The list of potential human-error risk factors is longer than expected:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees so that organizations are able to mitigate data breaches caused by human error.
- Education from the Top Down: This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the cybersecurity risks inherent to your organization is essential to preventing them.
The development of policies and procedures on cybersecurity is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is essential in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.
- Hire Well: Strong security starts with great personnel, which is why the hiring process is important. While experienced individuals can be beneficial, professionals who have a deep understanding of the current risk landscape are invaluable when an organization is trying to implement security controls. When recruiting, management should be certain that employees understand the concepts behind both breach prevention and breach management in the event that a breach does occur. In addition, management should maintain open lines of communication with the security and compliance team to ensure that all potential threats are being monitored carefully.
- Develop an Exit Strategy: Having an exit strategy for employees who are leaving your organization is just as important as educating employees in cybersecurity. This includes changing passwords, ensuring that computers and personal devices no longer hold sensitive information, and developing contracts that include legal repercussions for sharing or using sensitive data.
- The Less Data, the Better: Since cyber criminals can only steal information that an employee or organization has access to, one of the major ways to minimize risk is to limit data availability:
- Reduce the number of employees who have access to at-risk information.
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Only grant data access on an as-needed basis, and revoke access as soon as information is no longer necessary.
- Purge data early and often! (More on this next.)
You minimize potential risk when you minimize the amount of access that individuals have to data.
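The "less data" rules above, together with the exit-strategy point about cutting off leavers, can be turned into a periodic access review. The following is an added example, not part of the original article: the grant records, the resource names and the 90-day idle window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): one row per access grant.
@dataclass
class Grant:
    user: str
    resource: str
    employed: bool        # False once the employee has left the organization
    sensitive: bool       # at-risk information the article says to limit
    last_used: date       # last time the grant was actually exercised
    business_need: str    # justification recorded when access was granted

MAX_IDLE_DAYS = 90        # assumed policy value: revoke if unused this long
TODAY = date(2016, 6, 1)  # assumed review date

SAMPLE = [
    Grant("alice", "settlement-db", True, True, date(2016, 5, 20), "closing officer"),
    Grant("bob", "settlement-db", False, True, date(2016, 4, 1), "closing officer"),
    Grant("carol", "settlement-db", True, True, date(2016, 5, 30), ""),
    Grant("dave", "marketing-share", True, False, date(2016, 1, 10), "campaign"),
]

def review_grants(grants, today, max_idle_days=MAX_IDLE_DAYS):
    """Return {(user, resource): reason} for every grant that should be revoked.

    Rules, in priority order: leavers keep nothing (exit strategy); sensitive
    access must have a recorded business need (as-needed basis); any grant left
    idle longer than the policy window is revoked (no longer necessary).
    """
    to_revoke = {}
    for g in grants:
        key = (g.user, g.resource)
        if not g.employed:
            to_revoke[key] = "employee has left; offboarding revoke"
        elif g.sensitive and not g.business_need:
            to_revoke[key] = "no recorded business need for sensitive data"
        elif (today - g.last_used).days > max_idle_days:
            to_revoke[key] = f"unused for more than {max_idle_days} days"
    return to_revoke

def sensitive_headcount(grants, to_revoke):
    """Distinct users still holding sensitive access after the review."""
    return len({g.user for g in grants
                if g.sensitive and (g.user, g.resource) not in to_revoke})

if __name__ == "__main__":
    decisions = review_grants(SAMPLE, TODAY)
    for (user, resource), reason in decisions.items():
        print(f"revoke {user} on {resource}: {reason}")
    print("sensitive access holders before:", sensitive_headcount(SAMPLE, {}),
          "after:", sensitive_headcount(SAMPLE, decisions))
```

Running the review on the sample cuts the holders of sensitive access from three to one; the "last_used" field is what makes the idle-access rule enforceable, so grants without usage telemetry should be treated as unused.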
- Purge Your Data Properly: It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think that they are getting rid of all of their data when they remove files located on their desktop, without realizing that other copies of the files are present elsewhere on the computer. By teaching employees proper data disposal techniques, you minimize the risk of that data getting into the wrong hands.
- Monitor Your BYOD Programs: BYOD, or Bring Your Own Device, is a program where employees bring their own technology (think: computers, tablets, cell phones, etc.) to work. Many organizations have moved to this type of program so that employees are able to use technology that they have a better understanding of. This reduces training time and increases productivity.
However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that require employees to fully understand the risks inherent in using their own devices, organizations are able to prevent potential cyber-attacks. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Device partitioning
The creation of appropriate BYOD management and policies allows the program to work successfully, instead of becoming a pain point for the organization.
- Secure Your Networks: Employees are constantly on mobile devices these days, and often have their devices set to "Automatically Connect" to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few fake Wi-Fi "Hot Spots" set up to capture sensitive information from the devices that connect to them. Ensure the security of your network by investing in a personal or corporate VPN, so that all of the data being transmitted is appropriately encrypted at the source.
- Update Software with All Patches and Updates: Software companies are constantly updating their products to ensure that they are secure for use. Outside parties are constantly finding new vulnerabilities in that software, and patches and updates allow organizations to ensure that these vulnerabilities do not affect their business functions.
- Develop "Appropriate Usage" Guidelines for Company Technology: Educate employees on the appropriate usage of organizational technology. This includes when, where and how to log in to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.
- Hold Outside Vendors to the Same Standards: By only working with organizations that hold the correct security and regulatory designations, you are able to reduce cyber-risk by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations, or that operate outside of governing bodies with strict regulation, it is not cheaper than the customers lost due to a data breach. At the end of the day, if your vendor makes a mistake, it is your clients on the line, not just theirs.
- Prepare for the Worst: Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen. While all of your preparations can help you to prevent cybersecurity breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.
- Test Out Your Disaster Management Plan: Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach, and troubleshoot problems with your protocol before it is a reality.
- Audit Your Organization Regularly: By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocol prior to an issue.
- Notify Early and Appropriately: If your team even vaguely believes that there was a potential breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner your team is able to respond to an incident, the greater your chance of managing the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.
Report Cyber Crimes
The frequency of phishing schemes is growing at an alarming rate. ALTA encourages members who receive these types of emails to report the incident to the FBI’s Internet Crime Complaint Center, which is used to track trends in criminal activity, at www.ic3.gov.
Additionally, the FTC encourages companies to forward phishing emails to firstname.lastname@example.org — and to the company, bank, or organization impersonated in the email. Reports are most effective when they include the full email header, but most email programs hide this information. To find out how to include it, type the name of your email service with “full email header” into your favorite search engine.
You also can report phishing email to email@example.com. The Anti-Phishing Working Group — which includes ISPs, security vendors, financial institutions and law enforcement agencies — uses these reports to fight phishing.
To file a report with FTC, go to www.ftc.gov/complaint.
Blaise Wabo is a managing consultant at A-LIGN, which focuses on performing SSAE 16, SOC 2 and ALTA Best Practices certifications in the title insurance and settlement industry. He can be reached at firstname.lastname@example.org or 888-702-5446 x129.
Copyright © 2004-2016 American Land Title Association. All rights reserved.
This article has been used and reprinted with the permission of The American Land Title Association. The material is for general information purposes only and is not to be relied upon or used for any particular purpose. Title Industry Assurance Company, RRG and The American Land Title Association shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.