As explained in last week’s Security Tip, we advise businesses to assess how their staff, volunteers, and contractors are using portable wireless devices for business tasks. To get you started last week, we provided this template for your Step 1 Inventory. If this process seems burdensome, just keep in mind there could be a lot riding on it, as you’re about to see.
This week we’re on Step 2 of 3, Assessment. Now you’ll take a hard look at the devices – and their uses – that you listed in your Inventory. In this simplified version of risk analysis, you answer the following questions: What are the risks? What are the consequences? How much risk can we tolerate?
It’s best to bring in multiple viewpoints, so if you have two or three people who can team up on this, or if you can bring in an IT person, your results will be much better.
Question A: What risks do these devices bring to your business?
How are people using wireless devices?
If nobody in your organization uses a wireless device outside of your facility to do any work for you, then your risk is lower than most. But keep in mind, there’s also a risk if they connect their personal laptop, tablet, or smartphone to your network for their own uses. Your network should be designed to protect your business against malware from the personal devices of your visitors, employees, or volunteers.
What kinds of information are people handling?
Think about the people in your Inventory who use smartphones, tablets, or laptops for work outside of your facility. They are handling your business data; is any of it sensitive, privileged, or particularly valuable to thieves? Keep in mind, passwords are always valuable. The columns for Job Title, Work Tasks, and Applications Used will help you think about the types of information used by each person.
People who deal with sensitive information should be given rules about which applications they may use, how they may store passwords, and how they may connect to the Internet. Open public wifi connections expose your data to a high level of risk. Mobile phone data plans are low risk. Home wifi connections vary in risk level.
What regulations apply to this data and your business?
If you accept credit card or debit card payments, you must comply with PCI DSS. If your state has a privacy practices or data breach notification law, it most likely applies to your business. In certain industries there are other regulations, such as HIPAA or FERPA. To properly assess your risk, you’ll need to know the repercussions of not complying with state or Federal regulations that apply to your type of business. So, if you haven’t already, do some research on this; or contact us for a free initial consultation.
Question B: What are the potential consequences?
A data breach leads not only to loss of data and the expense of notifying affected individuals; in some cases it may also seriously harm those whom you serve. This will tarnish your good reputation, and a breach may also trigger investigation by regulatory authorities.
Consequences of regulatory non-compliance vary. For example, in the case of PCI DSS, you could lose access to card processing services. In the case of HIPAA, there can be huge fines or even criminal charges.
Malware on your network can lead to ransom payment, permanent loss of data, remediation expense, interruption of your business continuity, or even failure of the business due to these burdens.
Question C: How much risk can you tolerate?
There is no such thing as zero risk. In this age of phishing attacks, wireless devices, and software-as-a-service, the goal is to reduce risk to an acceptable level. Several factors go into the equation, and there are trade-offs. For example, the safety gained by restricting use of wireless devices must be weighed against the convenience of using them. And maintaining better security may require expenditures, which you will weigh against the potential expenses of a breach or malware crisis.
Your Assessment task here in Step 2 is to identify how much damage would be too much for your business and stakeholders. If a breach of a certain type of data would be catastrophic, then you and your stakeholders must take aggressive action to reduce the risk.
Next week: Action Plan
After you answer these questions, you’ll have the foundation needed to advance to Step 3. Next week we will help you wrap it all up with an Action Plan, which specifies guidelines, policies and habits to help your stakeholders protect your business.
Find links to your state’s laws on data breach, privacy protection, cyber-security, and related topics at the website of the National Conference of State Legislatures.