Cyber security: it’s not if, but when
In 2003 the Security Rule was enacted by the Department of Health and Human Services, setting standards for the security of electronic protected health information. Six years later Massachusetts filed regulations to protect the personal information of residents of the Commonwealth. In 2015 the Federal Trade Commission's suit against Wyndham Worldwide Corporation over its lack of data security was upheld on appeal; the breaches at issue led to millions of dollars in fraudulent charges on consumers' cards, and hundreds of thousands of consumers' payment card account records were exported to a domain registered in Russia. This year alone, Target, Sonic, and Equifax all had security breaches, compromising millions of consumers' private information.
Breaches, incidents, and events
An event is defined as “any observable occurrence in a system or network,” according to the National Institute of Standards and Technology (“NIST”).
An incident is "an event that violates an organization's security or privacy policies involving sensitive information such as Social Security numbers or confidential medical information." Incidents range from something as small as a lost thumb drive up to what are known as "sophisticated data attacks."
A data breach is “a security or privacy incident that meets specific legal definitions as per state and federal breach laws.”
What does it all mean?
Events happen all the time. On any day, at any time, you can assume that someone is scanning your network. As an organization, it is your job to take reasonable precautions against incidents and breaches. According to a Small Business Trends survey, 48% of security breaches originated with a negligent employee or contractor. Web-based and phishing attacks are the most common.
Maybe you're like other small businesses and don't think to allocate a budget to risk management. Any data can be valuable data, and is therefore worth spending money to protect. Does your company store any personal information?
- Social security numbers
- Health records
- Phone numbers
- Billing addresses
- Credit card information
If you store any of the above information, or more, it is time to start thinking ahead. Below is a non-exhaustive list of steps to protect your information. Begin with a cybersecurity program that keeps growing as you see fit; there is no one-size-fits-all list for businesses. Adapt it to your particular business and to the products and services you offer to your customers.
Inventory: Identify all confidential data in your network. For each item, assess the risk that unauthorized people can gain access to it and record where it lives (network share, cloud service, portable media, etc.).
Restrict access: Who absolutely needs access to it? Not everyone needs access to everything. Perform internal access reviews and remove every grant to confidential information that is not required. Create security groups to control all access to the information; then grant access to the groups instead of to individuals, so that reviews and removals happen in one place.
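As an added example (not code from the original article), the following Python access review shows what the inventory and restrict-access steps look like in practice. The data stores, ACLs, group memberships and need-to-know list are constructed sample data, not a real environment. The script expands groups into effective users, flags direct user grants that should be replaced by group grants, flags groups whose membership exceeds the people who actually need the data, and turns the findings into a remediation list.

```python
"""Access review over a constructed inventory of confidential data stores.

Added example, not code from the original article. Every store, user and
group below is constructed sample data for illustration.
"""

# Constructed inventory: each confidential data set and where it lives.
INVENTORY = [
    {"store": "hr-share\\payroll", "location": "network", "data": ["ssn", "bank"]},
    {"store": "s3://acme-billing", "location": "cloud", "data": ["card", "address"]},
    {"store": "usb-finance-01", "location": "portable", "data": ["ssn"]},
]

# Constructed ACLs: who currently has access to each store, by user or group.
ACLS = {
    "hr-share\\payroll": [("group", "hr-payroll"), ("user", "jdoe"), ("user", "intern2")],
    "s3://acme-billing": [("group", "billing"), ("group", "all-staff")],
    "usb-finance-01": [("user", "cfo")],
}

# Constructed group memberships.
GROUPS = {
    "hr-payroll": {"hrlead", "jdoe"},
    "billing": {"cfo", "ar-clerk"},
    "all-staff": {"hrlead", "jdoe", "intern2", "cfo", "ar-clerk", "sales1"},
}

# Constructed need-to-know list: the people who actually require each store.
AUTHORIZED = {
    "hr-share\\payroll": {"hrlead", "jdoe"},
    "s3://acme-billing": {"cfo", "ar-clerk"},
    "usb-finance-01": {"cfo"},
}


def effective_users(store):
    """Expand group grants so we see every individual who can reach the store."""
    users = set()
    for kind, name in ACLS.get(store, []):
        if kind == "user":
            users.add(name)
        else:
            users |= GROUPS.get(name, set())
    return users


def audit():
    """Per store: direct user grants, users with access but no documented need,
    and groups whose membership is broader than the need-to-know list."""
    findings = {}
    for item in INVENTORY:
        store = item["store"]
        authorized = AUTHORIZED.get(store, set())
        direct = sorted(n for k, n in ACLS.get(store, []) if k == "user")
        excess = sorted(effective_users(store) - authorized)
        over_broad = sorted(
            n for k, n in ACLS.get(store, [])
            if k == "group" and not GROUPS.get(n, set()) <= authorized
        )
        findings[store] = {
            "location": item["location"],
            "direct_user_grants": direct,
            "excess_users": excess,
            "over_broad_groups": over_broad,
        }
    return findings


def remediation(findings):
    """Turn findings into concrete actions for the access review."""
    actions = []
    for store, f in findings.items():
        for u in f["direct_user_grants"]:
            actions.append(f"{store}: replace direct grant for {u} with a group grant")
        for g in f["over_broad_groups"]:
            actions.append(f"{store}: remove over-broad group {g}")
        for u in f["excess_users"]:
            actions.append(f"{store}: {u} has access without a documented need")
    return actions


if __name__ == "__main__":
    for line in remediation(audit()):
        print(line)
```

Run on the sample data, the review finds that the billing bucket is reachable by every member of all-staff, that the payroll share carries two direct user grants plus an intern who never needed it, and that the one USB device has a direct grant to migrate to a group. Replace the constructed dictionaries with exports from your directory and file server or cloud IAM and the same logic applies.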
Passwords and encryption: Add an extra layer of protection by encrypting storage devices such as laptops, USB drives and optical media and protecting them with a strong passphrase. A password alone on an unencrypted device does not protect the data once the device is lost or stolen; the encryption is what matters.
Train your users: Nothing is more destructive than negligence on the staff side. All individuals must be aware of the risks of tasks such as opening attachments or clicking on links from unknown senders. Test your users as well, when possible, and reiterate how dangerous it is to ignore red flags in emails, on websites, etc. It could damage their equipment and, worse, the entire network.
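As an added example (not the article's code), here is a small Python checker for the kind of email red flags that user training should cover, run over a constructed phishing message. The sender domains, addresses and attachment name are made up for illustration, and the trusted-domain list is an assumption. It flags a lookalike sender domain, a Reply-To that routes replies to a different domain, link text that shows one host while the href points to another, and an attachment with an executable extension.

```python
"""Phishing red-flag checker over a constructed sample message.

Added example, not code from the original article. The addresses, domains
and attachment below are constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed: the organization's own mail domains.
TRUSTED_DOMAINS = {"acme.example"}
# Attachment extensions that commonly carry executable content.
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".iso", ".lnk"}

# Constructed phishing message, not a real capture.
SAMPLE_EMAIL = """From: "Acme Payroll" <payroll@acme-example-secure.com>
Reply-To: collect@mailbox.example
To: jdoe@acme.example
Subject: Action required: verify your W-2
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>
<p>Your W-2 is ready: <a href="http://198.51.100.7/login">https://hr.acme.example/w2</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="W2_2017.pdf.exe"
Content-Disposition: attachment; filename="W2_2017.pdf.exe"

MZ
--b1--
"""


def domain_of(header_value):
    """Extract the domain from an address header such as 'Name <user@dom>'."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def is_lookalike(domain):
    """True when an untrusted domain borrows a trusted domain's name."""
    return any(t.split(".")[0] in domain for t in TRUSTED_DOMAINS)


def link_mismatches(html):
    """Return (shown, actual) pairs where the visible URL's host differs from the href's host."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                out.append((shown, href))
    return out


def red_flags(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    if from_dom not in TRUSTED_DOMAINS:
        kind = "lookalike" if is_lookalike(from_dom) else "external"
        flags.append(f"{kind} sender domain: {from_dom}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        flags.append(f"Reply-To goes to a different domain: {domain_of(msg['Reply-To'])}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {filename}")
        if part.get_content_type() == "text/html":
            for shown, href in link_mismatches(part.get_content()):
                flags.append(f"link shows {shown} but points to {href}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print(flag)
```

The same four checks are what you want users to perform by eye: does the sender's domain really belong to us, where do replies go, where does the link actually point when hovered, and is the attachment something that can execute. A checker like this is no substitute for training, but it makes a useful teaching aid and a starting point for a mail-gateway rule.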
Patch your devices: All computers must be up to date, always, and not just computers: servers, switches, firewalls, and everything else that connects to your network should be up to date as well. Updates also apply to the antivirus software installed on your network. Extra layers of protection help; consider, for example, anti-spam, web filtering, DLP (data loss prevention), and intrusion detection.
Test your protection: It is always a good idea to hire external consultants to test your protection and see whether they can reach your information. The most popular test is the "pen test," short for penetration test, which identifies security vulnerabilities that a potential attacker could exploit. Other tests are available on the market as well, such as social engineering tests, which uncover weaknesses in the human network, for example people clicking on unknown links.
Note: An incident does not need to precede an investigation. A whistleblower complaint, for example, can trigger one.
So what happens next?
If you aren’t already taking precautions, it’s time to start. The government has a few resources that are free to use:
Cyber Resilience Review—a no-cost, voluntary assessment to evaluate an organization’s operational resilience and cyber security practices.
Critical Infrastructure Cyber Community Voluntary Program—a program that connects organizations with existing cyber risk management capabilities provided by the Department of Homeland Security (“DHS”), other government organizations, and the private sector.
Education is key. There are a lot of cybersecurity-related exercises and trainings available. You can visit the DHS website for more information.
Make sure you have a response plan. Set up a meeting with the CEO, CIO, HR Director, and other key players. Run a few tabletop exercises, because what your CEO thinks is a good plan and what your HR Director sees as a good plan may not always align. Everyone needs to be on the same page. Create a policy that is neither too short nor so complicated that no one will want to read through it. And always track and record everything: make it a point to have on file that you are having these discussions and making these plans. You'll be glad you did. Lastly, if you're still in doubt, our consulting professionals can look over your policies and procedures to make sure they're sound. Let us know how we can help.