In Florida, a healthcare provider was recently sued over a data breach. The outcome of the case mandated these specific precautions:
- Security awareness and training programs for all employees
- Training on laptop use and security
- Additional security, including GPS tracking, on all laptops
- New password rules, and full disk encryption on all equipment
- Physical security upgrades at all offices
- Updated written security policies and procedures
But wait! Aren’t these the security measures all organizations with sensitive personal data need to take in the first place? It’s 2014 and security breaches are everywhere. But do you know where your data is?
Where are the big gaps?
With hackers moving at the speed of light, “gaps” can be anywhere.
- Employee data – personal, financial and health
- Customer credit card data that is kept for “convenience”
- Passwords may be weak and vulnerable
- Shared data – perhaps with a consultant, or an outside marketing or IT service firm
- Confidentiality promises in contracts with clients
- Road warriors using public Wi-Fi – with personal devices
- Archived data, often forgotten, in the bowels of your computers
More than 50% of small and mid-sized U.S. businesses have had at least one data breach. Hackers want confidential data they can sell and they know how to get it.
What to do?
Well, let’s start with the six steps listed above:
- Training employees is number one: what counts as personal information, how to recognize phishing emails – even ones that appear to come from friends – and how to keep personal and business email separate.
- Security software – and hardware, like firewall devices – must be continually updated.
- Passwords are a classic weak link – insist on new ones every 90 days. (If you have too many, use a password manager program.)
- Lock up all servers, encrypt all data, prevent USB downloads when no one is looking, and explain to employees why these steps are needed.
- Update data retention/destruction policies and get rid of obsolete, potentially dangerous, data and files.
Call me (510-685-3883) or email (firstname.lastname@example.org) if you would like a clarifying, no-obligation discussion about how to get this done. RiskSmart Solutions can help if you need assistance.