Identity Theft, the Internet, and your Employees could send you to Jail: Mitigating Internet Security Risks
Note: This article will be published in the June 25th edition of The Business Ledger (http://www.thebusinessledger.com/).
New laws, new fines and jail time for owners and executives
An area of risk that most organizations, large and small, neglect to address, despite the well-publicized increase in cases of identity theft, is the protection of their Internet connections. If you store sensitive information[1] about your employees or clients on your computers, state and federal governments require you to take a proactive approach to your Internet security NOW. This is of particular importance for organizations that are subject to federal regulations such as HIPAA (which dictates how patient health information must be protected), the Gramm-Leach-Bliley Act (which dictates how personal financial information must be protected), and PCI (the Payment Card Industry regulation, which dictates how credit card information must be protected). These laws carry substantial financial and, in some cases, criminal penalties for violations. For example, HIPAA financial penalties are as high as $50,000 per exposed patient record. If an organization is proven to have purposely exposed patient information for financial fraud, or to have been negligent in protecting the patient information, the fines can be as high as $250,000 per exposed patient record and carry up to 10 years in jail for the owners and executives of the business. On top of the potential financial and criminal penalties are the legal fees to defend an organization.[2] Just recently the Senate passed the “Identity Theft Prevention Act”, bill S. 1178,[3] which would require all businesses to “develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards.” If this bill makes it through the House, all businesses would be required to take affirmative action or else be open to fines.
Employees can jeopardize your business and cost you money
WEB SURFING
Even if you do not store sensitive information about your employees or customers, you are still at risk financially. Do you know the sites your employees are visiting on the Internet? Sexually explicit sites are the source of thousands of sexual harassment and “hostile work environment” claims annually that cost employers fines, settlements and legal fees. Hidden costs include lost worker productivity from non-business-related web surfing during business hours. These hidden costs can add up quickly. Justified Technology recently worked with a client with 20 employees to calculate that they were losing, conservatively, 20 hours per day (1 hour per employee) of productivity. At an average of $15 / hour including benefits, this cost the business $300 per day or $78,000 per year!
More hidden costs
VIRUSES, WORMS, AND TROJANS
Another hidden cost is fixing computers infected by viruses, worms and Trojans introduced through e-mail, web browsing and inadequately protected Internet connections. If one computer per month needs to have its operating system and applications re-installed, this can cost the business $500 or more per month. In addition, an organization can be held financially responsible for failing to fix one or more of its computers infected with viruses, worms and Trojans if they are found to be the launching point of attacks on another company’s computer systems. How would your customer feel if they found out that the virus in their computer system came from your company?
Are you protected?
FIREWALLS
Most businesses know that they need a firewall. However, they do not know if it is set up and working correctly. Ask yourself, “When was the last time I looked at the firewall logs?” We have never met a businessperson who has looked at a firewall log. Even if they did, they wouldn’t know what they were looking at. Most technology professionals do not know how to interpret firewall logs. This is an important part of mounting an affirmative defense if a data breach occurs. A company needs to hire a person or company well versed in firewalls and in responding to the threats identified in those logs.
Is your business too small to be a target of hackers?
With few exceptions (e.g. large banks and online stores), hackers rarely know the target of their attacks until they successfully gain access to a company’s computer systems. The programs that they use to identify targets are indiscriminate. They systematically look at the addresses on the Internet (which are much like the street addresses of homes and offices) and check for vulnerabilities. Most organizations do not even know when they have been successfully attacked. Take, for example, TJX Companies, owners of TJ Maxx, Marshalls, and other stores. Someone had access to their files for 18 months and the company didn’t find out until just recently. To date, they have spent $25 million on resolving this breach. In addition to this, three banking associations have filed lawsuits to recoup the costs of replacing clients’ credit cards and paying for fraudulent charges.
What you can do to protect your company from data breaches
Two actions to take immediately are as follows. First, create a policy on web surfing, e-mail, and how to handle private personal, company, and customer data. You can have your attorneys draw the policy up or you can contact us to assist you with templates.
Second, use a proven Internet security solution. These solutions used to be expensive and only within the financial reach of large organizations, but there are now hardware/software solutions that a business of any size can afford. When choosing a system, make sure it has the ability to do the following:
· Blocks unauthorized access to your network from the Internet
· Blocks viruses, worms and Trojans before they enter your network
· Blocks access to potentially offensive web sites[4] from the computers on your network
· Performs monthly security scans to identify potential vulnerabilities in your Internet security
· Provides weekly or monthly printed reports that describe all of the blocked access attempts, viruses and web sites. This report is your printed record that demonstrates your due diligence in protecting sensitive information from unauthorized Internet access
· Automatically updates its internal software as new threats are detected on the Internet
Not all firewalls are created equal
Do not be fooled by the inexpensive firewalls available in retail stores from such manufacturers as Linksys, Netgear and D-Link. They do not provide the same level of protection as a commercial product. Furthermore, it is not just the hardware, but the expertise to set it up and maintain it, that matters most. By hiring a technology firm that specializes in security, you ensure that everything is configured and maintained correctly.
Security that pays for itself
The money you save by recouping the productivity lost to unauthorized Internet access by your employees will, in most instances, pay for the monthly cost of a complete turnkey security solution in one day, each and every month. It is rare that you can find such a good return on your investment dollars. For more information on the products/services in this article and a free initial technology consultation, please contact the partners of Justified Technology. They have, combined, over 80 years of experience helping organizations of all sizes leverage technology to improve productivity, reduce risk and drive revenues and profitability. Check out our website for more information: www.justifiedtechnology.com. Robert Slayton of Robert Slayton Associates is a Certified Identity Theft Risk Management Specialist. He helps implement employee policies and procedures to minimize a company’s exposure to identity theft. Contact Robert for a free initial consultation on your policies and procedures today. You could be eligible for free consultations, policy templates, and employee training! Find out whether you qualify. His website is www.robertslayton.com.
[1] Names and addresses with social security numbers, credit card information, patient health information
[2] Businesses should consult their liability insurance provider to make sure they have a technology rider on their corporate liability policy to cover losses associated with unauthorized access to their computer systems (including legal fees). This rider is NOT provided in standard coverage.
[3] Go to http://thomas.loc.gov/cgi-bin/query/z?c110:S.1178: for full text of this act.
[4] There are 31 categories in all that can be blocked, including Adult/Sexually Explicit, Hate Speech, Gambling, Criminal Skills, Violence, Drugs & Alcohol, Shopping, and Sports.