At the end of January, the Coca-Cola Company announced that nearly 80,000 of its private records had been compromised in a data breach. Among other things, the records contained some 20,000 Social Security numbers and other private data for former employees.
The breach occurred when an employee assigned to destroy old laptops attempted to steal them instead. But what's most shocking is Coca-Cola's lack of proper security protocol and auditing. The company's lax standards provide two important reminders for IT professionals:
- You need to protect your company from employee errors (or dishonesty).
- Merely having a security policy is not enough. You need to have the infrastructure to enforce it.
Why Employees Are One of the Biggest Dangers for an IT Company's Security
When designing and implementing security protocol for your clients (or your own business), remember that one of the most common sources of a data breach is employee error.
Remember the Target data breach? Investigators finally figured out where the breach occurred: an employee's email account. That's right. Millions of financial records were stolen because one employee opened an email they shouldn't have.
The story is pretty incredible. It shows how unbelievably resourceful (and nefarious) hackers can be. Hackers sent a phishing email to an HVAC company that worked with Target. One of the heating and air conditioning employees opened the email, which surreptitiously installed malware on their computer. Also on that employee’s computer? Login credentials for key Target systems. Bam.
It's not uncommon for hackers to attack HVAC companies and other vendors because these companies often have some access to their clients' networks. The malware on the HVAC company's network was able to spread to Target's and cause the largest data breach in U.S. history.
So if one employee error can cause such a huge data breach, what can you do to prevent them? The answer: security audits.
The Real Thing: the Importance of Real Security Audits
No one likes the word "audit," and for good reason: it means a lot of hard work making sure you dotted all the i's and crossed the t's. But security audits are vital for preventing data breaches and avoiding an Errors and Omissions lawsuit.
What is a cyber security audit? It's when a company reviews the procedures it uses to enforce security protocol. A security audit should include a review of the following:
- Security guidelines for mobile use, password choice, and other potentially problematic areas.
- Training and security performance documentation.
- Data storage and encryption settings for all devices (even employee-owned devices).
- Network privileges and which outside users (vendors / contractors) have access to secure parts of a network.
- Security / activity logs.
- Security processes to make sure that people who dispose of devices provide documentation or confirmation that they’ve been handled securely.
If the IRS audits your taxes, you'll be asked to show a receipt for almost every expense you listed on your tax forms. That's the kind of thoroughness you should expect from a cyber security audit. That thoroughness is also the reason so many firms don't perform security audits: they can be a lot of work, and not every security process is easy to document.
Could a Security Audit Have Prevented the Coca-Cola Data Breach?
For Coca-Cola, a security audit would have revealed some of the major issues that exposed the company to a data breach. A security audit would have found that Coca-Cola committed the following mistakes:
- Mobile devices / laptops contained private data. (To learn more about mobile threats, see the blog post "The Mobile Future and Why You'll Need E&O in It").
- Private data was not encrypted.
- Laptop disposal relied on employees, without asking them to document that they had securely disposed of the devices.
Amazingly, that's three separate security failures. Fixing any one of these problems could have prevented the breach.
Of course, security audits won't solve every problem or prevent every data breach. Employee errors and other security weaknesses will persist. That's why IT consultants and system administrators get Professional Liability Insurance (also called E&O Insurance), which covers your legal costs when a client is hit with a data breach and sues you.