Preventing your data from being stolen.
A very common and significant IT security threat today is the data breach. This is a term used to describe an IT security incident resulting in stolen data. This stolen data may include social security numbers, financial data, intellectual property, personnel records, client agreements, passwords, personal health information and other forms of confidential and valuable data.
You might be surprised to learn that 94% of organizations had an insider data breach in the last 12 months. And did you know that human error is the most common cause?
In this blog, I am going to discuss the best practices for avoiding a data breach and what measures you can implement to avoid.
To begin with, some data breaches are accidental and unintentional, while others are malicious and intentional. Regardless of whether these breaches are caused by accident or purpose, there are solutions and processes you can implement to mitigate these incidents.
Human Error = Accidental Data Breaches
Accidental data breaches are caused primarily by good employees trying to do a good job. For example, an employee may sometimes email sensitive data to their personal account so they can work on a project from home. While there may even be a policy against doing this, the employee will do so out of good intentions and an interest in getting the job done.
The problem is that most employees do not have the same level of cybersecurity protection as they have at their company. The employee may have anti-virus software installed on their home PC, but maybe not real-time endpoint protection which is the standard today. Or, the PC has not been updated recently with latest security patches, resulting in a vulnerability that can be exploited by cybercriminals.
The vast majority of breaches occur when employees do not follow security protocols that may include:
disclosing sensitive data without permission,
failing to secure their personal devices, or
click on a link that contains a phishing attack.
Email the biggest risk, still.
Email is still the riskiest manner for making a mistake and remains the most fertile hunting ground for cybercriminals phishing for valuable data. Cybercriminals are very good at spoofing emails, impersonating key decision makers, and disguising their attempts to dupe key employees in providing key information.
Protecting against this type of data breach requires the company to have a vigilant staff that is aware of these attempts to fool them. Mistakes happen most often when the employee may be in a hurry, is not trained to look at the sender’s email address, or if the company does not have protections in place to avoid. Additional processes and controls must be implemented.
Industry Specific Compliance.
Many industry organizations and governance bodies are very much aware of these potential issues involving theft of data. Most regulatory agencies have revised their compliance protocols requiring organizations to implement specific measures to protect against these cybercrime activities.
Today there are multiple compliance standards that run across several industries, with health care and financial being the most comprehensive. Simply stated, these compliance standards are best practices for protecting data.
Key regulatory standards such as HIPAA are mandatory for medical providers, dental offices, clinics, and other companies working with protected health information (PHI). While PCI compliance is required for any business that processes credit cards, such as restaurants, retail stores and service providers.
The newly revised FTC Safeguards Rule requires security training for financial institutions that process customer financial transactions such as mortgage lenders & brokers, auto dealers, payday lenders, and tax preparation firms.
Even if ‘compliance’ is not required by a government agency, you may find that your industry association may push their members to achieve an ‘accreditation’ by complying with common cybersecurity best practices. These accreditations often lend more credibility to the individual company and their industry as a whole.
Security Awareness &Training
An increasingly more common requirement for compliance and accreditation specifies security training as part of the overall company’s security plan. Security training throughout the organization may also be a requirement for the company to perfect a cyber liability insurance claim.
All of these can be addressed with effective security awareness training. A survey of over 1,000 employees from Osterman Research found that security awareness training is an effective tool to reduce employee risk. Employees that undergo security awareness training were up to 70% less likely to engage in risky behaviors such as clicking suspicious links in an email.
Security Training Vendors
As we noted above, human error is the most common reason for a data breach and theft of confidential data. To counter this dilemma, security training has become a key initiative to guard against these human mistakes.
There are many companies that provide this type of security awareness training. This list by Infosec includes the 10 best security awareness training vendors in 2022. And, according to ‘The Forrester Wave’, by Forrester Research, some of the top security awareness training vendors include KnowBe4, Proofpoint, and Cofense.
It may be difficult to determine which vendor may be a best fit for your organization just by looking at the list. So here are three key things to consider as you evaluate security awareness vendors:
Do they provide a comprehensive, one-stop-shop solution for your specific security awareness and training needs? For example, do they provide engaging training that resonates with employees, simulate and monitor phishing campaigns, and assess your security culture over time?
Can they deliver automation and integration capabilities to streamline your security awareness training efforts and weave them into your existing learning and professional development initiatives?
Are they focused on the “learner experience” with automated updates, easy-to-navigate dashboards, a breadth of content and visibility on each employee’s learning trajectory?
* * * * *
Security awareness and training should be a part of every company’s strategy for protecting their confidential data and to avoid financial mistakes that could be disastrous. This has quickly become a best practice for almost all companies that rely on technology and IT.
Contact RIATA today and we’ll be glad to help you assess and develop a plan for this all important security awareness training. We will also help you develop those internal policies that will shore up this effort and make sure your employees are knowledgeable on avoiding scams, data thefts and embezzlement.
About the Author: Tommy Wald is CEO of RIATA Technologies, a Managed IT Services Provider headquartered in Austin, TX. He can be reached at TWald@RiataTechnologies.com.