Cybersecurity Errors Can Be Inadvertent and Still Generate Serious Fines
The human element remains a significant component of risk when assessing cybersecurity standards and policies for your business. You can invest in the hardware and software to protect your networks, data and systems; however, it is equally critical to invest in training and in reviewing procedures.
A number of areas require consideration to ascertain your risk. The core areas are:
Use of personal mobile phones and tablets for business purposes
Use of personal email addresses (non-company domains, e.g. Gmail, Yahoo, et al.)
Use of non-company cloud services, such as Dropbox, if they are not business sanctioned
This is where most inadvertent violations can occur in the name of convenience or efficiency. However, regulators and the rules do not leave space for this gray area. As we can see in a recent finding and fine by the Securities and Exchange Commission, a firm was using a virtual fax service where the email address for fax delivery was not a company domain email account. This resulted in six-figure fines against this firm.
The firm in question may not have intentionally sought to use a non-company email address with the fax service; however, incoming faxes containing client confidential information were stored outside of the firm's certified data storage. Thus the faxes were not only left unarchived but also stood in violation of cybersecurity policies and procedures.
Bring Your Own Device (BYOD)
There is nothing inherently wrong with choosing a BYOD policy for your business. Yet it cannot be selected with an informal approach. Allowing employees to use personal devices requires you to think through your overall policies and procedures, but especially those relating to cybersecurity.
How will you secure business data allowed to be accessed and possibly stored on the personal device?
Can you archive and supervise the business activity on that personal device?
Can you ensure, to the extent possible, that employees will only use authorized apps and methods to communicate and store business data?
Email and Cloud Storage
Defending against inadvertent or purposeful use of non-company email and storage services can be a bit more challenging. Your published electronic communications policies, provided to each employee, can define what services to utilize as well as what platforms and techniques are off limits.
However, a core step you can take is to use the reporting available in your archiving platform. If you expect to see fax traffic and communications from some or all personnel via company email, your archiving platform will present audit reports on the volume of these communications in aggregate as well as by employee.
You can work with your archiving vendor to set up reports that look for the faxes and related files/data you expect to see in the archives.
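One way to run the check described above, shown as an added example that is not from the original article or any archiving vendor: it counts archived faxes per employee per week and lists the employees and weeks where expected fax traffic is missing. The CSV columns, the fax sender domain fax.example.net, the company domain example.com and the employee list are assumptions, and the sample export is constructed.

```python
import csv
import io
from collections import Counter
from datetime import date

COMPANY_DOMAIN = "example.com"         # assumption: the firm's email domain
FAX_SENDER_DOMAIN = "fax.example.net"  # assumption: virtual fax service sender domain

# Constructed sample of an archive export (column names are hypothetical).
ARCHIVE_EXPORT = """date,sender,recipient,subject
2024-03-04,inbound@fax.example.net,alice@example.com,Fax from 555-0100
2024-03-05,inbound@fax.example.net,alice@example.com,Fax from 555-0101
2024-03-06,client@example.org,bob@example.com,Account question
2024-03-12,inbound@fax.example.net,alice@example.com,Fax from 555-0102
2024-03-13,inbound@fax.example.net,carol@example.com,Fax from 555-0103
"""

# Assumption: staff the firm expects to receive faxes through company email.
EXPECTED_FAX_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def fax_archive_gaps(export_text, expected_users, weeks):
    """Return (faxes archived per employee, {employee: ISO weeks with none})."""
    per_week = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        sender_domain = row["sender"].rsplit("@", 1)[-1].lower()
        recipient = row["recipient"].strip().lower()
        if sender_domain != FAX_SENDER_DOMAIN:
            continue  # ordinary email, not fax traffic
        if not recipient.endswith("@" + COMPANY_DOMAIN):
            continue  # only delivery to a company mailbox counts as archived
        week = date.fromisoformat(row["date"]).isocalendar()[1]  # same-year data
        per_week[(recipient, week)] += 1
    totals = Counter()
    for (user, _week), n in per_week.items():
        totals[user] += n
    gaps = {}
    for user in sorted(expected_users):
        missing = [w for w in weeks if per_week[(user, w)] == 0]
        if missing:
            gaps[user] = missing  # expected fax traffic absent from the archive
    return dict(totals), gaps


if __name__ == "__main__":
    totals, gaps = fax_archive_gaps(ARCHIVE_EXPORT, EXPECTED_FAX_USERS, weeks=[10, 11])
    print("archived faxes per employee:", totals)
    for user, missing in gaps.items():
        print(f"review {user}: no archived faxes in ISO week(s) {missing}")
```

A gap is a prompt to ask where that employee's faxes are being delivered, not proof of a violation.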
When in doubt, take the time to assess how you handle mobile devices, email and cloud storage services to ensure your company has a grasp on where you will need to defend yourselves with technology as well as policy.