A recent information security study by Cisco confirmed the age-old adage “loose lips sink ships.” The study surveyed over 2000 people including IT professionals and employees across ten different countries. Cisco found that insiders are still the biggest security threat to your practice, whether by accident, negligence, or on purpose. The study also warned that during times of economic hardship, employees are more likely to steal from their company to help provide for their family.
The study points out several common problems. Employees will often change settings on their computer to access restricted websites. This results in a loss of productivity and potential problems from malicious software. You should also verify employees don’t have access to data they don’t need, such as billing information or your financial reports.
Sharing confidential information with outsiders is also a common problem. Be sure your staff knows not to talk about any patients they see during the day. This could cause problems for the patient and may result in lawsuits and HIPAA violations.
Sharing company devices, such as laptops, with friends or family members is also a huge problem. Even though employees trust their friends or family not to steal data, it is still possible for them to unknowingly download a virus from MySpace or other sites, which could lead to data loss or theft.
Another key problem is employees leaving their computers logged in and unlocked when they are away from their desk for an extended period of time. While it may take a few extra seconds to unlock a computer, it is necessary to prevent unauthorized access. No one wants the janitor to surf around on their computer after hours.
Storing important data on USB thumb drives can also cause problems. Such drives are easily lost or stolen. If your practice needs to store information on USB drives, consider using a free encryption program, like TrueCrypt, to encrypt your data.
There are two ways you can protect your data from the insider threat. First, be sure to have a clear information security policy that defines what is appropriate as far as data access, computer usage, and other important matters. Second, be sure to spend time educating your employees about their responsibilities regarding security. Knowing is half the battle, but monitoring and verifying your employees are doing the right thing is also very important.