The risks and costs of poor data security hygiene
The physical risks to data security often get overlooked, but they can still come back to bite you. The HealthReach Community Health Centers in Maine recently had to notify over 100,000 patients of a breach caused by a simple hard drive disposal done wrong. Compounding this physical vulnerability is the risk of third-party error: it was a third-party employee who was responsible for the improper disposal. Social Security numbers, medical insurance details and treatment data were among the more sensitive pieces of protected health information (PHI) and personally identifiable information (PII) that were compromised.
When multiple factors contribute to a breach, it underscores how fraught the situation can be: it feels like you have to monitor everything, including who has access to what, when and where, and whether they are following proper procedures so that data security isn’t jeopardized as it was here. For instance, are they clicking on links in emails they shouldn’t be? Add these factors to other threats like ransomware, and vigilance becomes even more imperative. After all, “the interconnectivity of different third- and fourth-party relationships is often hard to visualize and address,” says a recent study from RiskRecon and the Cyentia Institute, which also emphasizes prioritizing the management of the most business-critical risks.
The outcome can be even more dangerous in the event of a multi-party breach. As the name suggests, these are breaches that ensnare more than one entity in their web; over 2,700 of them have been observed since 2008. Some of the most notable examples involve SolarWinds and Accellion, and business support services and financial groups are among the sectors most often affected, with millions of people’s data exposed. According to the study’s estimates, the financial damage from these events can be 10 to 26 times that of an average breach, and some organizations do not feel the ripple effects until more than a year later.
With this in mind, companies need to monitor and manage their own data security hygiene as diligently as they guard against external threats that could infiltrate their systems.