A data breach occurs when personal information is collected, retained, accessed, used or disclosed in a way that does not comply with the enterprise's policies or with applicable privacy laws and regulations.
It does not matter whether the data was taken from an improperly protected corporate network or from memos tossed in the recycling bin instead of being shredded. If customer information has been disseminated without the customer's knowledge and consent, a data breach has occurred, and in 40 states the law requires the company to notify every current and potential customer, employee and vendor affected by the incident. What constitutes a violation of good data security practice?
A file cabinet containing customer information left unlocked in an accessible area, a credit application form left out in the open, an after-hours order arriving by fax with personal information on it: all of these are violations, as is a stolen computer or a lost flash drive carrying unencrypted files. There are many other places where a data breach can happen, and as a business owner it is your legal obligation both to keep this data secure and to make the required notifications if a breach occurs.
Data thieves have many ways of getting at your information, and the smarter ones attack from more than one angle: the employees, the computers, the network, even the building. Each of these vulnerable areas presents its own challenges.
The security systems and procedures in your building are the first line of defense against data thieves. Break-ins are a threat, as is a quick grab-and-run. Merchandise may be stolen as a cover for the theft of data. Security should be practiced both inside and outside the building, since 70% of data breaches are inside jobs.
Most business owners think about locks, access codes, video surveillance, fences and perhaps a night watchman. Many other security measures should be in place to protect against data breaches. The storage and transmission of documents, and control of access to them, have become very important: which files should be locked, who should have the combinations, where the files should be located, and so on.
The transmission of documents by printer, copier, fax, email and download is another area where a data breach can happen. Some companies have established secure fax rooms that only authorized personnel may enter, where faxes can be printed only after a security code is entered. Other companies have clean desk policies to ensure that no sensitive documents are left unattended, especially after hours.
Document disposal is another important area of data security. Many of the companies recently fined by the FTC over data breaches had their data compromised through improper disposal, e.g., an employee left documents in the recycling bin rather than shredding or burning them as the National Association for Information Destruction (NAID) guidelines suggest. Most companies need to place individual shredders throughout the office and/or provide secured containers for documents, which can then be handled by a document destruction company. Secured bins are the best way of ensuring that employees actually use them; it may be necessary to replace some existing trash or recycling containers with these document disposal bins.
When I attend security briefings, I commonly hear worst-case scenarios and data breach horror stories: employees with criminal records selling company data, janitors who are actually thieves casing the location, and more. Such cases do occur, but many companies lack the time or resources to run comprehensive background checks on new hires and put intensive security measures in place. Employee training is one of the most effective, and easiest to implement, methods of preventing a data breach.
We already know that 70% of data breaches originate inside the company; of these, half are due to negligence or carelessness by employees who have not been trained in security. Thieves can easily trick an untrained employee into handing over personal information, especially a new hire who is unaware of company procedures.
There should be regular, compulsory security training sessions for every employee. The cost of lunch for a meeting can prevent incidents that cost your company millions of dollars. Security experts can be brought in to explain to your employees what to watch out for. Your local police department may also be a good source of information on the tactics data thieves are using.
Remember that computers are rarely stolen for the hardware itself; it is the data that thieves are after. A flash drive can copy all of the important files from a computer and be smuggled out with ease. Instant messaging (IM), email and wireless networks all pose hazards to your company's data security.
Encrypting sensitive files, cabling computers down so they cannot be easily carried off, disabling USB ports on workstations and other computer security practices all help. But to best protect your company, your security strategy should be proactive rather than reactive.
IT managers know these and many other security measures, but the threats in the IT field are ever-changing. An outside computer and network security specialist should be brought in to evaluate your security; afterwards, company management and the IT manager should work together to resolve any vulnerabilities found.
Having all of your computers communicate with each other, remote access to certain machines, network printing and fax capabilities: all of these have greatly increased workplace productivity while at the same time bringing many new threats to corporate security. Backdoors, open ports and other weaknesses can mean unauthorized access to the data, your data. When you commission a third-party analysis of your computer security, it should always include your network. Today's technology makes it more important than ever to stay on top of what goes in and out of your network, and your IT department and security personnel should work closely together to ensure the safety of your sensitive data.
Your IT and security departments, working together, can keep employees from using another's access code to get onto the network. IT can block logons by employees who have already left the building, video surveillance and computer monitoring can be switched on to find out who is accessing a computer, and IT can also limit employees' access to certain times and days.
As networks grow more sophisticated, special tools are needed to watch for vulnerabilities in these vital systems. The value of bringing in outside security specialists to analyze your security measures cannot be overstated; these professionals can help your IT staff find breaches faster and identify whose prying eyes are looking at your files.
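Two of the controls just mentioned, restricting logons to permitted days and hours and catching one employee using another's access code, can be checked from the logon records the IT department already collects. The script below is an added example, not code from the original article: it runs over a small set of constructed logon/logoff events (a simplified one-line-per-event format invented for this illustration) and flags logons outside a hypothetical weekday 07:00 to 19:00 policy, as well as any account that starts a session on a second workstation while still active on the first, which is what a borrowed access code looks like in the logs. Sessions with no logoff record (a crash, a pulled plug) are expired after a configurable maximum so a single missing logoff does not cause an endless stream of false positives.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events for this example; not taken from any real system.
# Format: <ISO-8601 timestamp> <user> <host> <logon|logoff>
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice ws-101 logon
2024-03-04T09:15:40 bob ws-117 logon
2024-03-04T10:30:05 alice ws-204 logon
2024-03-04T12:00:00 alice ws-101 logoff
2024-03-04T17:45:00 alice ws-204 logoff
2024-03-04T18:20:00 bob ws-117 logoff
2024-03-06T22:47:33 carol ws-099 logon
2024-03-06T23:10:02 carol ws-099 logoff
2024-03-09T10:00:00 bob ws-117 logon
2024-03-09T11:00:00 bob ws-117 logoff
"""

# Hypothetical policy: weekdays only (Mon=0 .. Fri=4), 07:00 to 19:00 local time.
# Per-user overrides go in USER_WINDOWS; anyone not listed gets DEFAULT_WINDOW.
DEFAULT_WINDOW = {"days": {0, 1, 2, 3, 4}, "start": time(7, 0), "end": time(19, 0)}
USER_WINDOWS = {}

# Sessions older than this with no logoff are treated as ended (assumed limit).
MAX_SESSION = timedelta(hours=12)


def parse_events(text):
    """Turn the log text into a time-ordered list of (timestamp, user, host, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    events.sort(key=lambda e: e[0])
    return events


def is_permitted(ts, window):
    """True if ts falls on a permitted weekday and inside the permitted hours."""
    return ts.weekday() in window["days"] and window["start"] <= ts.time() <= window["end"]


def find_after_hours_logons(events, user_windows=USER_WINDOWS, default=DEFAULT_WINDOW):
    """Return (user, host, timestamp) for every logon outside the user's window."""
    hits = []
    for ts, user, host, action in events:
        if action == "logon" and not is_permitted(ts, user_windows.get(user, default)):
            hits.append((user, host, ts.isoformat()))
    return hits


def find_concurrent_sessions(events, max_session=MAX_SESSION):
    """Return (user, existing_host, new_host, timestamp) for each logon that starts
    while the same account is still active on a different host.

    One identity cannot sit at two workstations at once, so this is the signature
    of an employee using someone else's access code.
    """
    active = defaultdict(dict)  # user -> {host: logon timestamp}
    hits = []
    for ts, user, host, action in events:
        # Expire sessions whose logoff was never recorded.
        for stale in [h for h, t0 in active[user].items() if ts - t0 > max_session]:
            del active[user][stale]
        if action == "logon":
            for other in [h for h in active[user] if h != host]:
                hits.append((user, other, host, ts.isoformat()))
            active[user][host] = ts
        elif action == "logoff":
            active[user].pop(host, None)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in find_after_hours_logons(evs):
        print("after-hours logon:", hit)
    for hit in find_concurrent_sessions(evs):
        print("same account on two hosts:", hit)
```

On the sample data the after-hours check flags carol's Wednesday 22:47 logon and bob's Saturday logon, and the concurrency check flags alice starting on ws-204 at 10:30 while her ws-101 session is still open. Real workstation logs carry timezones and event IDs rather than this toy format, and a user with a legitimate second machine (a laptop and a desktop) needs an exception list, but the logic is the same.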
While I have discussed each area of vulnerability separately, security must be an overall effort aimed at securing every part of your business. Each part of your security system should integrate with the others, and data should be shared among them.
Some security measures seem expensive and without obvious value; however, if a breach occurs because of a lack of security, the company could be out far more money later.
Here are a few things to consider before rejecting a security budget.
1. How much have you spent on marketing and advertising to acquire your current customer base? After a breach you will lose 31% of your customers overnight. Is the loss of 31% of your current sales greater than the cost of implementing proper security measures?
2. How much does your company spend on marketing efforts to attract new business? After a breach, many prospects will simply stop taking your calls.
3. How much has management spent on branding and launching new products and services to remain competitive in your sector? After a breach, new product releases will have to be put on hold while management focuses on damage control and re-establishing trust with clients.
These and many more direct and indirect costs caused by a lapse in security are why the average loss a company suffers after a data breach is $6.3 million.
Finally, remember the five walk away points:
1. Protect documents with locked cabinets and shredders.
2. Have ongoing security training for all employees.
3. Bring in specialists to analyze corporate security.
4. Lock down electronic data with encryption, authentication tokens and IT monitoring.
5. Integrate security departments with each other so that information can be shared.
“May your data always be secure, and your identity be your own.”