A data breach is when personal information is collected, retained, accessed, used or disclosed in ways which are not in accordance with the provisions of the enterprise's policies, applicable privacy laws or regulations.

It doesn't matter if the data in question has been taken from an improperly protected corporate network or from memos which have been tossed in the recycling bin rather than being shredded. If customer information has been disseminated without customer knowledge and consent, then there has been a data breach, and in 40 states the law requires that the company notify every current and potential customer, employee and vendor of the incident.

What constitutes a violation of good data security practice? A file cabinet left unlocked in an accessible area which contains customer information, a credit application form left out in the open, an after-hours order by fax carrying personal information - all of these are violations, as is a stolen computer or a lost flash drive carrying unencrypted files; you get the idea. There are many other potential areas where a data breach could happen, and it is your legal obligation as a business owner both to keep this data secure and to make notifications if a breach should occur.

There are many different ways data thieves can get at your information, and the smarter ones among them will attack from more than one angle: the employees, the computers, the network, even the building. Each of these vulnerable areas presents its own challenges.

The Building:

The security systems and procedures in place in your building form the first line of defense against data thieves. Break-ins are a threat you face, as is a quick grab-and-run operation. Merchandise may be stolen as a cover for the theft of data. Security should be practiced both inside and outside the building, as 70% of data breaches are inside jobs.

The majority of business owners think about locks, access codes, video surveillance, fences and perhaps a night watchman. There are many other security measures which should be implemented to protect against data breaches. The storage and transmission of documents have become very important, as has controlling access to them. Which files should be locked, who should be allowed to have the combinations to them, where they should be located and so on are all important concerns.

The transmission of documents by printers, copiers, faxes, email and downloads is another area where a data breach can happen. Secure fax rooms have been established by some companies, with only authorized personnel allowed to enter. Faxes can only be printed after entering a security code. Clean desk policies are in place at other companies to ensure that no sensitive documents are left unattended, especially after hours.

Another important area of data security concerns document disposal. A lot of the companies who have recently gotten into trouble over data breaches and been fined by the FTC had their data compromised by improper disposal - e.g., an employee left documents in the recycling bin rather than shredding or burning them as the National Association for Information Destruction (NAID) guidelines suggest. Most companies need to place individual shredders throughout the office and/or have secured containers for documents, which can then be handled by a document destruction company. Having secured bins for documents is the best way of ensuring that they are used by employees. It may be necessary to replace some existing trash or recycling containers with these document disposal bins.

Employee vulnerabilities:

When I am at security briefings, I commonly hear worst-case scenarios and data breach horror stories. For instance, stories about employees who have criminal records selling company data, janitors who are actually thieves casing the location and more. These sorts of cases do occur, but a lot of companies do not have the time or resources to do comprehensive background checks on new hires and put intensive security measures in place. Employee training can be one of the most effective, yet easy to implement, methods of preventing a data breach.

We already know that 70% of data breaches come from inside the company - of these, half are due to negligence or carelessness by employees who have not been trained on security. Thieves can easily trick an untrained employee into handing over personal information, especially new hires who are unaware of company procedures.

There should be regular compulsory training sessions on security for every employee. The cost of lunch for a meeting can prevent incidents costing your company millions of dollars. Security experts can be brought in to explain to your employees what to watch out for. Your local police department may also be a good source for information on tactics being used by data thieves.

Computer vulnerabilities:

Remember that computers are rarely stolen for the computers themselves; it is the data that thieves are after. A flash drive can copy all of the important files from a computer and be smuggled out with ease. Instant Messaging (IM), email and wireless networks all pose hazards to your company's data security.

Encryption of sensitive files, cables to prevent computers from being easily stolen, disabling USB ports on workstations and other computer security practices can help. But your security strategy should be proactive, not reactive, in order to best protect your company.

IT managers know these and many other security measures to follow, but the threats in the IT field are ever-changing. An outside computer and network security specialist should be brought in to evaluate your security. Afterwards, the company management and IT manager work together to resolve any vulnerabilities found.

Network vulnerabilities:

Being able to have all of your computers communicate with each other, having remote access to certain machines, network print and fax capabilities - all of these have greatly increased workplace productivity, while at the same time they have brought many new threats to corporate security. There are backdoors, open ports and other threats which can mean unauthorized access to the data - your data. When you have a third-party analysis of your computer security, this should always include your network.

Today's technology makes it more important than ever that you stay on top of what goes in and out of your network. Your IT department and security personnel should work closely together to ensure the safety of your sensitive data.

Your IT and security departments working together can keep employees from using another's access code to get onto a network. IT can prevent logons by employees who have already left the building. Video surveillance and computer monitoring can be switched on to find out who is accessing a computer. IT can also limit employees' access to certain times and days.

With the increasing sophistication of networks, special tools are needed to watch for vulnerabilities in these vital systems. The value of bringing in outside security specialists to analyze your security measures cannot be overstated. These professionals can assist your IT staff in finding breaches faster, as well as identifying whose prying eyes are looking at your files.

Vulnerabilities Conclusion:

While I have been speaking of each area of vulnerability separately, security must be an overall effort which aims to secure every part of your business. Each part of your security system should integrate with the others. Data should be shared amongst these components.

There is security which seems to be expensive and without obvious value; however, if a breach occurs through a lack of security, the company could be out far more money later.

Here are a few things to consider before rejecting a security budget.

1. How much have you spent on marketing and advertising to acquire your current customer base? After a breach you will lose 31% of your customers overnight. So is the loss of 31% of your current sales greater than the cost of implementing proper security measures?
2. How much does your company spend in marketing efforts to attract new business? After a breach many prospects will simply stop taking your calls.
3. How much has management spent on branding and launching new products and services to remain competitive in your sector? After a breach, new product releases will have to be put on hold as management focuses on damage control and reestablishing trust with clients.

These and many more direct and indirect costs can be caused by a lapse in security, which is why the average loss a company suffers after a data breach is $6.3 million.

Finally, remember the five walk away points:

1. Protect documents with locked cabinets and shredders.
2. Have ongoing security training for all employees.
3. Bring in specialists to analyze corporate security.
4. Lock down electronic data with encryption, authentication tokens and IT monitoring.
5. Integrate security departments with each other so that information can be shared.

"May your data always be secure, and your identity be your own."