Identifying Deficiencies in Your Security Process – Part 1
Identifying deficiencies in your organization’s security process is the first step to limiting your risks. One of the most fundamental security issues facing many companies today is the prospect of a data breach, whether internal or external.
What do you think of when you hear the words “data breach”? Perhaps the most prevalent concept is that of someone hacking his or her way into a network with the intention of stealing data. While this is certainly an issue, not all data breaches are limited to remote, online access. For example, according to the Health Insurance Portability and Accountability Act (HIPAA), any hospital employee who views a patient’s private health information on a computer monitor without authorization to do so is participating in a data breach, whether he or she is sitting directly in front of the device or is glancing over the shoulder of another employee who is authorized to view it.
In fact, a data breach occurs when any sensitive, protected or confidential data has potentially been viewed, stolen or used by someone who is not authorized to do so. Data breaches typically are divided into personal health information (PHI), personally identifiable information (PII), and intellectual property, such as trade secrets.
Not only does an organization owe it to itself to protect sensitive data, it owes it to the people whom it serves. For example, in addition to the aforementioned HIPAA privacy policies, the Payment Card Industry Data Security Standard (PCI DSS) states who is allowed to handle and use sensitive PII such as credit card numbers, PINs and bank account numbers in conjunction with names and addresses. With that in mind, there are a number of industry guidelines and government compliance regulations in place mandating strict protection of sensitive or personal data in order to avoid data breaches. These regulations are backed up by penalties in many instances. So if, for example, a data breach leads to identity theft and/or a violation of government or industry compliance mandates, an offending organization can face fines or other civil or criminal prosecution.
Today’s business security environment must contend with physical, on-site threats as well as external threats posed by cyber attacks. Increasingly small, increasingly powerful personal electronic devices such as iPhones can record and transmit audio, visual and textual information – and they are easily concealed. At the other end of the spectrum, many companies are contemplating or have already moved to cloud-based computing services, opening the door to yet another set of security issues for corporate data.
Identifying deficiencies in the security process is therefore a multi-faceted undertaking, one that means more than just setting up firewalls, locking up laptops, and installing real walls for viewing privacy at employee workstations. Reviewing your organization’s policies on employee access to information is just as important as reviewing safeguards in place to keep sensitive data from being accessed remotely by prying eyes.