Your information isn’t as safe as you think it is. Kelly Cory outlines the most frequent types of information theft and the consequences for your business.
Common Security Attacks
Theft of data, services and resources: stealing computer files, accessing accounts, interception of emails or internet transactions, stealing laptops or computers.
- tip: Secure and encrypt critical data.
- tip: Have only a cleaning crew come while you are present.
Denial of service: attacking computer or website (locks up equipment or crashes your system).
- tip: Don’t let your domain expire. People scan domains for expiration dates. When they find ones owned by companies which are about to expire, they monitor and wait so they can obtain them and either hold them for ransom or use them to promote their services. [Your domain name is a company asset!]
- tip: Review a website analytic program to keep track of who is viewing your website.
- tip: Have your domain and hosting set up in the company owner’s name, not the IT person’s or an employee’s, so they can’t take it with them if their employment is terminated.
Malicious codes and viruses: finds and sends your files over the Internet, can find and delete critical data, lock up your computer or system, hide in program documents or create hidden files, can install on your system and record your keystrokes.
- tip: Use strong antivirus and malware programs on all computers and smartphones.
Insider threats: Non-business use of computers may expose system to threats, disgruntled employees, vendors or subcontractors, unauthorized use or misuse of resources, illegal transfer or storage of information, compromised data (loss or alteration).
Other threats: spoofing, snooping, social engineering, abuse of system privileges, ransomware, insider threats, phishing, spear phishing, spam, compromised websites
Repercussions of Attacks
Cost in time and money, stop/slow work and workflow, network crashes or lockouts, shuts down email communication and electronic commerce, embarrassment or diminished credibility, repair costs, legal expenses, misinformation, loss of business, out of business, loss of public confidence in business.
The cost of protection significantly outweighs the potential loss. Making the effort to protect your company’s information reduces your risk and provides protection against liability.
What happens if a virus or other malicious program compromises one of your computers and steals sensitive information? Losing control of employee health information, employee personally identifiable information, customer financial information, investigative subjects’ personal identifiers, or logins for restricted private investigator databases could easily result in identify theft for employees, customers or investigative subjects.
It’s not unusual for business owners or managers to be unaware of the financial risk to the business in such situations. It is important to understand that there are real costs associated with not providing adequate protection for sensitive business information.
Consequences
- Direct legal liability – trade secrets, lawsuits covering improper disclosure of data, breach of contract, etc.
- Non-legal liability – business interruption, data loss/corruption, damaged public image and reputation, increase in insurance premiums or cancellation, loss of employee productivity.
- Indirect legal liability – copyright infringement, illegal storage on your network system (child pornography or other illegal materials), aiding & abetting (where a network is used to attack another network).
- Regulatory Consequences-GLBA, HIPAA, SOX, FACTA
Expectations
Customers expect that businesses will safeguard their private information, and that it will not fall into the wrong hands. If a business accepts credit cards, it should be PCI DSS compliant. If a company handles medical records, it should be HIPAA complaint. And of course, private investigations firms’ records require special protection to maintain confidentiality. Investigators are expected to keep that sensitive personal information secure and confidential.
Due Care (planning) and Due Diligence (taking action)
In protecting their information, it’s a company’s responsibility to conduct due diligence. They must first implement “due care”—the care and forethought that a reasonable individual would exercise under the circumstances. This includes planning for information security and being thorough when protecting your business, as well as staying up to date on the topic of cyber-security.
Due care is the standard for determining legal duty. Should you be the victim of a security breach, you must be able to demonstrate that you took due care in information security in court to defend against negligence in a lawsuit.
“Due care means it is time to leave behind amateur efforts” –Justin Tsui of Team Logic IT
Due diligence is the effort made by a reasonable individual to avoid harm to another party. Failure to make that effort may be construed as negligence. It’s crucial to stay updated on all industry-recognized information-security best practices and make changes accordingly.
Information security is an ongoing journey, not a final destination.
See also: Part 1—Information Security for Private Investigators
About the author:
Kelly Cory is president of Keystone Investigative Services, Inc.
The author is independent of any specific company, program, or software that would benefit from the promotion of this information. This article is meant solely as an informational piece to help educate others on how to protect themselves and their companies. Any recommendations and tips should not be construed as legal or professional advice. Should you have any specific questions or concerns regarding your information security, contact a trained IT professional.
This article is a compilation of information gathered across various sources, from industry professionals and workshops and includes information from NIST and Team Logic IT as well Keystone Investigative Services, Inc.