“Let’s get Physical”
Acknowledging that good Cyber Security starts with addressing any “physical or tangible” information breaches is the best first step toward achieving a higher level of security for your company. This article will address physical areas that should be considered when looking at the overall Cyber Security health of your organization.
1. Vendor Management – When contracting a 3rd party who will have access to your office and physical client data/NPI, you become responsible for any risks posed by their activities. These vendors include, but are not limited to: cleaning services, trash/waste services, shredding companies, alarm companies and copier maintenance companies. It is important to have a vetting process in place to get to know your vendor, ensure they meet any regulatory requirements and are protecting your most valuable asset - your reputation. Key elements of your due diligence process should include:
a. Make sure you are dealing with a licensed and registered business. Get a copy of their business licenses and check it’s standing online.
b. Verify their reviews.
c. Gather information on their general liability insurance, cyber insurance, or insurance specific to their services.
d. Have them sign a Non-Disclosure Agreement (NDA) and Confidentiality Agreement.
2. Visitor Protocols
a. Know who is in your office and why.
b. Have visitors present their credentials, sign visitor log and state the service they will be providing.
c. Only allow visitors in the areas needed for their particular function.
d. If the visitors are service providers, then make sure you have a privacy protocol in place for them to review, as well as receiving their privacy protocols for your review.
3. File Management - In most instances, several people may be working on files simultaneously. Thus, it is important to have best practices in place to ensure the integrity and privacy of the transaction from start to finish.
a. Assure that all computers and laptops are locked or shut down when not in use.
b. Lock doors to internal offices, desks & filing cabinets when outside vendors have access to the main office.
c. Never share passwords or use common/same passwords with others, and change passwords frequently.
d. When files are shared on a network, review shared settings often to determine access privileges. If access is not needed for an individual, delete or de-activate sharing capabilities.
e. Archive files in an encrypted environment when the transaction is completed.
f. Physical files should be secured in closed filing cabinet when employees are not physically present.
4. Clean Desk Policy and Conference Room Protocols - Computer screens and equipment, paper documents (including post-it notes), white boards, and chalk boards are all vulnerable to unauthorized exposure of NPI by anyone who has physical access to the workspace. Oftentimes it can be impossible to know who accessed the exposed NPI, and what the intentions of the culprit might be. Making sure employees are aware of the dangers, with the precaution of a clean desk policy, clean screen policy, and conference room protocols can help to prevent these unnecessary breaches.
a. Things to consider for a clean desk policy
1. ALLOWED: Landline phones; laptops and computers; files when actively working on them.
2. PROHIBITED: iPhones or android phones with the capabilities of taking photos; access cards to the office or building; keys to the office.
3. Implement use of screen blockers for computer screens and personal handheld devices to eliminate “visual hacking.”
4. Locking your computer or turning it off when leaving your desk.
5. Notify management and security immediately upon discovery of lost or stolen items.
b. Things to consider for conference room protocols. Conference rooms are often the place where the most NPI is shared among participants. Complete purging of all information needs to occur.
1. Clean up any leftover notes or paper left on the table or thrown into the trash can.
2. Erase notes on the white board, if applicable.
3. Check to make sure post-it notes have not been left behind with information written on them.
4. If there is a dedicated computer or laptop make sure it is locked and secured prior to leaving.
5. If meeting is breaking for a period of time and participants are leaving the room, make sure the conference room is secured without access to others, or that any items with confidential information is put away.
5. People Risk Management - When people are under financial pressure they can act or do things that are out of character, – taking chances in order to feel financially secure once again.
a. Financial stress considerations:
1. Watch for employees that may be showing signs of abnormal behavior, such as not finishing tasks completely, showing signs of depression, exhibiting lower work quality, demonstrating high agitation with others, asking for pay advances, etc.
2. Have resources to direct them to for assistance – do not ignore these symptoms.
3. Conduct employment background checks at regular intervals.
In conclusion, security breaches of NPI or private and sensitive information happen not just in the cyber world, but also in the physical, tangible data environment. It is important to keep vigilant in your security practices in both realms. For further information regarding how to protect yourself, your business and your employees, we have included the below articles:
1. Vendor Management: Office of Compliance Inspection and Examinations, Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features
2. Visitor Protocols: Blog: 9 visitor policy basics to keep your business secure
3. File Management/Access: 6 Simple Ways to Ensure Data Access Governance for File Server
4. Clean Desk Policy and Conference Room Protocols: List of security templates available from SANS Institute
5. Forensic Investigation: Blog: What Does a Cyber Forensic Investigation Do and How Much Does it Cost?
Article by the Cyber Security Committee
Back to Industry News.
