Protecting your digital assets

You’ve launched your senior care facility’s social media initiative, and now you’re proudly marketing yourself on Facebook, Twitter, LinkedIn and/or other online media. But who’s minding those new doorways to your digital assets?

Every organization knows there’s a crucial balance between online marketing opportunities and data risk management. Knowing what your IT responsibilities are in the new online world can help mitigate risk when it comes to protecting your electronic data. Perhaps no one knows more about hackers and the protection of digital assets than Theresa Payton, founder of Fortalice, who spent 2006-2008 protecting one of the most-targeted IT systems in the country—The White House.

Today’s online and mobile world means there’s more data to protect, outside your own walls. The execs and IT staff need to have a conjoined plan to protect the company’s digital assets, a plan that will protect the “Big Three” assets without crippling the rest of your online marketing endeavor, Payton told attendees at the 2013 ALFA conference in Charlotte, N.C.

Some sort of check against identity theft would be an added plus, she adds, simply as a fact of the elder-care industry: The elderly are among the three highest targets nationally for identity theft, especially for healthcare billing fraud. “Cutting-edge technology can’t help you if you don’t have the IT processes and rules-based safeguards in place,” she says.

Your data is your primary asset: And it may be more important that any staffer or exec. So, what data do you need to “watch”? Resident records, medical records, financial records? All of these, Payton says. New malware pops up every day, and hackers have no rules, she warns: “Every 90 seconds, someone comes up with some way to get around the lock you’ve created. And for most victims, the first indication they get is a knock at the door.” Then remember the number 243: This is the national average of how many days a hacker has been inside a corporate security system before anyone is aware of it, she adds.

But any company’s internal data security efforts must still be balanced with the need of workers to do their work, she notes. Today’s “always available” mobile world can be a very lucrative one for companies, but also a risky one. The key, she says, is: Are all segments of your business on board for handling secure online initiatives without putting your company at risk? Can you handle the employee “bring your own” devices that are quickly becoming today’s de facto for getting the daily work done?

The data security to-do list

  • Hold a meeting to decide: What data would be most dangerous to be compromised; i.e., making you unable to exist or to be liable for more fines/liability than you can handle?
  • Analyze your log protocols. For many companies, a 60-day active log isn’t long enough, Payton says.
  • Conduct employee security traning at least twice per year. And perhaps rethink your whole corporate training method. Most companies’ online security training programs (even if offered yearly) are “so ridiculous” that adept social engineering tactics can easily break though employees who have been trained, Payton says. It’s in your company’s best interest to ensure that your employees have retained what the training has shown them.
  • If your company allows “bring your own” devices, consider putting audit-trail tracking in place for those devices for continuous spans of at least four months.
  • Work-at-home staff may be a fact of life at your organization. But your IT system must protect your “work at home” people the same way it protects the in-office workers.
  • Grill your vendors, including the cloud-based ones. Make sure they can provide the data trails you need.

DATA BREACH PRACTICE

No digital assets security plan is meaningful unless it has “worst-case scenario” practice sessions in place. It’s simply a routine part of any company’s corporate risk plan, or it should be, she says. Good digital asset security includes an action plan if a digital breach occurs. “Digital disasters happen to really smart companies. But if you spend some time doing this as practice, you’ll be much better off,” Payton says. “You may think this is solely your CIO’s job, but it isn’t.”

Payton suggests holding an executive meeting solely to discuss digital assets and what should be done to protect them. “When we talk about new technology, and vendor access, and user IDs and passwords and access controls, let’s talk about these and nothing else. You have to get your ‘Big Three’ digital assets down, so you can decide how to protect them.” It’s no good waiting until a breach has already occurred, she adds: “We can always hope that [hackers] don’t realize what they stole. But hope isn’t a very good strategy.”

THE CEO/CIO STRUGGLES

People over age 65 are now among of the nation’s largest targets for fraud, so there’s no rest for the weary. “The [computer] criminals have an innovation cycle of half a day. But your execs may say, ‘when are we going to be done [with security]’? You’re not done. You’re never done.”

The long-term care industry has several data security lacunae, Payton says. “Companies have not sat down to name their top three digital assets to protect. Then, the company’s executives are saying, ‘Are we done yet?’ and they don’t have an understanding of the criminal-ware side.”

So, what are your three top assets? Think of the “things that will land you in jail or make you cease to exist, or your customers will never trust you again,” Payton says. “No IT department can protect everything, so figure out what your top three digital assets are.” Behavior change must come from the top down, but the organization’s security ultimately takes place at the employee level—one employee at a time.


Topics: Articles , Disaster Preparedness , Technology & IT