By Ian Ramsey and Sarah Spurlock
With all of the recent data breaches, it is no surprise that those who have spent time ordering new credit cards or signing up for credit monitoring are nervous. The possible consequences seem overwhelming, and with no easy cure, taking action can seem too daunting.
The threats are unnerving because for too long we have relied on others to make our online experiences safe. At home we may not see the need to install anti-virus software, use encryption, or set up a secure Wi-Fi network. At work, we assume these are issues for the information technology department.
What we fail to recognize is that the most significant threat is people making bad decisions because they know little about data security. Our collective reliance on someone else, plus a defeatist attitude, is a recipe for failure. If we don't think about security at home, the burden of security protections seems unnecessary at work.
We all need to do a self-assessment. Start with your passwords. Don't use the same password, or a variation of it, for multiple accounts: an attacker who obtains one password from a breached site will try it, and obvious variants of it, against your other accounts. For mobile devices, choose a passcode of at least six characters. For laptops or desktops, use a passphrase, which is akin to a complete sentence.
The trick is to think of a quote from a movie, a line from a song, or a random sentence from a book that you carry, keep in your desk, or have on your bookshelf, and then alter it (change the word order, or add a word only you would use), because password-cracking tools include lists of well-known quotes and lyrics. Every password should change on a 90-day cycle, and immediately if you suspect it has been exposed.
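The two rules above (no reused or "varied" passwords across accounts, and a long passphrase rather than a short password) can be checked rather than just remembered. The following is an added example written for this page, not code from the authors or their firm: it collapses the common tricks people use to vary a password (capitalisation, trailing years and punctuation, letter-for-symbol substitutions) so that reuse across accounts can be flagged, and it puts numbers on how much a six-character password and a multi-word passphrase actually buy. The account list and the small word list are constructed for the demonstration; a real passphrase generator should draw from a large list such as the EFF long list (7776 words).

```python
"""Password self-assessment helpers: flag reused or trivially varied
passwords across accounts, and estimate password vs. passphrase strength.

Added example for this page; not from the article. The word list and the
sample accounts below are constructed for demonstration only.
"""
import itertools
import math
import re
import secrets

# Constructed mini word list. A real list (e.g. EFF long list) has ~7776 words.
WORDLIST = [
    "anchor", "basalt", "cactus", "dagger", "ember", "falcon", "granite",
    "harbor", "icicle", "juniper", "kestrel", "lantern", "marble", "nickel",
    "orchid", "pebble", "quartz", "raven", "saddle", "timber", "umber",
    "velvet", "walnut", "yarrow", "zephyr",
]

# Letter-for-symbol substitutions people use to "vary" a password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its core word so that Summer2014!, summer2015
    and P@ssw0rd! collapse to 'summer' / 'password'."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits/punctuation
    s = re.sub(r"^[^a-z]+", "", s)   # and leading ones
    return s.translate(_LEET)        # undo letter-for-symbol swaps


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_variation(a: str, b: str, max_edits: int = 2) -> bool:
    """True if the two passwords share a core within max_edits edits."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:             # e.g. an all-digit PIN: compare raw
        return a.lower() == b.lower()
    return edit_distance(na, nb) <= max_edits


def find_reuse(accounts: dict) -> list:
    """Return pairs of account names whose passwords are reused or varied."""
    return [(x, y) for x, y in itertools.combinations(accounts, 2)
            if is_variation(accounts[x], accounts[y])]


def random_password_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Draw words with the CSPRNG in `secrets`, never `random.choice`."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed sample: the "vary one password" habit the article warns about.
    accounts = {"bank": "Summer2014!", "email": "summer2015",
                "work": "Tr0ub4dor&3"}
    print("reused/varied:", find_reuse(accounts))
    print(f"6 random chars (a-z, A-Z, 0-9): {random_password_bits(6):.1f} bits")
    print(f"5 words from a 7776-word list: {passphrase_bits(5, 7776):.1f} bits")
    print("candidate passphrase:", generate_passphrase())
```

The entropy figures are for uniformly random choices; a verbatim movie quote or song lyric is closer to a single dictionary entry than to the 60-plus bits of five random words, which is why the advice is to alter the line rather than use it as printed.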
Business owners need to gain an understanding of their legal obligations to protect company information—identify what you have, know where it is kept, and determine who has access. Document your security strategy, train your employees so they understand their roles, and develop a breach response plan identifying your first responders—those you will call on when a laptop is lost, a virus shuts down your servers, a terminated employee walks out the door with a gigabyte of data, or a cybercriminal hacks your system.
Our advice—be proactive. Educate yourself and your employees about what steps each person can take to secure data. Start small like discussing proper passwords and identifying suspicious emails. Work with your employees expecting that a breach will occur and practice your plan on a regular basis making it more than just words on a page.
– Ian Ramsey is a member and Sarah Cronan Spurlock is an attorney, both with Stites & Harbison.
Data Breach Response Best Practices Guide Released by DOJ
The Department of Justice's (DOJ) Cybersecurity Unit recently released a data breach response guide, "Best Practices for Victim Response and Reporting of Cyber Incidents," to help facilities prepare for data security incidents before they occur and respond once one has.
While the guide was created with smaller practices in mind, the DOJ stated that larger organizations that have more experience in cybersecurity matters can still benefit from the best practices guidance.
The guide is divided into three main sections, each of which includes subsections providing further detail on the best approach to data breach response and preparation. The three main sections are:
- Steps to Take Before a Cyber Intrusion or Attack Occurs
- Responding to a Computer Intrusion: Executing Your Incident Response Plan
- What Not to Do Following a Cyber Incident
While the guidance does not specifically mention healthcare organizations, the three sections describe approaches that many healthcare facilities are already putting into place. View the full report here: http://goo.gl/WV9kgU.