Many organizations recognize the importance of cybersecurity and have implemented a security-first approach to keep the data they are entrusted with safe. A robust cybersecurity compliance strategy will go a long way in ensuring the safety of your company data as well as that of your customers, clients and other third parties. However, as you put safeguards to prevent external data security threats, do not forget to mitigate threats from within the firm.
Monitoring Data Security Compliance in the Workplace
Today, hackers are using social engineering and phishing strategies to compromise data in organizations. Perhaps nowhere is phishing more prominent than in the healthcare industry. Here are some recent data breaches that affected major healthcare industry players:
- 20,000 Catawba Valley patient records compromised (source)
- 21,000 patient records of the Minnesota Department of Human Services exposed (source)
- 38,000 patient records exposed at Legacy Health (source)
- 1.4 million patient records breached at UnityPoint Health (source)
However, data security threats are not limited to the healthcare industry nor are they carried out solely by third-party actors. According to the 2018 Verizon Data Breach Investigation Report, 17% of data breaches occur due to employee errors. Moreover, 4% of people click on phishing campaigns and, therefore, put their systems at risk of getting hacked.
While employees would not act in bad faith and compromise your organizational data, their seemingly “innocent” and sometimes well-intended actions can leave your systems exposed to third party intruders.
Majority of data breaches occur on databases and file servers. Therefore, as you safeguard your IT infrastructure, ensure that employees are aware of data security threats and know how to identify, manage, and mitigate them.
Importance of Monitoring Noncompliance
Data security noncompliance can have a significant impact on your bottom-line. Apart from potentially exposing sensitive data to third parties, your organization may also be fined by industry regulatory bodies.
For example, the Healthcare Insurance Portability and Accountability Act (HIPPA) imposes fines ranging from $100 to $50,000 for each violation.
The Sarbanes-Oxley Act 2002 (SOX) also has non-compliance penalties, which include monetary fines as well as prison time.
In 2016, Wells Fargo had to pay fines amounting to $1 billion when it was established that its employees wrongfully charged some customers for various loans.
Employee training for Compliance Management
Compliance management stipulates the steps to be followed by employees when accessing, transferring or storing data. Companies need robust compliance management programs that address all facets of the IT data environment and ecosystem. Moreover, employees should be encouraged to embrace cybersecurity compliances.
Employees that are uninformed on how to handle cybersecurity attacks are a huge threat to your security compliance program. Therefore, management needs to play an active role in encouraging the adoption of security-first strategies, which should be embraced across the organization.
One of the ways of involving employees in security awareness is through induction and regular security training. The training sessions can involve giving employees worksheets with the data security procedures and policies of the firm. Regular refresher training on data security should also be encouraged.
Here are some tips you can use to make data security training more interesting and, in turn, make employees more cyber aware:
- i) Personalize the Training
Personalize the data security training so that employees can see how the information applies to their daily life. Avoid using technical jargon when explaining concepts. Instead, use simple language and everyday examples explain concepts.
- ii) Use Passwords
Make it mandatory for employees to be required to provide passwords when trying to access various data. Set up your systems to have minimum requirements for strong passwords. You can also program your applications to forcefully require password changes after a specific duration to keep your systems secure.
iii) Multifactor Authentication
Another way of improving cybersecurity in your firm is by using multifactor authentication. Multifactor authentication adds a separate layer of security on your data, which is critical to preventing unauthorized access to your systems. For example, you can provide corporate tokens to employees and set the tokens to be flagged and automatically disabled in case unusual usage is detected.
- iv) Have Security Reporting Procedures
You should define all types of risks that employees are likely to encounter and have clear procedures for reporting them. Here are some examples:
- Phishing emails – These should be forwarded to the IT department
- USB drives – Require all employees to have all external USB drives checked before they can be used in the firm
- Software – Restrict installation any software programs to the IT department
Use Compliance Monitoring Software
You can use data security compliance monitoring software to reduce vulnerabilities in your systems. The software can track users and use workflows to monitor vulnerabilities. Through the software, you will have a single source of information, which can help in drilling down potential sources of security breaches.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.