You have spent thousands on infrastructure. You have the best Cisco firewall money can buy. Your Information Security Officer has every certification the industry offers. Yet you can still be breached. Your employees’ SSN and birthdates can be stolen. Your customers’ bank and credit card numbers can be stolen. The local news announces that all of your customers’ information was stolen.
What happened? Most likely the weakest link was attacked: your people. You did not have a “Human Firewall”.
- The payroll clerk goes to lunch and leaves the direct deposit file on his desk.
- Human Resource manager takes the applications for the new VP position home to review and leaves them on the front seat of her car while having dinner.
- Your controller’s password is written on a Post-it note stuck under the keyboard.
- The VP of finance logs onto your network using an unsecured wireless home network.
You get the picture.
Create a “Willing Culture of Security”
Your data security plan is only as strong as the employees who implement it. Explain the rules to your employees, and train them to spot vulnerabilities in your security. A well-trained staff is your best defense against data breaches. Consistent training stresses the significance you place on data security practices.
Check references and conduct background checks before hiring employees who will have access to sensitive data (subject to the requirements of the Fair Credit Reporting Act).
Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. They need to understand that following the data security plan is a critical part of their responsibilities. Regularly remind them of the company’s policy and legal requirement to keep customer information secure and confidential.
Limit personal information access to staff with a “need to know.” Know which employees have access to consumers’ and employees’ sensitive information. Pay attention to Social Security numbers and bank account numbers.
Create a procedure for making sure that when an employee leaves or transfers to another part of the company, they do not retain access to sensitive information. Terminate their passwords, collect keys and identification cards as part of the departure routine.
Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location, as well as notebooks and smart phones that store or access sensitive information.
Implement a regular schedule of employee security training. Update employees about new risks and vulnerabilities. Make sure training includes staff at remote offices, temporary help, and seasonal workers. Block access to sensitive information for employees who don’t attend.
Train employees to recognize security threats. They need to know how to report suspicious activity. Reward employees who uncover vulnerabilities.
Require employees to report immediately if there is a potential security breach.
Post reminders in areas where sensitive information is used or stored.
Warn employees about phishing. They need to be suspicious of callers who ask for account numbers to process an order, or who request customer or employee contact information. Make it a policy to call such people back using a phone number you know is genuine.
Enforce disciplinary measures for security policy violations.
Consider asking your employees to take the FTC‘s plain-language, interactive tutorial at http://business.ftc.gov/multimedia/videos/protecting-personal-information.
For computer security tips, tutorials, and quizzes for everyone on your staff, visit http://www.OnGuardOnline.gov.