systems and servers their specific role requires.
Remember physical security – physical security and information security go hand in
hand. Don’t forget to secure your physical assets, such as your premises, too.
Check your cyber insurance coverage – make sure it meets your organization’s needs
and will cover you in the event of a data breach, and check which controls the policy
requires you to have in place, since insurers commonly make coverage conditional on them.


Test your Incident Response Plan – this is critical preparation for your teams and
should be tested on a regular basis.
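Three of the tips above (the asset inventory, the risk assessment, and patching with segmentation for what can’t be patched) fit together as one triage step. The Python below is an added example, not code from the NSF article or its authors: a constructed inventory is checked against constructed advisories (the ADV- identifiers are placeholders, not real CVE or vendor numbers), each vulnerable system is scored by severity, internet exposure and the criticality of the data it holds, and systems that cannot be patched are flagged for segmentation instead of being silently skipped.

```python
"""Inventory-driven patch triage. Added example, not code from the NSF article.
Every host, product, version and advisory below is constructed; the ADV-
identifiers are placeholders, not real CVE or vendor advisory numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    data_criticality: int     # 1 = public, 2 = internal, 3 = regulated or sensitive
    internet_exposed: bool
    patchable: bool           # False for systems that cannot be updated


@dataclass(frozen=True)
class Advisory:
    ident: str                # hypothetical identifier
    product: str
    fixed_in: str             # first version containing the fix
    severity: float           # 0-10, CVSS-like


def version_key(version):
    """'2.10.1' -> (2, 10, 1). Compare numerically: as strings '2.10.1' < '2.9.4',
    so a string comparison would flag an already patched host as vulnerable."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset, advisory):
    return asset.product == advisory.product and version_key(asset.version) < version_key(advisory.fixed_in)


def risk_score(asset, advisory):
    """Likelihood (severity, doubled when reachable from the internet) times
    impact (criticality of the data the system holds)."""
    exposure = 2.0 if asset.internet_exposed else 1.0
    return round(advisory.severity * exposure * asset.data_criticality, 1)


def triage(inventory, advisories):
    """Rows of (host, advisory, action, score), highest risk first. Hosts that
    cannot be patched are marked 'segment' rather than dropped from the list."""
    rows = []
    for asset in inventory:
        for advisory in advisories:
            if is_vulnerable(asset, advisory):
                action = "patch" if asset.patchable else "segment"
                rows.append((asset.host, advisory.ident, action, risk_score(asset, advisory)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed inventory and advisories.
INVENTORY = [
    Asset("web-01", "webapp", "2.9.4", 2, True, True),
    Asset("db-01", "dbserver", "13.2", 3, False, True),
    Asset("hr-legacy", "webapp", "1.8.0", 3, False, False),   # vendor no longer ships updates
    Asset("kiosk-07", "webapp", "2.10.1", 1, True, True),     # already on a fixed version
]
ADVISORIES = [
    Advisory("ADV-0001", "webapp", "2.10.0", 9.8),
    Advisory("ADV-0002", "dbserver", "13.5", 7.5),
]

if __name__ == "__main__":
    for host, ident, action, score in triage(INVENTORY, ADVISORIES):
        print(f"{score:6.1f}  {action:8}  {host:10}  {ident}")
```

The ordering is the point: the internet-facing web server comes first even though the legacy HR system holds more sensitive data, and the HR system appears as a segmentation task rather than vanishing because nobody can patch it. The weights are illustrative; what matters is that the inventory, the data classification and the advisory feed are all inputs to the same decision.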

Review your incident response plan annually


If you don’t have an Incident Response Plan or it’s been a while since you looked at it, now
would be a good time to develop one or revisit your existing one. We advise clients to
review their Incident Response Plan at least once annually. But having a plan is not enough.
You need to test it with all responsible personnel, via either a tabletop exercise or a real-life
simulation of an incident.
Can you confidently answer ‘yes’ to these questions?
Do you have a nominated incident response team?
Do they know what to do in the event of an incident?
Are they familiar with the team’s roles and responsibilities and communication protocols?
Do they know what procedures to follow if there is an incident or a breach?
Since time is of the essence in a real incident, and there may be regulatory procedures and
notification deadlines to follow, it’s crucial your teams know the role they play.
And of course after each test it’s best practice to evaluate lessons learned, so you can
focus on areas of improvement and update your Incident Response Plan accordingly.

What if you rely on a third party to protect your data and systems?
If you work with a third party provider, you may be wondering how you can ensure your
data is adequately secured.
You can ask your provider to demonstrate compliance with relevant standards or frameworks,
possibly via certification. Another option is to ask for a System and Organization Controls
(SOC) report; a SOC 2 Type II report covers the design and operating effectiveness of the
provider’s controls for security and, if in scope, availability and confidentiality, over a
period of time. Review the report to make sure its scope covers the services you have
contracted them to provide, check the period it covers and any exceptions the auditor noted,
and read the complementary user entity controls, which are the things the provider expects
you to do on your side. If they don’t have a SOC report, consider visiting the provider in
person to ensure they’re meeting service level agreements and securing your data
adequately. You can also issue them with a detailed security questionnaire. In this case,
don’t forget to ask them about their teams’ access to your systems and data. Who has
access, and what specifically do they have access to?

Key takeaways
If you rely on a third party to protect your data, ask to see evidence of compliance with
relevant standards or protocols, request a SOC report, issue them with a detailed
security questionnaire, or visit them in person.
Our experts have summarized their top three tips to help protect your organization’s
information security:
Be prepared
Conduct an inventory of data, systems and software
Train your teams and test your Incident Response Plan.
Remember, between March 2022 and March 2023 the average total cost of a data breach
for a U.S.-based organization was $9.5M.[2]
So, what steps have you implemented to prevent a data breach? Whatever your
organization’s cybersecurity posture, NSF is here to help.

About NSF CyberSecure


NSF CyberSecure, the policy builder, makes information security accessible. The platform
provides the first step in your company’s information security journey, building a strong
foundation based on the key elements of information security.
By implementing policies tailored to your organization, your teams have a solid foundation to
work from when managing and mitigating the risk of data breaches. NSF CyberSecure also
offers complimentary training to help equip your employees with some of the fundamentals
covered in this article.
NSF CyberSecure Offers:
An intuitive platform that provides real time feedback on your existing policies using
Artificial Intelligence (AI) technology
A policy builder function, which helps generate policies on demand
A repository for information security policies with robust version control
A cost-effective annual subscription, with the option of a free trial
Start your free NSF CyberSecure trial

NSF CyberSecure

Take your first steps on your Information Security journey with NSF CyberSecure, the
policy builder.

Learn more

Please note that any suggestions made in this article do not constitute consulting and following any of
these suggestions is not linked in any way to the granting of certification.

Sources
[1] www.verizon.com/business/resources/reports/dbir/
[2] www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/
