criminals find and exploit a new tool or weakness. Hackers get information from unintended leaks, like New York University publishing the U.S. Military code-breaking mechanism, or from the constant and relentless probing of the security mechanisms of tech companies like Microsoft. Businesses must regularly analyze all means of access to the system, such as servers (cloud-based or internal), stationary computers, laptops, iPads, tablets and smartphones. Someone in the workforce probably has customer data or other sensitive information, such as passwords, on a smartphone. Then there are all the plug-ins, like scanners, printers, fax machines, security systems, and the "internet of things," such as thermostats and card key readers (yes, anything that can be controlled remotely is a potential hole in your security), not to mention all the new wearables and implantables. As those devices become more common, every company has to know how those technologies are communicating with its network. Security patches and updates can be a hassle, but mis-configured data ports and bad server configurations are some of the your system rendered useless.

Companies must also continue to invest in personnel training, because people are sometimes more difficult to control than the computer network. Owners, managers and supervisors must create a real culture of cybersecurity. Businesses need to invest in personalized training for all employees, including the owners and managers. Companies should recognize that internet tools such as video presentations, webinars, online curricula and quizzes are all good interim reminders. But, as a recently reported large data breach proved, a workforce member having just attended an online training session, which included instruction on an almost identical phishing scam, was not enough when the workforce did not take the instruction seriously. Personnel training cannot be an afterthought.
The culture of the office will ultimately determine its level of cybersecurity or cyber-insecurity, so businesses need to start looking for holes and constantly evaluate their systems to become truly secure.

And for those who transact globally, the European Union (EU) is counting down the time when the new General Data Protection Regulation (GDPR) goes into effect, along with the ePrivacy regulations that accompany it. Those regulations will impact any offering of products or services to individuals in the EU member states and any processing of personal data associated with citizens of EU members. There are penalties for violations and opportunities for class actions, which will provide potential compensation to individuals from the party collecting the data, as well as from those who process it on behalf of another organization. Using some of the same methodologies as in the U.S. for health care compliance, EU organizations will now have to perform compliance reviews and gap analyses to determine deficiencies in any data protection plan. Similar, too, is the potential for the mandatory appointment of a Data Protection Officer (DPO), whose role looks much like that of a medical provider's Privacy and Security Officer. Currently, the requirement for appointing a DPO appears to be fairly limited, and the most onerous GDPR requirements affect large organizations, but with cybersecurity, businesses can be certain that things will always change and the bad guys will always be looking for holes.