I am worried you are not worried enough. The more I talk with Customers, the more I realize how unaware they are of the threats all around them. And it is not for lack of trying to explain. There are so many news stories, articles, videos out there explaining the threats. At pavliks.com we send out emails, hold online free webinars, tell our Customers in person when we meet. But that does not seem to be enough.
Why are people not listening? Understanding where your business is vulnerable is not someone else’s responsibility. It is not just your IT department's responsibility. It is not just your office administrator's responsibility. It is everyone’s responsibility. It is your responsibility.
Take a moment and think about the following 3 questions.
1. What data do you have that might be valuable to someone else?
None is not an acceptable answer. Every business has data someone else wants. Think about this: if I were given 30 minutes to poke around your network, would I find any of the following?
- Credit card numbers, yours or your clients'. Did they email a card number for a one-time payment? Do you keep them on file for monthly recurring payments? Do you keep a copy of them for identity verification?
- Social Insurance Numbers. You have them for your staff. What about other people?
- Photo ID of your staff or customers. Do you use it for identity verification or legal reasons?
- Confidential Customer information they would not want others to see. Private sales history? Proprietary information about them that would be valuable to competitors?
- Banking information: bank account numbers, financial summaries, salaries or bonuses.
- Lists of your Customers or Vendors.
I bet within minutes I could find some of the above info. That is valuable and sensitive information. Quite often when I ask a Client if they have valuable data on their network, they answer “No, and no one would want our data”. But when pressed to think about what information they actually store, they realize that not only is the data important to running their business, it is also private and sensitive personal information.
2. Have you taken reasonable precautions to protect that data?
This is not just a technical question of whether your data is backed up or password protected. I am talking about your business processes and actions that might make that data vulnerable. Do you give summer students the same access to your systems as a full-time employee? Is there a computer in an open, unsecured location of your office? In the reception area that is often unmanned? A warehouse area that has unsecured access? Do you skip background checks on new staff before you give them access to your customer data? Do they have access to your data the first day they start work? Do you allow your staff to create simple passwords because “they whine and complain about how hard it is to remember a complicated password”? You may answer yes to some of these and have a good reason to. But what you need to do is assess what you are currently doing through the lens of current threats. Is it really acceptable that you consciously allow your customers' sensitive information to be more vulnerable than reasonable because your staff “whine” about remembering passwords? The fault is on you if you allow weak passwords and a staff member's account is hacked. The fault is not on the staff member.
3. What would you do if important data was either lost or stolen?
“We have a new firewall and we just got everyone to reset their password to something complex. This can't happen to me.” Well, what if… someone left a laptop containing customer data in a coffee shop? One of your admin staff clicked on a bad email and had their account compromised, allowing hackers to copy all your business data off-site? You misplaced a thumb drive (USB memory stick) and think it might have fallen out of your pocket?
If any of these happened it could be your legal responsibility to inform your customers their data was lost or stolen. You would then need to take steps to rectify the situation. Storing information about your Staff and Customers comes with the obligation to keep it safe. You should also consider the insurance angle. There are Cyber Threat policies you can get that help provide a level of protection should something bad happen to your systems or data.
I think what happens sometimes is that businesses think, “information security is an IT issue” when really it is a business issue, and IT can help manage part of the solution. Make sure you take the time to really think about the 3 questions… What data do you have that might be valuable to someone else? Have you taken reasonable precautions to protect that data? What would you do if important data was either lost or stolen?
If you are having difficulty answering them honestly, give me a call. I would love to have a coffee and talk through these issues and provide some guidance and direction. I am passionate about spreading the word that your data is critical, and any chance I get to help is welcome.