As phishing and other social engineering scams become more commonplace and sophisticated, the human factor often is the weakest brick in the walls of a company’s information security.
Consider this statistic from a recent cybersecurity study: The average employee will click on one out of every 25 malicious messages. A layered strategy that includes firewalls, antivirus software, and encryption is all for naught if an employee clicks on a phishing link that gives a hacker the keys to the vault: unrestricted access to the corporate network.
Most businesses store or access a virtual treasure trove of data about employees, customers, and vendors. These stakeholders expect businesses to guard their personal information as if it were their own, and businesses should strive to instill that sense of personal responsibility throughout the entire organization.
Are Employees Guarding Personally Identifiable Information (PII)?
Accessing, working with, and storing this sensitive information is a great responsibility, and every individual who touches this information must take steps to protect it. The first step is to understand what information the business stores or accesses, from employee email addresses and passwords to social security numbers to healthcare claims data.
This information is alternately known as personally identifiable information (PII), personal private information, or personal private data. Regardless of the term used, the bottom line is that this information is not publicly available, and it can be used to steal an individual’s assets or identity.
What is at Risk?
Trust is the currency upon which businesses run, and breaches that become public can seriously damage a company’s reputation. The growing list of organizations that have fired executives in the wake of data breaches—from Target to Sony Pictures Entertainment to Ashley Madison—shows that the consequences can be dire for those who are deemed responsible for security lapses.
Forrester Research predicted that three out of five brands would discover a breach in 2015. Once a breach has occurred, regaining control of the information can be a daunting task that entails:
• Credit reporting for customers whose information was breached.
• Reporting in compliance with service-level agreements, non-disclosure agreements, and other contracts.
• Regulatory reporting requirements, such as state-level breach disclosure laws.
These reporting requirements can be expensive and time-consuming—on top of the potential loss of current and future business, and the cost of tightening information security controls. While the damage typically is much worse for the individual whose information was exposed, the financial and reputation damage for a business that is breached can be pervasive.
Creating a Cybersecurity Employee Culture of Vigilance
So what can business owners and executives do to instill a culture where everyone acts as a responsible steward of personal private data?
• Establish an appropriate tone at the top. Employees at every level—from the CEO to every part-time employee—must take data security seriously. At every opportunity, the top executive should make it clear that being a good steward of personal data is just as important as being a good steward of someone’s money or other valuables.
• Adopt company-wide policies. Every business should implement and update:
b. A policy detailing how employees can access systems that contain personal private data. This policy should include guidelines for strong passwords.
• Strengthen internal controls. Data security requires constant vigilance. Businesses must monitor and review controls (or lack thereof) that protect personal private data at each “touchpoint”—where people or information systems store or process that data. Then, they should implement a remediation strategy to correct any control deficiencies. Investing time and money to regularly monitor and test controls drives home the point that long-term security trumps short-term convenience.
• Reinforce the human firewall through training. The best technical controls in the world are only as effective as the people who use them. Employees who have access to, transmit, or store personal private data must understand what they must do to protect it and what to do if a breach is suspected. They will need cybersecurity training on common threats, such as email phishing, and on how to prevent a breach through proper use of email and encryption.
• Prepare for the worst. There are two types of companies: Those that have been breached, and those that do not yet know that they have been breached. Training must go beyond how to prevent a breach with technical controls to include what an individual should do when a breach is suspected or discovered. Companies should also put in place a company-wide communication plan that includes contractual and regulatory reporting obligations in the wake of a breach. For example, if sales managers notice suspicious activity suggesting a breach, to whom should they report that activity?
• Be ready to act quickly. A full incident response plan is an essential part of that preparation. A quick and appropriate response to a minor data breach might prevent or mitigate the damage from a more serious breach.
Business leaders must take seriously their responsibility to protect the data entrusted to them. Making the necessary investments to create a culture of data security—though it will take money and time up front—can avert a far more costly data breach.
With expertise in data security, privacy regulations, and security best practices, CRI’s cybersecurity team can provide unbiased recommendations for risk mitigation strategies designed to protect your company. Contact us to schedule a consultation, and fortify your data stronghold.