Avoiding Data Breach

Recently, companies and public entities alike have been stung by large-scale data breaches. These breaches can have very serious consequences, resulting in tremendous financial liabilities and loss of reputation. Data breaches are commonly attributed to “hackers,” yet most data breaches are not caused by targeted intrusions.

According to a study performed by the Ponemon Institute, a data security and privacy research organization, over one-third of all data breaches are caused by employees and are unintentional. Employee-caused breaches have been steadily increasing over recent years as organizations rely more heavily on technology to move data around.

Employee negligence typically involves unsecured data-transfer methods such as USB drives, portable hard drives, floppy disks or CDs. These devices are easily lost or stolen, and they can carry malware from one machine to the next. Employees may also e-mail sensitive data to the wrong recipient, giving an unauthorized party access to potentially sensitive material. Third-party cloud services such as Dropbox and Google Drive create a further opportunity for breach: the services themselves are not necessarily insecure, but their configuration, sharing settings and access controls are usually not managed by the company or district’s IT staff and are therefore outside its control.

If your district handles financial information such as checking account or credit card numbers, or holds patient information, it is at added risk. A breach involving financial or medical information is severely damaging to reputation and can bring political consequences, lawsuits, and attention from federal regulators. The Federal Trade Commission’s Red Flags Rule requires financial institutions and creditors to maintain a written identity theft prevention program that identifies and responds to warning signs (“red flags”) of identity theft. If those requirements apply to your district and are not met in day-to-day operations, the district could face substantial regulatory penalties and litigation costs.

Prevention

The first step in preventing a data breach is assessing your district’s specific risks and vulnerabilities: how employees currently handle and transfer internal data, and how they transmit confidential information. The key to preventing a data breach is employee training. The Ponemon Institute study found that only 42% of employees surveyed had received training on data security, and only 57% were aware of their employer’s security policies.

Your district does not need a comprehensive data security policy in place before it can start reducing its risk. Begin by educating staff on common-sense data storage and online security practices. That conversation can set the guidelines for a more formal policy developed in conjunction with your IT staff or outside experts.

If you have no policies or practices in place, make this a top priority; it is also an important part of complying with the federal Red Flags Rule.

Taking Action

Members can take several proactive steps to manage their data security. Districts should regularly review and audit their data security policies and practices in order to reduce risk. Districts should define employee job responsibilities and data access rights on a least-privilege basis: only the employees who work with sensitive data directly should be given access to it, and that access should be reviewed whenever a role changes. Districts should introduce strict password and account management policies. Require strong, unique passwords and force a change whenever there is any sign of compromise; note that current NIST guidance (SP 800-63B) no longer recommends routine periodic rotation, because forced rotation tends to produce weaker, predictable passwords. Accounts of former employees, and the sensitive-data access of employees who no longer need it, should be disabled immediately (disabling rather than deleting preserves the account’s audit trail until any records-retention requirements are met). Districts can also opt to monitor their employees’ online activity for signs of improper or risky behavior, within whatever limits applicable law and district policy set.
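The periodic access review described above is easiest to keep up with when it is scripted rather than done by hand. The following is an added example (not from the original article or any district’s own tooling) of a Python audit that reconciles a list of user accounts against an HR roster and reports four of the conditions the paragraph calls out: accounts with no matching employee, accounts still enabled after the employee has left, accounts holding sensitive-data groups that the employee’s role does not justify, and enabled accounts that have not been used in a long time. The account and roster records, the `ROLE_ENTITLEMENTS` mapping and the `SENSITIVE_GROUPS` set are constructed for illustration; a real deployment would pull accounts from the directory and the roster from HR.

```python
"""Access-review audit: reconcile user accounts against an HR roster.

Added example, not part of the original article. All records below are
constructed sample data; the role-to-entitlement mapping is an assumption
and would be replaced with the district's own job descriptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Groups that grant access to sensitive data (constructed for the example).
SENSITIVE_GROUPS: Set[str] = {"payroll", "student-health", "cardholder-data"}

# Which sensitive groups each role legitimately needs (assumed mapping).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teacher": set(),
    "school-nurse": {"student-health"},
    "payroll-clerk": {"payroll"},
    "business-office": {"payroll", "cardholder-data"},
}


@dataclass
class Account:
    """A directory account as exported from the identity system."""
    username: str
    groups: Set[str]
    last_login: date
    enabled: bool = True


@dataclass
class Employee:
    """An HR roster entry; `separated` is the employment end date, if any."""
    username: str
    role: str
    separated: Optional[date] = None


@dataclass
class Finding:
    kind: str       # ORPHAN, SEPARATED, EXCESS_ACCESS or STALE
    username: str
    detail: str


def audit_accounts(accounts: List[Account], roster: List[Employee],
                   today: date, stale_after_days: int = 90) -> List[Finding]:
    """Compare every account against the roster and return what to fix."""
    by_user = {emp.username: emp for emp in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append(Finding("ORPHAN", acct.username,
                                    "no HR record; disable pending review"))
            continue
        if emp.separated is not None and acct.enabled:
            # Disabling is the fix for everything else too, so stop here.
            findings.append(Finding("SEPARATED", acct.username,
                                    f"left {emp.separated.isoformat()} but account still enabled"))
            continue
        # Least privilege: sensitive groups the role does not entitle.
        excess = (acct.groups & SENSITIVE_GROUPS) - ROLE_ENTITLEMENTS.get(emp.role, set())
        if excess:
            findings.append(Finding("EXCESS_ACCESS", acct.username,
                                    f"role {emp.role!r} does not justify {sorted(excess)}"))
        if acct.enabled and today - acct.last_login > timedelta(days=stale_after_days):
            findings.append(Finding("STALE", acct.username,
                                    f"no login since {acct.last_login.isoformat()}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit over constructed sample data with a fixed 'today'."""
    today = date(2024, 3, 1)
    accounts = [
        Account("jsmith", {"staff", "payroll"}, date(2024, 2, 27)),        # teacher with payroll
        Account("mjones", {"staff", "payroll"}, date(2024, 2, 28)),        # legitimate
        Account("rbrown", {"staff"}, date(2024, 1, 14)),                   # left in January
        Account("kwhite", {"staff"}, date(2024, 2, 20)),                   # not on roster
        Account("alee", {"student-health"}, date(2023, 10, 1)),            # unused account
        Account("tgreen", {"staff", "payroll", "cardholder-data"}, date(2024, 2, 26)),
    ]
    roster = [
        Employee("jsmith", "teacher"),
        Employee("mjones", "payroll-clerk"),
        Employee("rbrown", "teacher", separated=date(2024, 1, 15)),
        Employee("alee", "school-nurse"),
        Employee("tgreen", "business-office"),
    ]
    return audit_accounts(accounts, roster, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:14} {f.username:8} {f.detail}")
```

On the sample data the audit flags `kwhite` (no HR record), `rbrown` (still enabled after separation), `jsmith` (a teacher holding the `payroll` group) and `alee` (enabled but unused for 151 days), and reports nothing for `mjones` and `tgreen`, whose groups match their roles. Running it on a schedule, and treating every finding as a ticket with an owner, turns the “review and audit” advice into something that actually happens.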

Employee-created threats to sensitive data can be mitigated through proper training, employer policies, and risk management. Not all threats, such as those from outside attackers, can be eliminated, but those risks can be reasonably managed through proactive policies and security controls. It is important to stay ahead of these problems to avoid career-ending issues down the line. See our free course of the month on page 9 for additional training resources.