If you think your tire dealership doesn’t have to worry about a data breach, you’re wrong.
If your business has one employee, you have data. You have that employee’s Social Security Number, name and address. If you offer direct deposit, you have your employee’s checking account information.
If you accept credit cards as payment, or manage a mailing list to reach out to customers, the data in your business is piling up.
And it’s all susceptible.
That’s why businesses need to assess their risks and create a preventative plan, says Jeremy Henley, director of breach services for ID Experts. Henley was the featured speaker of a recent data breach webinar hosted by The Tire Industry Association.
First, Henley offered a couple of important definitions. Every data breach starts out as an incident. An incident can be as simple as discovering that a computer is missing, a filing cabinet is open, or a door was left unlocked or open. Henley says it’s like a stranger walking in the door of your home uninvited. The person walked in, but didn’t necessarily take or damage anything.
A data breach, on the other hand, is when someone gains access to your computer system and destroys or uses the information they find to cause some kind of harm. They take the Social Security Number and steal someone's identity. They use banking information to hack into accounts.
Henley points to a Verizon Data Breach Investigations Report where 50 organizations reported 63,437 data incidents in 2013, which equates to 1,268 incidents per organization in that single year.
The volume of incidents is skyrocketing, and some industries suffer problems more often than others. More than 93,000 breaches in healthcare have been reported to the federal government since 2009. Because 97-99% of incidents don’t escalate to become breaches, Henley says that amounts to 1 million incidents in the health care industry alone.
Once organizations realize their systems are under attack, Henley says it’s important to have all the pieces in place. And he says there’s one thing every single business should do.
“If you do nothing else, do a privacy and security risk assessment,” Henley says.
That assessment includes four main points:
- Inventory your organization’s data so you can better understand your risk exposure.
- Review the privacy and security policies and procedures you have in place and look for gaps.
- Evaluate your security technology and controls.
- Review insurance policies and look for data breach coverage.
Henley also warns against one common misconception. The security suggestions offered in an accounting audit aren’t the same as performing a data privacy and risk assessment. It’s an additional series of steps, but he says it doesn’t have to cost a fortune, or require the hiring of an expensive consultant. There are tools online to provide some instruction.
To hear more of what Henley suggests, review the webinar, “Anatomy of a Breach: Actions for Employers,” here: https://www.federatedinsurance.com/ws/fi/InsuranceResources/ssLINK/PROD_557832