[BreachExchange] How employees can share the IT security load

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 19 19:17:17 EDT 2016


http://www.csoonline.com/article/3072553/advanced-persistent-threats/how-employees-can-share-the-it-security-load.html

When we talk about responsibility for a company’s data security, naturally,
management comes to mind first, typically a CISO, CSO or CIO. Security
professionals and IT managers themselves concede that they bear the lion’s
share of this responsibility.

A recent study showed that 65% of IT decision makers believe they would
likely lose their job due to a security breach. But the real foundation of
a well-managed company’s data security efficacy comes down to each and
every employee within that company. A perfect example occurred nearly five
years ago at a Midwest-based hospital revenue cycle management company and
demonstrated how devastating a poorly-managed security framework can be at
multiple levels of an organization.

In July of 2011, a company employee left an unencrypted laptop containing
protected health information of tens of thousands of patients from
Minnesota hospitals in the trunk of a rental car parked at an airport.
Obviously it was stolen or this would not be much of a story. But think for
a moment about all the security best practices that were either absent or
ignored.

Why wasn’t this critical data encrypted? Why was there no technology in
place to remotely wipe the information on the device? Was the employee
trained to not let a device containing such sensitive data out of his or
her direct control? Were there written policies in place covering these
issues? If so, were they routinely enforced and were offending employees
routinely disciplined? Did anyone audit or monitor the daily operational
security practices at this company?

The company certainly paid the consequences for this massive oversight. The
Minnesota Attorney General instituted a HIPAA action which resulted in a
$2.5 million settlement to the government, with an agreement that the
company suspend practice in the state of Minnesota for between two and six
years, a decision solely within the discretion of the Attorney General. In
its next public filing, the company acknowledged it would lose between $23
million and $25 million in revenue each year it was absent from operating in
Minnesota.

The company’s shareholders then filed a class action lawsuit alleging that
had they known about the HIPAA investigation when it was first instituted,
some of them may have sold their shares before their value plummeted by
more than half. This suit settled for $14 million.

Then, at the end of 2013, the Federal Trade Commission reached a settlement
with the company requiring it to be independently audited immediately and
every other year thereafter, for a period of 20 years, to ensure proper
security measures are deployed. In the meantime, the CEO and CFO departed,
and the company was delisted from the New York Stock Exchange. All told,
a single stolen device cost the company over $100 million in fines,
settlements and lost revenue.

This real-life example demonstrates the failure of numerous employees
throughout the company to create, impose and maintain a security-conscious
environment. You can only imagine how the employee, IT and executives felt
bearing some level of responsibility for all that went wrong here. And that
is to say nothing of the damage, or potential damage, to the thousands of
hospital patients whose personal health information and identities were
left floating out there.

Hopefully, this story makes personal data security not just some
theoretical, lofty goal to achieve, but something that should be top of mind
for every employee in every business that interacts with sensitive
information. The best system of security is much more than just "doing
as you're told" or following a "to do list"; it is something that
must be fully ingrained in the heart and soul of every part of an
organization. The following skill sets, at a minimum, should be top of mind
for every employee.

Understand security and what needs to be secured – At its most granular
level, fully understand what each security step is supposed to accomplish,
how it accomplishes it, and why that step is important to follow. Further,
whether it is protected health information, Social Security numbers, or
intellectual property, all employees should have a sense of what
information within their organization has value.

Accept the fanatical need for security – It becomes tempting to make
security a secondary priority when it seems to slow down the speed at which
one’s work can be accomplished. While it is not always easy to foresee the
potential scale of damage and financial loss, employees should recognize
that security policies and procedures are in place to avoid the example
above.

Keep an eye out for security gaps wherever you are and speak up – The more
minds working the problem, the fewer the problems. It is important to
develop a culture that doesn’t look down on the squeaky wheel.

A carrot works better than a stick – Reward employees who demonstrate a
high level of daily security awareness as well as those who catch the
missed security gap.

Security threats weigh heavily on IT and security professionals, and it is
a responsibility that they should not bear alone. We all need to do our
part to uphold the safeguarding of sensitive data.