[BreachExchange] Did Opening That Email Place Your Business in Legal Hot Water?

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 18 20:16:27 EDT 2018


The email can arrive in your inbox cleverly disguised, appearing to come
from your boss, a co-worker or some other person, business or organization
you trust.

But click on a link or attachment as instructed and you could be in for a
headache. You’ve just given cybercriminals access to your company’s data –
and potentially put the business out of compliance with federal laws and
regulations about protecting that data.

Phishing attacks are one of the most common security challenges individuals
and businesses face when it comes to keeping information secure. The
phisher’s goal is to steal sensitive and confidential information. That
information could include Social Security numbers, credit card and bank
account numbers, medical or educational records, dates of birth and
mailing/email addresses.

That’s problematic because federal regulations may require that your
business keep certain information secure. Just as an example, health
providers are expected to safeguard the medical records of patients under
the Health Insurance Portability and Accountability Act.

Such compliance issues can create unwelcome complications for businesses,
which is why they need to be proactive in addressing phishing. There are a
few steps they can take to protect themselves, beginning with educating
employees. The first line of defense against phishing is employees, because
they are the ones likely to be targeted. Make them aware of the concerns
and tell them to be suspicious of emails that offer them links with little
explanation, or that ask for sensitive data, even if it appears to be
coming from a trusted source.

Companies also need to reassess who has access to data. Because employee
mistakes are the most likely cause of a breach, retraining alone may not
get the job done. A business or organization may want to take another look
at who should have access to all that sensitive data, and make adjustments
where possible.

If a breach happens, take action. You can’t just ignore the data breach.
Right away, your IT team needs to be notified so they can get to work
handling the breach. At the same time, it’s important to immediately
contact your compliance officer or attorney so they can take appropriate
steps for reporting the breach to the proper regulatory agencies.

These “phishing expeditions” from cybercriminals represent a serious
challenge for businesses and for their compliance officers. It’s critical
to be aware of the threat and to know that there are steps you can take to
reduce your risk and avoid finding yourself out of compliance with
regulations that govern your sensitive data.