We’ve discussed the costly impacts of a data loss in Where’s Your Data? and began talking about a Cyber Breach Response plan last month. Additionally, future Tips will provide more detail on how to protect your business from problems, hassles, and lawsuits. Once you have identified a risk, the first risk management step is always prevention.
There are two major areas to focus your attention on if you want to prevent the costs and hassle of a data breach: employees and passwords. Most business owners don’t realize the importance of these very fixable flaws.
A recent IT Managers survey surprisingly reported that 78% of data loss came from negligent and careless employees who were not following company policies. Personal devices and cloud storage both had significant, negative impacts.
- Employee policies, training, reminders, and enforcement are where you should start.
- Brainstorm about how mistakes happen, such as email auto-fill, and about other recent hacking attempts employees have seen.
- Beware of “free” offers and strange emails from “friends.”
- Discuss personal email received on company computers – this and social media messages are how phishers get into corporate databases.
- Make sure everyone understands how mistakes can be disastrous.
Weak and shared passwords were the second biggest culprit.
- Again, employee policies, reminders, and enforcement are needed.
- Automate password expiry so that passwords must change every 90 days.
- Mandate “strong” passwords – use available websites to test their strength.
- No sharing! Ever!
Additional protection tactics:
- Regular, automatic software updates.
- Segregated databases, with passwords and encryption for sensitive data.
- Regular virus and malware updates, and complete scans.
- Robust firewalls – both hardware devices and software.
- Highly protected office Wi-Fi, and policies about use in public areas.
- Automatic offsite back-ups – real-time/daily/weekly.
Call Charles for a no obligation discussion about your concerns and questions.
We humans have an ingrained “It won’t happen to me” attitude, as well as a head-in-the-sand reaction to things we don’t – or don’t want to – fully understand. It’s part of our nature.
However, there are millions of cyber-incidents every day in the U.S. – yes, millions per day! And any one of them could happen to you. Hackers stole personal information from 110 million accounts in 2014. And it’s not just focused on large government agencies or mega-corporations. Human/employee error was responsible for 96% of successful data breaches – either responding to phishing emails or the free iPad offers, or just sending out sensitive data to the wrong email addresses. And 25% of data breaches are from paper files.
As you can see, no one is exempt.
The costs can be significant – they include:
- Business downtime, distraction and the cost of ruined hardware and software
- Reputational damage impacting customer trust and continued shopping
- Fines and penalties by the FTC and the Department of Health and Human Services (HHS).
An Idaho hospice was fined $50,000 by HHS’s Office for Civil Rights for the loss of fewer than 500 patient records. They had no policies or procedures for securing the mobile devices (laptops) that contained HIPAA records.
So businesses must consider a data breach as almost inevitable: it will happen to you!
You need a Response Plan
There are five basic steps to create a simple, practical plan:
- Prevention is always the risk manager’s first step – let’s do everything reasonable to prevent a data breach from happening. This means cyber and data security and employee training.
- Recognition that a breach has been attempted or has already occurred is something many small and mid-sized organizations miss.
- Notification must be handled quickly to avoid fines, and accurately to minimize costs. You need immediate access to a specialist privacy attorney and competent forensic computer analysis people.
- Protection for customers, clients and employees is key to avoiding lawsuits and making victims feel cared for.
- Communication must be ongoing after any major incident to close the loop and restore confidence with customers, regulators and employees.
Future RiskSmart Tips will dig deeper into these five steps with more detailed help.
Cost-Benefit
Your Plan doesn’t have to be elaborate, but having these steps mapped out is a proven best practice. There are myriad examples of companies – large and small – who dropped the ball and got themselves in significant financial difficulty.
- You must respond quickly – to all your audiences: employees, clients, regulators.
- In a potentially chaotic situation a planned response is one that works.
- A response plan makes you look organized and professional – not up the proverbial creek without a paddle.
Call or email with questions or for no obligation help getting started.