Cyber Security: Best Practices

As more and more of our communication and businesses are run in the cloud using electronic means and software, the need to maintain the confidentiality of electronic  information, such as passwords and personally identifying information, becomes crucial for businesses and employers.  We have all read about the number of data breaches that occur both for consumers, employees, and individuals, and have seen the impact on large organizations who are held hostage when their data is seized and a ransom demand is made.  Given the importance of this issue and the major impact that it can have on an organization or an individual, it is important to ensure that best practices for cyber security are implemented by all businesses. 

            Addressing the issue of data security occurs at many levels from the most basic to the most complicated.  Initially, when looking at your cyber security data and determining how to protect those resources, you need to take an inventory of the data and information that you have stored on your computers and your systems.  This inventory should include an identification of the data that is collected from customers, employees, and others; a determination of where that data is stored; and, finally, an accounting should be made of who has access to that information and how the information is accessed.  As part of this evaluation, it is important to ensure that you are only seeking protected information that is necessary for your business and that you do not request more information than is needed to conduct business.  It is also equally important to determine who has access to that information and why.  When dealing with cyber security and personally identifying information, less is more.  Only ask for the information that you really need, only store that essential data in a secure area, and only grant access to that data to those who truly have a business reason to see it. 

            Once you have taken the initial step of inventorying the information that you have and identifying the access points for that information, it is important to learn about the safety measures that you have taken to protect that information.  Simply storing information on your computer system in folders or restricted areas is probably insufficient in terms of protecting personal data.  It is important to determine whether sensitive personal information is properly encrypted, that access to that data is logged and reviewed to ensure that thee are no unauthorized attempts to review that data, and that employees are using strong passwords and are not accessing the data in such a way that it becomes vulnerable to hackers. 

            Finally, it is imperative that businesses and organizations have a plan when faced with information that a data breach has occurred.  This plan should include a definition of what constitutes a data breach; what happens when a breach occurs; and an understanding of the legal obligations when faced with such a breach.  Under state and federal laws related to cyber security, employers and entities are required to notify individuals when their personal data has been breached on the organization’s systems.  The level of notification and the response depends on the severity of the breach and the type of information that was obtained as a result of the breach. 

            Developing a plan and/or understanding of your responsibilities to protect against data breaches and how to respond to data breaches cannot and should not be done in a vacuum.  When dealing with issues, such as a cyber security, that can lead to liability and compliance problems, it is important to engage a team of trusted experts to assist you in ensuring you are following best practices for both your own protection and the protection of your customers and employees.  The team of experts should include legal counsel who can assist you in understanding your obligations under the law and help you develop policies and procedures regarding data security.  You should consult with cyber security experts who can share with you how to encrypt and otherwise protect the data that you store on your systems.  These consultants can also help you determine if your system is robust enough to protect the data that you maintain on your customers and employees.  As with other areas of business where there is a risk of liability, you should contact your insurance agent to ensure that you have coverage under your existing insurance policies for cyber security breaches and, if not, should help you obtain such insurance.  Finally, because these breaches often become matters of public interest, you should have a crisis manager that you can consult with to assist you in making any necessary data breach notifications. 

            The first step in addressing cyber security concerns is to develop comprehensive policies and procedures related to the definition and storage of personally identifying information and the access to that information.  MyHRcounsel can assist you in this process.  The second step in implementing best practices related to data security is to provide regular and rigorous training for your employees to ensure that they do not inadvertently or intentionally engage in conduct that can lead to cyber security breaches.  This training should include a discussion of the use of personal electronic devices to access company systems and information and how to avoid falling prey to phishing and other scams.  Finally, best practices require an established game plan on how to respond to a breach should one occur.  This plan will include how to identify and investigate the extent of the breach, the source of the breach, and the legal obligation on how to notify those affected by the breach. 

            Technology is a blessing and a curse.  Those who seek to be blessed by technology, in terms of the streamlined data storage systems that allow for immediate access to employee and customer information from anywhere, must also accept the responsibility for ensuring that the technology is not vulnerable to hacking and unauthorized access and that personally identifiable information is not compromised. 

For more information on HR and cyber security, we hosted a 3-part webinar series with Black Bottle IT, and you can watch the recordings.