The business environment is continually evolving with increased reliance on electronic communication and data storage. Confirmed by daily occurrences in the media, this evolution brings a higher penetration of cyber intrusions and data theft, putting employers’ reputation and ability to conduct business at risk.
This month we start an in-depth look at business technology and its inherent risk exposure, and what can go wrong to cause a Cyber Security Breach.
Next month we will continue with this topic offering steps that can be taken to mitigate your exposures.
What exposes your business?
Employers retain confidential employee information such as:
- Date of Birth
- Social Security Number
- Driver’s License/State Issued Identification Card
- Credit Card or Bank Account Information
The use of email can result in transmission of malware and viruses, theft of personal data, invasion of privacy, slander, libel, misuse of linking and framing, and copyright and trademark infringement.
Phones, tablets, laptops, and flash drives can easily be lost or stolen, allowing access to email, databases, documents, and other files containing sensitive data.
Your website’s purpose determines its content and transactions. As an advertising tool it provides information on your operations similar to a company brochure. Displaying, transmitting, or disseminating content and linking, framing, or advertising another’s business opens you to some of the same liability exposures of a publisher.
If your website further allows for the sale of products or services, your exposure increases with the acceptance of client or consumer financial account information.
Blogs provide an avenue for communication allowing writers and commenters to express opinions relating to the topic or forum. Postings are usually made instantly accessible to all visitors of the site and are archived. The site owner is subject to liability for postings that are slanderous, false, misleading, or that constitute an infringment of trademark and copyright laws.
Client transactions often provide you with access to their:
- trade secrets
- financial information
- credit card or bank account details
- client employee data
Most businesses are dependent on networked computers which can hold:
- financial data
- customer and employee information
- trade secrets
- proprietary software
How is your business exposed?
Depending on your business, you have employees that have access to private information of your other employees and your clients. Your computer security should limit access to these records to only those that need to work with these records. Even the best employees can make honest mistakes such asrelease of private information to wrong parties, leaving personal information visible to non-authorized individuals, loss of files containing personal data, etc.
Hackers and Malware
Hackers do not just go after large organizations. According to the Verizon Data Breach Investigations Report, small organizations represented the largest number of data breaches in 2011. Hackers often use programs that seek unprotected sites rather than pursuing a specific target. Constant connectivity makes it easier to transact business with customers and vendors 24/7, but it also makes it easier for your system to be hacked and infected with cyber bugs.
Malware, including viruses and spyware (Trojan horses, worms, system attacks, adware) are all tools of the most basic computer hacker. Malware, whether website or email, cannot always be seen as they are packages of software that hide alongside other programs that seem valid. Usually by the time the user realizes that a malware is attached it has already started to cause damage. Some email viruses are transferred by simply opening the email into the preview frame.
Hackers intentions can be to destroy your computer system or, most commonly, to extract the personal data of your employees, vendors and customers. Some have even resorted to extortion, threatening to disperse the private data if their demands are not met.
Copyright and Trademark Laws
Content–including generic photos obtained from the internet–that is posted on your website, blog, or social media sites is subject to copyright and trademark laws. You need to constantly monitor the content posted to those sites as you could be sued if copyrighted material appears without permission of its owner.
Social networking sites: Facebook, Twitter, etc. continue to offer new marketing opportunities but also bring new risk:
- Ownership of Sites
- The administrator has the ability to monitor and remove inappropriate content. Although you have to be open to the constructive feedback of customers to maintain site validity. However, you can control what your employees post on your social media sites by having written guidelines and removing any postings that contain incorrect company information, confidential material, or trade secrets which can have serious consequences for your business.
- Your Company’s Reputation
- Negative content, such as bad customer reviews or unfavorable comments, including those from disgruntled employees, may appear on your site and can travel globally in a matter of hours.
- If you do not plan to market through social media, monitoring sites is still needed as it is fairly easy for anyone to use your company’s trademark to set up a social media site without your permission.
- Social media sites are not exempt from cyber attacks potentially exposing your database if hosting your own social media site.
- Legal Compliance
- Social Media ads must be truthful and not misleading. (False Advertising)
- If an employee blogs about your product or service, he or she must disclose his/her connection to your company. Employers are also liable for false or misleading advertising stemming from an employee’s online posting, even if not authorized by employer. (Undisclosed Endorsee Connections)
- Do not infringe on the trademark of another business including that which could cause consumer confusion. (Infringement)
- Know the difference between “fair use” and copyrighted material. Many times, user-generated content cannot be used without permission. (Copyright)
A former employee of a marketing firm accessed the company’s computer system and used client’s credit card information to make fraudulent purchases totalling $7,000.
A former employee of a fast food franchise used a skimming device to capture customer information. Customers who used their credit cards at the drive-through during the late-night shift had their information copied, sold, and used to create forged credit cards and make $14,000 in fraudulent purchases.
A community college determined that two campus computers were infected by malware when a faculty or staff member opened an email that contained a virus. Faculty, staff, and students affiliated with the school may have had their names, Social Security numbers, dates of birth, and addresses exposed. The cost of handling the breach could be as much as $500,000.
An unencrypted laptop belonging to a property management company was stolen resulting in exposure of 621 residents’ personal information including names, full Social Security numbers of some people, and the last four digits of most. The company agreed to pay $15,000 in civil penalties and ensure that personal information is not unnecessarily stored on portable devices, and that those portable devices are properly encrypted and stored in a secure location. Employees must also be effectively trained on policies and procedures with respect to maintaining the security of personal information.
A company comprised of five restaurants was ordered to pay $110,000 in civil penalties for failing to protect the payment card data of tens of thousands of consumers. In addition to having poor data protection practices like allowing employees to share computer passwords and failing to secure network wireless connections, the company was determined to have not responded appropriately when customer data was compromised. A lawsuit alleges that hackers installed and used malicious software to obtain customer debit and credit card information, and that the company continued to allow the use of credit and debit cards despite being aware that their computer system had been compromised. The company also agreed to comply with state data security regulations, comply with the Payment Card Industry Data Security Standards, develop a secure password management system and implement information security measures.
How we can help you…
Partnering with insurance carriers, we can assist in identifying areas of your operation which present cyber risks. We can also offer means of mitigating or transferring your risk–a topic which we will explore in depth in our next monthly email. [email protected]