Costing the global economy around $400 billion per year, cyber crime has become one of the most significant risks that an employer faces today. Information is a valuable commodity in the right hands, and hackers around the world are increasing their efforts every minute to obtain it. As technology develops, more organizations are using computers and online services to store files, process personal information, and make transactions. This increases the exposure of employee records, customer information, and intellectual property to theft, contributing to the rise in cyber crime at an alarming rate.
Employers Are at Serious Risk
Information is one of the most important assets that an organization can possess, sometimes more so than physical assets. Valuable intellectual property is the staple product of several industries. Technology companies store information on patents that they develop. Law firms spend a great deal of capital generating files full of legal information. Leaving information unsecured is as risky as leaving physical assets unlocked and unguarded.
There are also strict obligations for organizations to protect information. All employers must safeguard their employment records and protect the privacy of employees. Healthcare providers are required to protect their patients’ medical records. Merchants have a duty to secure any credit or payment information from cyber criminals. Failing to protect consumer information could result in severe penalties.
The federal Office of Personnel Management recently revealed that hackers obtained sensitive information on more than 21 million people through its computer network. It was predicted that the hackers stole personal information, including social security numbers, from these victims. Additionally, more than one million fingerprints were stolen during the breach. The victims of this type of violation now face the risk of criminal activities such as identity or welfare theft.
The Federal Trade Commission (FTC) has reported that more than 250,000 identity theft complaints were filed in 2013. These crimes include unauthorized use of credit card information, bank accounts, and personal data of employees. The FTC has filed actions against more than 50 businesses for failing to use proper security measures that protect the data of employees and customers.
What Employers Are Doing Wrong
The actions filed by the FTC can serve as an example to employers to prevent repeating the past mistakes of others. The FTC has identified several points of weakness that may appear in an organization’s security and how they may be addressed:
- Collecting more information than is actually needed. Before requesting information from customers or employees, employers should ensure that there is a legitimate business reason for having that information. For example, there would very rarely be a valid justification for obtaining a social security number from customers, or credit card numbers from employees.
- Storing information longer than it is needed. Once the legitimate business reason for holding onto data has expired, the information should immediately be removed from the system. Every moment that a customer’s credit card number is stored in a business’s system puts that data at risk of theft.
- Providing data or administrative access to more employees than necessary. If regular observation or use of sensitive information is not a part of an employee’s duties, he or she should not be granted access. The more people that have access to data, the more exposure there is to mishandling or theft.
- Implementing inadequate authentication measures. Access to an organization’s files is often available to anyone with the password. Hackers have tools at their disposal to guess account passwords, and the simpler the authentication procedure, the quicker the tools work. Dictionary-word passwords like “puppyfan” are no longer adequate to hamper password guessers. Policies that require complex passwords, limit password attempts, and restrict access to certain computers can dramatically reduce the possibility of a breach.
- Failing to encrypt sensitive information. Even when passwords or other data are properly stored and protected, intrusions into the system are still a possibility. Encrypting all information, rather than placing it in a “plain-text” file or email, can prevent intruders from using what they find.
- Giving remote access to systems without inspecting the security of the remote device. Once an employee or associate has access from a remote laptop or office computer, those access points must have the same amount of protection as the rest of the system. This is especially important for mobile devices that are used in public, as they are more easily stolen. Information accessible remotely should be limited, and policies must require secure storage of the equipment.
- Failing to keep up to date on security. Implementing security measures is an ongoing process. Wherever software updates are available, they should be used immediately. Systems must be monitored for breaches, and procedures in place for when a breach occurs. As cyber-criminals invent new creative ways to steal data, new security measures should be put in place to counter their advances.
Although cyber crime is a growing threat, employers should continue to protect physical records from theft or loss. Access must be restricted, transportation of documents limited, and storage containers securely locked by key or passcode.
Further Steps Employers Can Take
Many organizations are not aware that their insurers most likely do not cover cyber liability, but independent policies exist to cover such losses. These policies can also cover liability to third parties or legal penalties for certain breaches. Reports show that the greatest expense of cyber attacks, including minor ones, is the disruption to business operations. Loss of profits due to these disruptions can be mitigated with a proper insurance policy.
The average time for an organization to fully contain a breach is an astonishing 31 days. By implementing policies and procedures to react immediately to threats, this time can be greatly reduced and costs of disrupted operations can be saved. Many companies are making investments to speed up their procedures, including purchasing early detection software or hiring specialists to monitor and control networks.
A major defense to network breaches is the compartmentalization of sensitive information. Networks should have multiple firewalls to restrict access to the system and to specifically block extraction of data. Where employees or agents are given mobile access to data, the data should not only remain secure, but be strictly limited to what is necessary for that employee’s purpose. A recent case revealed that a company lost 20 million pieces of sensitive information to a thief that stole a laptop from an employee’s car.
Another study found that more than one third of data leaks are caused by employee negligence. While thorough training is the most effective defense against these leaks, employers can identify where there may be weaknesses in their staff. One such method is to send employees fake “phishing” e-mails that are identical to actual malicious e-mails. Employers can identify who mistakenly opens these e-mails and retrain those employees to drastically reduce the chances of another such occurrence.
Ironically, a study has discovered that the companies that are safest from cyber attacks are those that have recently had a breach. This indicates that too many employers are using cybersecurity as a reactive measure rather than a preventative one. Employers can learn from these errors by taking necessary security steps before there is a breach, rather than waiting until it is too late.