A few years back, most of the breaches listed on the U.S. Department of Health & Human Services website were caused by organizations’ own employees, not hackers, according to IT Authorities.
While companies fret over the next cyber-attack, more than 50% of those breaches are due to lost or stolen laptops, backup tapes, and mobile devices containing unencrypted data. Then there are the everyday human errors that happen at companies in every industry, such as a worker leaving the server room door unlocked or keeping passwords on a sticky note under the keyboard.
The truth is that these incidents happen for a number of reasons, some unintentional and others intentional and malicious. On the unintentional side, a lack of specific training and security awareness is the primary contributor. On the criminal side, there are financial gains from selling the information or exposing it to the media, not to mention, particularly in healthcare, the possibility of obtaining free medical care and prescription access to narcotics.
What steps can your business take to protect against these incidents?
- Create policies and procedures regarding the handling of confidential or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
- Focus more on training. Many organizations think that a generic 30-minute online information security course followed by 10 questions is sufficient for staff to know what to do in a given situation. However, training that is not specific to employees’ own responsibilities leaves open the possibility of unintentional exposure of, or unauthorized access to, protected information.
- Give your employees only the minimum access to vital information that their job requires. Businesses need to take the time to assess which functions or roles in the organization need access to confidential information, and to document the process for granting and terminating that access. The most harmful impact on an organization can be inflicted by a disgruntled employee who was terminated, yet whose access to information was not cut off in a timely fashion.
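The two failures this step warns about, access that outlives an employee’s termination and access that exceeds what a role needs, are both detectable by periodically reconciling the account directory against the HR system of record. The following is an added example, not code from IT Authorities, Veriato, or the original post: it assumes a hypothetical HR feed (`HrRecord`) and a directory export (`Account`), both constructed inline, and a role-to-group entitlement table that is likewise invented for illustration. It flags orphaned accounts with no HR owner, enabled accounts whose owner was terminated longer ago than a grace period, and group memberships a role is not entitled to.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    """One entry from a directory export (constructed, hypothetical schema)."""
    user: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)


@dataclass
class HrRecord:
    """One entry from the HR system of record (constructed, hypothetical schema)."""
    user: str
    role: str
    status: str                      # "active" or "terminated"
    terminated_at: Optional[datetime] = None


# Which job roles may hold membership in each sensitive group.
# Groups not listed here are not reviewed by this check. (Invented policy.)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "phi-readers": {"clinician", "billing"},
    "server-admins": {"sysadmin"},
}


def review_access(accounts: List[Account], hr_records: List[HrRecord],
                  now: datetime, grace: timedelta = timedelta(hours=24),
                  entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS
                  ) -> Dict[str, list]:
    """Reconcile directory accounts against HR records.

    Returns three sorted lists:
      orphaned  - enabled accounts with no HR owner at all
      stale     - enabled accounts whose owner was terminated more than `grace` ago
      excess    - (user, group) pairs where the owner's role is not entitled to the group
    """
    hr: Dict[str, HrRecord] = {r.user: r for r in hr_records}
    orphaned: List[str] = []
    stale: List[str] = []
    excess: List[Tuple[str, str]] = []

    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            if acct.enabled:
                orphaned.append(acct.user)
            continue

        # Termination that was never followed by disabling the account.
        if (rec.status == "terminated" and acct.enabled
                and rec.terminated_at is not None
                and now - rec.terminated_at > grace):
            stale.append(acct.user)

        # Group membership the owner's role should not have (least privilege).
        for group in sorted(acct.groups):
            allowed = entitlements.get(group)
            if allowed is not None and rec.role not in allowed:
                excess.append((acct.user, group))

    return {"orphaned": sorted(orphaned), "stale": sorted(stale), "excess": sorted(excess)}


# Constructed sample data: a review run on the morning of 2024-03-01.
NOW = datetime(2024, 3, 1, 9, 0)

SAMPLE_ACCOUNTS = [
    Account("alice", True, {"phi-readers"}),                    # active clinician, fine
    Account("bob", True, {"phi-readers", "server-admins"}),     # billing with admin group
    Account("carol", True, {"phi-readers"}),                    # terminated 10 days ago
    Account("dave", False, {"server-admins"}),                  # terminated, correctly disabled
    Account("erin", True, {"phi-readers"}),                     # terminated 13 hours ago
    Account("frank", True, set()),                              # no HR record at all
]

SAMPLE_HR = [
    HrRecord("alice", "clinician", "active"),
    HrRecord("bob", "billing", "active"),
    HrRecord("carol", "clinician", "terminated", datetime(2024, 2, 20, 17, 0)),
    HrRecord("dave", "sysadmin", "terminated", datetime(2024, 2, 28, 12, 0)),
    HrRecord("erin", "clinician", "terminated", datetime(2024, 2, 29, 20, 0)),
]


if __name__ == "__main__":
    for category, items in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, NOW).items():
        print(f"{category}: {items}")
```

With the sample data, `carol` is reported as stale, `erin` is not because she is still inside the 24-hour grace window, `bob` is reported for holding `server-admins` as a billing user, and `frank` surfaces as an orphan. Running the review with `grace=timedelta(0)` moves `erin` into the stale list, which is the setting to use when the documented process requires same-day deprovisioning.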
- Communicate and apply consistent sanctions for information privacy or security violations. If there is no punishment for improper information sharing, your staff is more apt to do it. For example, rural hospitals and health plans have significant problems with employees snooping into the medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address improper snooping into the medical records of celebrities and prominent public figures. A company may suffer significant financial and reputational damage if no action is taken when bad behavior occurs.
- Use Veriato 360 for employee monitoring. Doing so verifies that access is appropriate and can unearth unusual activity. Take the time to review, or randomly sample, usage reports to identify potential problems early and initiate remediation immediately.
- Make sure that there is adequate oversight or governance of information security programs. This is important to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
A huge share of an organization’s data breaches are due to “friendly fire” – the mistakes and transgressions of the business’s own staff and business associates. By taking the actions outlined above, a company can greatly reduce the likelihood of these internal breaches, both the careless errors and the malicious or criminal acts.