Did opening that email place your business in legal hot water?
By Beth Haddock
The email can arrive in your inbox cleverly disguised, appearing to come from your boss, a co-worker, or some other person, business, or organization you trust.
But click the link or open the attachment as instructed and you could be in for a headache. Entering your credentials on the attacker's page, or running the malware hidden in the attachment, can hand cybercriminals access to your company's data and potentially put the business out of compliance with the federal laws and regulations that govern how that data must be protected.
Phishing attacks are one of the most common security challenges individuals and businesses face. The phisher's goal is to steal sensitive and confidential information, either by tricking the recipient into typing it into a fake login or form, or by gaining a foothold on a machine that holds it. That information could include Social Security numbers, credit card and bank account numbers, medical or educational records, dates of birth, and mailing and email addresses.
That’s problematic, because federal regulations may require that your business keep certain information secure. Just as an example, health providers are expected to safeguard the medical records of patients under the Health Insurance Portability and Accountability Act.
Such compliance issues can create unwelcome complications for businesses, which is why they need to be proactive in addressing phishing. There are a few steps they can take to protect themselves.
Educate employees
Employees are the first line of defense against phishing, because they are the ones being targeted. Make them aware of the threat, and tell them to be suspicious of any email that pressures them to click a link or open an attachment with little explanation, or that asks for passwords or other sensitive data, even when it appears to come from a trusted source. The safest check is to confirm the request through a separate channel, such as a phone call or a fresh message to a known address, rather than by replying to the email itself.
Reassess who has access to data
Because a single employee mistake can be enough to cause a breach, training alone may not get the job done. A business or organization should take another look at who actually needs access to sensitive data and remove access that is not required for the person's job. The fewer accounts that can reach the data, the less a successful phish against any one of them can expose.
If a breach happens, take action
You can't just ignore a data breach. Right away, your IT team needs to be notified so they can contain it, for example by disabling or resetting the compromised account, isolating the affected machine, and preserving the logs that show what was accessed. At the same time, it's important to immediately contact your compliance officer or attorney so they can take the appropriate steps for reporting the breach to the proper regulatory agencies; many of these rules set deadlines for notification, so the clock may already be running.
These “phishing expeditions” from cybercriminals represent a serious challenge for businesses and for their compliance officers. It’s critical to be aware of the threat and to know that there are steps you can take to reduce your risk and avoid finding yourself out of compliance with regulations that govern your sensitive data.
Beth Haddock, CEO and founder of Warburton Advisers, is the author of “Triple Bottom-Line Compliance: How to Deliver Protection, Productivity and Impact.”