In a recent article published by Attorney at Law Magazine regarding cybersecurity, the authors do a great job of pointing out five common-sense measures all businesses should be using to secure their data, but is anyone really listening? Data security measures are not something most business people appear to be considering in their daily operational routine, but they should be. It is rare that a day goes by without some sort of hack, leak, theft or loss associated with data, yet business professionals are still not engaging a new mindset called “breach acceptance.” The term is being coined by Gemalto, a leading maker of secure SIM cards and host of the Breach Level Index. It means, simply, the acknowledgment that a breach will happen.
Since best practices require a continuous effort toward security, businesses might be well-served to add five to 10 minutes of security review to the weekly routine or checklist. Even if it does not make it to the top of the list every week, the business will still be doing more than it was previously, and there will likely be a corresponding increase in awareness that could end up helping it avoid an embarrassing or costly situation. Over a 30-day period, a security-aware business should engage in breach acceptance and start by looking at four simple things:
- Who is “in-charge” of security, and do they know it as part of their job description?
- Who has access to PII (personally identifiable information) or PHI (personal health information)? And if the business handles any sort of PHI, it better be following HIPAA, HITECH and the progeny of security and privacy rules that go with them.
- Who performs regular training, re-training and auditing of security protocols, and are they keeping a record of how the system and culture are being maintained? It is not enough to have a list of procedures that no one ever heard of and no one is actually following.
- Physical Space
  - Where is data located and why is it there?
  - Is all data stored together, and are there multiple copies of the same data in multiple forms in multiple places? Knowing where data is located and how it is maintained is important if a business wants to reduce the risk of its exposure. When data is stored multiple times in many different forms, unless there is a compelling need to do so, a business may be exponentially increasing its risk through its own practices.
- How is data being accessed and when?
  - Does the business provide workstations?
  - Are there unique passcodes assigned, and who has access to them?
  - Do those passcodes change, and what happens when an employee leaves the business?
  - Does anyone in the workforce use their own computer, laptop, tablet or even a smartphone? Many businesses are not even aware that the workforce accesses business data on personal devices, so the question should be asked of all employees. IT personnel and software applications should be employed in some fashion, depending upon the data to be secured and the risk of breach. Since most businesses do not envision a breach until it happens, a data-aware enterprise must consider the possibility in order to confront the risk.
Fortunately, workers are becoming more aware of the threats posed by internet scams, but because scammers and hackers are getting better at what they do, the business and its workforce need to constantly upgrade their efforts to track and maintain data security. A few minutes on security issues each week will likely prove to be an eye-opening experience for most businesses. It is well worth a little time to become security aware, but remember: if a business cannot clearly and honestly answer questions about the four areas of concern listed above, then it remains blissfully in the dark until a breach happens. And based upon the pace of current reports of disclosure (it’s in the billions of records, by the way), it will happen.
So, with a few moments of time regularly added to the routine and consideration of the four areas noted above as a starting point, a business can achieve breach acceptance and actually create the necessary culture and environment to become security aware.
Julie-Karel Elkin is an experienced litigator who has worked with some of the nation’s largest insurance companies, independent businesses and personal claims. Focusing on negligence and regulatory claims, torts, contract disputes, mediation and administrative processes, she is uniquely qualified to address all aspects of health data needs. She is the head of Spicer Rudstrom’s Health Data practice in the firm’s Nashville office.