The cost of failing to protect clients’ and customers’ personal data is extremely high. Whether it is a retailer that fails to protect customers’ credit card information, a college that fails to protect students’ records or a health care provider that fails to protect patient data, one shouldn’t underestimate the consequences of failing to protect data. In short, organizations that fail to protect confidential information fail on at least two important counts: customer/client care and compliance. In today’s high-tech world, however, hacking continues to evolve, and as hackers become more sophisticated, our defenses against hacking also need to become more sophisticated.
Even organizations that feel secure behind a protected firewall are often far more vulnerable than they realize. Fortunately, with ongoing information and cybersecurity training, organizations can protect themselves and the people they serve.
How Vulnerable are Organizations to Information Breaches?
To begin, consider the breach affecting an estimated 4.5 million patients in UCLA’s highly regarded health network. The breach, which occurred in Spring 2015, came on the heels of several other major breaches in the healthcare sector, including one involving an estimated 80 million health records at Anthem Inc. (an insurance company). The UCLA attack occurred for several reasons, but a key revelation and criticism that arose after the attack was the health network’s failure to take the basic step of encrypting its patient data. Worse yet, this was not the first time the health network had faced a security breach. In 2011, UCLA patients were notified that a hard drive containing more than 16,000 records had been stolen from the home of one of the network’s doctors. In both cases, the health network’s failure to protect patient data resulted in class action lawsuits as well as the lost trust of thousands of patients.
On the retail side, we’ve also witnessed several recent high-profile security breaches. In early February 2015, White Lodging, which maintains hotel franchises for a wide range of hotels, including Hilton, Marriott and Westin, suffered a data breach that may have exposed hundreds of guests’ debit and credit card information. In March, beauty supplier Sally Beauty, which operates 2,600 retail outlets, reported that over 280,000 debit and credit cards were stolen and then sold. Arts and crafts retailer Michaels also reported a data breach in early 2015. The company admitted that 2.6 million cards used in their stores between May 2013 and January 2014 were potentially exposed during a data breach. This, to be clear, is only a short list of some of the recent revelations on the retail side of this story, but like the health insurers and networks already mentioned above, these retailers have all experienced negative consequences, including the depleted trust of the people they strive to serve.
How to Arm Your Organization Against an Information Breach
First, it is wise to assume that no organization is ever completely safe. This is no surprise since hackers aim to outsmart even the best-trained IT professionals. Second, there are steps one can take to arm oneself against information breaches and cybersecurity attacks. eLeaP’s annual security awareness certificate program, for example, is based on globally recognized best practices in information and security awareness. Indeed, the four-step program provides an affordable way to arm your organization’s employees, and not simply your IT staff, with the awareness required to ensure your organization’s data is as secure as possible.
Step 1: Assessment
Take stock of your organization’s current situation by assessing what data is at risk and what steps you are or are not taking to protect this data. For example, do you permit employees to access data on mobile devices? Are employees’ mobile devices secure? Is the data in question encrypted? Do you have anyone on staff who is a Certified Ethical Hacker, and have you asked them to test the security of your information system?
Step 2: Education
While it is often assumed that information and security concerns are best left to IT experts, in reality, most breaches occur when non-IT staff make an error without even knowing it. As noted above, UCLA’s 2011 breach happened when a hard drive was stolen from a physician’s home. Chances are, the physician had no idea that having patient data in their home was even a potential risk. Likewise, many retail breaches occur as a result of errors made by staff who have never received training on security issues because they work outside IT divisions. In reality, however, anyone who uses a computer in your organization is responsible for protecting both personal and organizational data, and as a result, everyone, not simply your IT experts, needs to be educated.
Step 3: Post-Assessment
Have all employees test their knowledge of cybersecurity issues to confirm they have retained the course’s best practices.
Step 4: Certification
Certification is awarded to those employees who take and pass a post-training course. Certification gives participating organizations a sense of added security since it ensures they have a core group of staff who are up to date on the latest best practices in information and cyber security.
For more, see eLeaP’s Information and Security Awareness courses.