While perusing the web earlier this week, I came across a small article called “Blue Shield leaks social security numbers”. This short segment went on to mention that Blue Shield inadvertently included social security numbers within a report that was posted to the public domain. Apparently, it wasn’t the first time. They did the same thing a few times, again without realizing that they were exposing confidential data.
From what I could understand from the limited information, the original report did not contain the social security numbers. Somehow, they were added afterwards and the report was posted on the web. Subsequently, personnel probably just kept using the prior report as a template and updated it as required.
During my career, I’ve had the opportunity to speak to many individuals from different companies (large and small) as well as perform business and financial analysis for some of them. I can tell you firsthand that many office operations are lax when it comes to controlling information, giving criminals ample ways of stealing and using it.
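The failure described above is a report that picked up social security numbers somewhere between drafting and publication, and nobody checked before posting it. One cheap control is a scan of the outgoing document for SSN-shaped values before it leaves the company. The script below is an added example written for this article; it is not code from the original post or from any XSolutions product, and the report text it scans is a constructed sample, not a real document. It assumes a plain-text report and uses the structural rules of U.S. SSNs (area 000, 666 and 900-999 are never issued, group 00 and serial 0000 are invalid) to cut down false positives from order numbers and similar nine-digit values.

```python
"""Pre-publication check for SSN-like values in a text report.

Added example, not part of the original article. It assumes a plain-text
report (a constructed sample is included below) and flags values that look
like U.S. Social Security Numbers so a document can be held back before it
is posted publicly. Structural rules applied: the area (first 3 digits) is
never 000, 666 or 900-999; the group (middle 2) is never 00; the serial
(last 4) is never 0000.
"""
import re
from dataclasses import dataclass

# NNN-NN-NNNN, NNN NN NNNN or NNNNNNNNN, not glued to other word characters
# or hyphens (so a 10-digit phone number does not yield a 9-digit substring).
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


@dataclass
class Finding:
    line: int      # 1-based line number in the report
    start: int     # column offset of the match within that line
    masked: str    # only the last four digits are kept, e.g. ***-**-6789


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups that the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_report(text: str) -> list[Finding]:
    """Return every plausible SSN in the report, with the value masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(line_no, m.start(), f"***-**-{serial}"))
    return findings


def redact_report(text: str) -> str:
    """Return a copy of the report with plausible SSNs masked in place."""
    def _mask(m: re.Match) -> str:
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            return f"***-**-{serial}"
        return m.group(0)
    return SSN_RE.sub(_mask, text)


def safe_to_publish(text: str) -> bool:
    """True only when the scan finds nothing; the gate a release step would use."""
    return not scan_report(text)


# Constructed sample report: one real-looking SSN, plus a phone number, an
# invalid test value and an order number that must NOT be flagged.
SAMPLE_REPORT = (
    "Quarterly claims summary (constructed sample, not a real document)\n"
    "Contact: (845) 555-0100\n"
    "Member: Jane Doe  ID 123-45-6789  Plan: Gold\n"
    "Reference: 000-12-3456 is a test value and not a valid SSN\n"
    "Order 987654321 shipped\n"
)

if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"line {f.line}, col {f.start}: {f.masked}")
    print("safe to publish:", safe_to_publish(SAMPLE_REPORT))
    print(redact_report(SAMPLE_REPORT))
```

A scan like this belongs in the step that publishes or emails a document, not on someone's to-do list; if `safe_to_publish` is false the file is held and a person reviews the masked findings. It is a heuristic: a genuine nine-digit order number in the issued range will still be flagged, which is the right failure direction for a pre-release gate, and a number split across lines or stored in document metadata will not be seen, so the check complements the handling policies rather than replacing them.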
I don’t know the particulars about what happened in the Blue Cross incident, so I cannot comment on it. However, simple observation in many office operations will show client and employee information unintentionally exposed to other employees and office visitors.
You would think that in this day and age with all of the reports and news stories about identity theft, cyber-crime, etc. that businesses would start to enact internal controls on how they handle confidential data. Exposing someone else’s social security number is serious since it is tied to a person’s identity and is the key to personal information.
Question: How many times do you see individuals scribble something while on the phone on pieces of scrap paper and throw it in the waste basket when done? What was on that discarded piece of paper? A telephone number? Credit card number? Social security number? A person’s name with a date of birth?
Periodically, you should quietly observe the goings-on in your office and pay particular attention to how documents and information are used and handled:
- Are documents left on desks while employees are absent?
- What information is on those pieces of scrap paper in the waste basket? After hours — take a look. This simple test may be an eye-opener!
- Are computer screens viewable? Can you read the content from different angles? Do people leave documents opened on their screens when not at their desks?
- How do the desks look after hours? What hard copies of documents are left on them? Are documents left opened on the computer screens? Are the file cabinets locked when everyone goes home at night?
If you’re shocked after your initial observation (and most managers are the first time), then take these steps for starters:
- Immediately institute a Clean Desk Policy. No company, client, or employee information should be left exposed during the day and certainly not after people leave in the evening. All information should be locked up when not in use. Conduct periodic surprise Clean Desk Audits to ensure compliance.
- Shred any pieces of paper with client or employee information. Only use micro-cut shredders to completely destroy hard copy information. Educate staff on why this is important.
- Position desks so that computer screens cannot be seen by anyone standing or passing behind them. If necessary, install Privacy Screen Filters to prevent monitors from being viewed from the side.
- Require that all important documents, especially those containing confidential information, be saved to the company’s server only. Do not allow anyone to save important documents on their workstation, where they can easily be compromised or hacked and are unavailable to management when needed.
- Have strict policies on what type of information can be sent outside of the company to clients, vendors, etc. Make sure everyone knows what information they should never give out and immediately refer such requests to management. If someone is unsure whether they should divulge a piece of information, they should refer the request to management.
- Educate staff on social engineering scams — how to recognize them, what they should do if it happens to them, and how to immediately report them to management. Make sure they know not to blindly click on links within emails, especially when they do not know the sender. Email is the most common way for criminals to spread viruses and malware.
- Make sure anti-virus applications are active and updated and that every workstation is protected. Run full scans frequently. Although anti-virus software is the second line of defense (people are the first), criminals are creating so many variants that you can still get badly infected even if your software is up-to-date. Everyone must practice safe computing.
- Have your network monitored and maintained by a Managed Services Provider (MSP). Traditional break-fix firms do not provide the level of service that businesses need to fully protect themselves and keep systems up and running. Yes, it’s more expensive; there is a reason for that — the level of service is much higher, more comprehensive, and better aligned with your company’s profitability goals.
- Depending on your industry, management should have detailed procedures on what internal measures are to be taken when confidential information is exposed and which government and law enforcement agencies need to be notified.
Protect your company by having written policies and procedures in place and make sure everyone in the office is aware of them. When all is said and done, it’s management’s job to set the direction of the company. Implement the above actions and, more importantly, enforce the rules.
XSolutions is a Managed Services Provider (MSP) and provides 24/7/365 remote monitoring, scheduled workstation and server maintenance, Help Desk Services, Cloud & Hosted Services, Backup/Disaster Recovery, and Software Development. Call us at (845) 362-9675 and see how we can help your company.