FALL 2017 | Celebrating 25 years with the world's finest law firms
of cybersecurity changes every time the criminals find and exploit a new tool or weakness.

Hackers get information from unintended leaks, like New York University publishing the U.S. Military code breaking mechanism, or the constant and relentless probing of the security mechanisms of tech companies like Microsoft. Businesses must regularly analyze all means of access to the system, such as servers (cloud-based or internal), stationary computers, laptops, iPads, tablets and smart phones. Someone in the workforce probably has customer data or other sensitive information, such as passwords, on a smart phone. Then there are all the plug-ins, like scanners, printers, fax machines, security systems, and the "internet of things," such as thermostats and card key readers (yes, anything that can be controlled remotely is a potential hole in your security), not to mention all the new wearables and implantables. As those devices become more common, every company has to know how those technologies are communicating with its network. Security patches and updates can be a hassle, but misconfigured data ports and bad server configurations are some of the easiest ways to lose a lot of data or to have your system rendered useless.
Companies must also continue to invest in personnel training because people are sometimes more difficult to control than the computer network. Owners, managers and supervisors must create a real culture of cybersecurity. Businesses need to invest in personalized training for all employees, including the owners and managers. Companies should recognize that internet tools such as video presentations, webinars, online curricula and quizzes are all good interim reminders. But, as a recently reported large data breach proved, an online training session that a workforce member had just attended, which included instruction on an almost identical phishing scam, was not enough when the workforce did not take the instruction seriously. Personnel training cannot be an afterthought. The culture of the office will ultimately determine its level of cybersecurity or cyber-insecurity, so businesses need to start looking for holes and constantly evaluate their systems to become truly secure.
And for those who transact globally, the European Union (EU) is counting down the time when the new General Data Protection Regulation (GDPR) goes into effect in May 2018, as well as the new ePrivacy regulations that go along with it. Those regulations will impact any offering of products or services to individuals in the EU member states and any processing of personal data associated with citizens of EU members. There are penalties for violations and opportunities for class actions which will provide potential compensation to individuals from the party collecting the data, as well as those who process it on behalf of another organization.
Using some of the same methodologies as in the U.S. for health care compliance, EU organizations will now have to perform compliance reviews and gap analyses to determine deficiencies in any data protection plan. Similar, too, is the potential for the mandatory appointment of a Data Protection Officer (DPO), whose role looks much like that of a medical provider's Privacy and Security Officer. Currently, the requirement for appointing a DPO appears to be fairly limited and the most onerous GDPR requirements affect large organizations, but, with cybersecurity, businesses can be certain things will always change and the bad guys will always be looking for holes.