By Beth Haddock
The e-mail can arrive in your inbox cleverly disguised, appearing to come from your boss, a co-worker, or some other person, business, or organization you trust.
But click on a link or attachment as instructed, and you could be in for a headache. You’ve just given cybercriminals access to your company’s data — and potentially put the business out of compliance with federal laws and regulations about protecting that data.
Phishing attacks are one of the most common security challenges individuals and businesses face when it comes to keeping information secure. The phisher’s goal is to steal sensitive and confidential information. That information could include Social Security numbers, credit-card and bank-account numbers, medical or educational records, dates of birth, and e-mail addresses.
That’s problematic because federal regulations may require that your business keep certain information secure. Just as an example, health providers are expected to safeguard the medical records of patients under the Health Insurance Portability and Accountability Act.
Such compliance issues can create unwelcome complications for businesses, which is why they need to be proactive in addressing phishing. Here are a few steps they can take to protect themselves.
Educate employees. The first line of defense against phishing is employees, because they are the ones likely to be targeted. Make them aware of the threat and tell them to be suspicious of e-mails that contain links with little explanation, or that ask for sensitive data, even when the message appears to come from a trusted source.
Reassess who has access to data. Because employee mistakes are the most likely cause of a breach, retraining alone may not get the job done. A business or organization may want to take another look at who should have access to all that sensitive data, and make adjustments where possible.
If a breach happens, take action. You can’t just ignore a data breach. Right away, your IT team needs to be notified so they can begin containing it. At the same time, it’s important to immediately contact your compliance officer or attorney so they can take the appropriate steps to report the breach to the proper regulatory agencies.
These phishing expeditions from cybercriminals represent a serious challenge for businesses and for their compliance officers. It’s critical to be aware of the threat and to know that there are steps you can take to reduce your risk and avoid finding yourself out of compliance with regulations that govern your sensitive data.
Beth Haddock, CEO and founder of Warburton Advisers, is the author of Triple Bottom-Line Compliance: How to Deliver Protection, Productivity and Impact. She has more than 20 years of experience as a compliance and business executive, and her consulting firm provides sustainable governance and compliance solutions to leading international corporations, technology companies, and nonprofits.