A Business News Daily article profiles the problems IT professionals face when trying to find efficient and safe file-sharing solutions for their customers. As it points out, finding an IT solution is easy. Getting your clients to use their IT infrastructure securely – well that's another matter.
On this blog, we've discussed the ongoing problem of client education. One of the biggest liabilities IT professionals face comes from clients using IT solutions improperly or adopting non-secure IT practices. (For some of our past discussions, see "Don't Let Your Employees Cause Your Next Data Breach.")
Client-fueled security weaknesses can occur in a number of ways, including…
- Shadow IT (when employees use non-approved software, devices, and web services to perform work functions).
- BYOD liability (employees using personal devices on a work network).
- Misuse of approved IT solutions.
It's always important to remember that IT solutions are a bit like owning a car. Your car might have air bags, seat belts, and other safety features, but a car is only safe when drivers know how to use it. As an IT professional, that means you should make sure your clients know how to "drive" your software and are able to use it securely.
The big question is: how can you teach your clients to use IT solutions more securely?
IT Risk Management: Guidelines for Client Education
As you know, proper data security isn't easy. It's not like there's a simple checklist of things you have to do each day, and once you do them your data is perfectly safe.
Instead, cyber security and data risk management are constantly evolving processes that require you to…
- Be aware of new risks.
- Understand the limits and security concerns with IT solutions you currently use.
- Act quickly to minimize risks when they occur.
- Maintain a healthy dose of skepticism.
It's hard to ask your clients to flip a switch and suddenly become data security experts. So what do you do?
You have to meet your clients halfway. You have to help them understand their risks, teach them to use their IT infrastructure securely, advise them about security pitfalls, and maintain communication with them to alert them about new threats.
Granted, all of this is easier said than done. Let's look at some of the common security threats that a client and their employees may unknowingly expose their business to.
6 Ways Clients Expose You to Data Breach Lawsuits
When you consult with clients, provide them with a reminder of these common data security pitfalls:
- Shadow IT file sharing (via email, Dropbox, etc.). It's easy to see why this can be an issue. An employee wants to send a file to another business, so they upload it to Dropbox or send it via Gmail. The employee thinks they're doing their job efficiently. However, they actually risk the company's data security. Many cloud storage sites and email programs don't encrypt their data at all times, which means the file they sent could be accessed by enterprising hackers. In many industries (legal and medical), this could also count as a breach of confidentiality and the company could be fined. (For more email security tips, see "Make Your Clients Safer: A Lesson in Email.")
- Flash drives. Thumb drives and other portable storage devices are like little data breaches waiting to happen. Not only do they make it easy for employees to accidentally expose a company's data (by losing a thumb drive or using it on a non-secure network, such as their home computer), but thumb drives can also bring in a host of outside threats. A thumb drive that an employee uses at home could accidentally contain malware or other dangerous software that could expose a client's data.
- BYOD liability. As with thumb drives, when an employee brings their own device (BYOD) to work, they can bring a host of problems. For example, while the device was at home, an employee's child could have accidentally downloaded a spoof app that contained malware or opened a phishing email.
- P2P file sharing. Using P2P file-sharing programs can expose massive amounts of a company’s data. Employees may download these programs on a device they use for work and accidentally risk their company's data.
- Failing to encrypt data. Often, companies can encrypt their data simply by clicking the right settings. Say a company provides laptops for its sales team. The IT consultant who works for that company will need to change the security settings on those laptops to log out inactive users and automatically encrypt data. That way, if the laptop is stolen, the data will still be encrypted. The same strategy applies to tablets and mobile devices.
- Forgetting to update software. This risk affects businesses more than consumers. Businesses tend to use older versions of software because they need it to be compatible with older enterprise solutions. Combine this with the fact that IT upgrades to a business are often more complicated, and you can see why many businesses are slow to upgrade. (For a recent example of this, see "Java Update Reveals Why Business Software Is More Vulnerable than Consumer Software.")
These are only six examples of the kinds of threats your clients face. Remember that when a client is sloppy about data security, their IT consultant might be the one to suffer. Data breaches can lead to lawsuits filed against the security contractor, programmer, or other IT professional who worked on the compromised IT solution.
To return to our car metaphor, it's a bit like a driver suing the car company after he drives dangerously. Unfortunately though, that's how many IT lawsuits occur. Client errors lead to data breaches. Data breaches lead to lawsuits against IT professionals. It often doesn't matter that the client was partially at fault.
But you're not totally exposed to this risk. Errors and Omissions Insurance can cover the cost of a data breach lawsuit and other lawsuits clients file against you about your work or their data security. For this reason, countless IT professionals invest in E&O Insurance. It saves them from having to pay for a lawsuit out of pocket.