Questions & Answers:
What are some common ways companies find out about breaches they have?
There are many ways to discover data or privacy breaches. Some of the most common are also the most obvious, such as noticing money missing from a bank account, or you or your clients being unable to access your data. In most cases, a company or individual may not realize there has been a breach until much later.
Are breaches more common on the employee level, or at higher, broader levels?
Breaches are much more common on the employee level, due to lack of training or information. However, these tend to be smaller in nature than breaches that occur at higher levels because employees at higher levels will have greater access to information.
What information is worth the most to hackers?
No information is inherently worth more monetarily to hackers. Often, the value in hacking is in holding the information for ransom, blackmailing a company or individual, or exposing a lack of security in an organization’s network.
How long does it generally take to recover from a severe data breach?
The answer to this depends on how well prepared an individual or organization is in advance. Companies that are well prepared through their policies, training, IT departments and breach simulations can recover in as little as 30 minutes. An entity that is not well prepared could take days or weeks to recover, or may never recover.
If the company is at fault or knows and attempts to conceal the breach, what kind of penalties will they face?
A company that engages in such an action will face a range of state and federal penalties based on the severity of the breach and the amount of information that was compromised. However, a company is much less likely to recover from the negative PR generated by such an incident than from the penalties levied by the government.
How difficult is it to identify 100% of the data that was compromised?
While this will depend on how much data you manage, it is generally going to be exceptionally difficult to identify all the data that has been compromised. A company can make it simpler by compartmentalizing its data by category and utilizing a variety of storage methods. That being said, hackers often access data without stealing it, making the tracking of a breach much more difficult.
How can a company test its response plan in advance?
Utilizing breach simulators, internal IT members “in the know” can perform unannounced breach “fire drills.” This will help them gauge the reactions of employees in the event of a real breach.
Should IT be more focused on identifying threats or addressing vulnerabilities?
Neither. IT should be focused equally on these two areas, while emphasizing the necessary training to handle a breach above all.
What are some resources for following the latest news and trends in cyber security?
Three of the best sources are Gartner: https://www.gartner.com/en, The Ponemon Institute: https://www.ponemon.org/, and Advisen (focuses on the legal aspect): https://www.advisenltd.com/.
What is a good way to store passwords? Is a password protected file secure enough?
There are third-party software providers (such as LastPass) that can help companies keep their passwords secure. However, even such companies are susceptible to breaches, which can compromise their partners’ data. Surprisingly, handwritten notes tend to be the safest method of password storage.
What legal penalties does an employee who is intentionally responsible for a breach face?
Individuals responsible for an intentional breach generally do not face much in the way of legal action unless they sell or otherwise redistribute the data maliciously. For simply accessing and/or destroying data, employee termination is generally the only penalty. It should be noted that this will depend on the employer; however, most companies simply terminate the individual and move on.
Do you have any tips for using Outlook filters and rules to filter out potentially harmful emails?
Outlook rules can be useful but unfortunately are unreliable and may not always catch malicious emails. There are other things you can do to secure your email; however, due to the extensive nature of this information, we ask that you please email Muhannad Malki at Muhannad.Malki@ioausa.com for further details.
Besides PHI breaches, are mandatory notifications likely to be required of any other industries or businesses in the future?
The breach notification guidelines outlined in the presentation are not specific to one industry. The same laws and rules apply no matter what you do or sell. PHI is mentioned specifically because the guidelines for health-related organizations tend to be more comprehensive, due to the nature of the data they house and their exposure to HIPAA rules.
I want to be sure I heard you correctly: Novatime recommends only entering basic information in Novatime, Employee ID and Name, and no other information such as a social security number or wages?
That is correct. The best practice for most situations is to minimize the data stored. Employee ID and Name are the only necessary items. While not needed, wage information isn’t really that useful to hackers; however, you should avoid things like social security numbers unless absolutely necessary. That being said, it will be difficult to tie an SSN to an employee ID, as the ID is assigned by the company. For more information on a case-by-case basis, feel free to contact Kyle Glave at Kyle.Glave@NOVAtime.com with questions.