Lesson 10 of 11

Data Breaches and How To Protect

Collin Gabriel August 23, 2022


Craig Vattiat (00:00):

So let’s take a moment to look at how breaches happen. They happen for two major reasons. One is because the entity carelessly or unknowingly gives away the data, you know? Right. It might just be a mistake. Or two, criminals exploit a weakness in security. Right. And so those are the two ways that breaches happen, and the causes for those types of breaches are kind of listed here. Right. So, you know, when it comes to disposing of data, think about how you dispose of that. Again, if it’s, you know, job notes or something on, you know, an order that has some of that data on it, how do you dispose of that? Do you maybe shred it internally? Do you maybe take it to a shred facility? Burning it is another option. Accidental disclosure might happen simply by sending the wrong customer an email or a letter, you know, that’s meant for somebody else.

Craig Vattiat (01:05):

That could be an example of accidental disclosure. If you use a tablet or a laptop and, you know, you just keep that in your truck, or maybe it’s in the trailer on a job site, is it secure? Do you lock it up whenever you step outside of the trailer? And then if you have employees, are they using caution in the way they access customer data? Are they following company policies? Moving on to passwords: passwords are notorious. We don’t like changing them and remembering them, but it’s a real area of vulnerability. And so more and more businesses are using multifactor, you know, two-step verification, where you, you know, log into your computer, but then it requires a code that you would then access through your phone by, you know, using the verification app, let’s say, on your phone. That’s a multifactor verification process that really can help secure your computerized data. And then finally, if you have inadequate system protection or system monitoring, so those would be things like firewalls, which would, you know, protect your network, password protection, again multifactor authentication, and backup systems to help protect against those breaches. So that might be something where you need to work with a, you know, a service provider to help you look at your options there.

Collin Gabriel (02:41):

You know, on that last slide, I actually have a couple anecdotes, even one recommendation. So, you know, in our little program here, we have a pretty hefty gardening section. And one thing we, me and my son, do is we shred documents or cardboard and we put it into a worm bin. So you could even turn those sensitive documents into great soil for your garden. <laugh> And then the second one is, you know, one thing I have seen in the past, and I think a lot of small businesses might not have these concerns, but, you know, people who have employees, if your computer system goes down or you have a POS system, a point of sale system, that goes down and you’re writing down credit card information on a piece of paper or something like that.

Collin Gabriel (03:30):

It’s, you know, it’s very easy for a lot of people to forget about that information, because they do it in the moment. Especially, like, I’ve seen this happen in front of my face at farmers’ markets when someone’s phone isn’t getting service or something like that. They’ll be like, well, we’ll just write down your credit card information and then I’ll charge it in a moment; you should see the charge show up. And every time that happens, I’m like, well, I’ll just wait, I’ll just come back. But if that does happen and they do write down the information, you know, if you are an employer where you think that could happen to you, it’s a good thing to talk about that with the folks who could be helping out and tell them that we dispose of this information immediately, because that would put you at risk. I’ve always had a fear of that when I see that happening.

Craig Vattiat (04:13):

Yeah. And that ties in really well, great call, to kind of the information here, which really is about how you safeguard that. So if you do have a situation where you need to do that, you know, that you have a company policy in place that really clearly describes how to kind of follow up on that process of maybe handwriting credit card numbers. Yeah. So how do you safeguard your information? A lot of this information comes right from the FTC. There’s a couple of resources listed there that are really great, specifically for businesses as well, about how to assess. So take inventory of all the information you have by type and location, not only on computers, but also in paper files. This again might include how you receive personal information through websites, from contractors or other companies you work with, and then be sure to know who uses that information.

Craig Vattiat (05:14):

And what sensitive information is stored on those. You know, various again, that might be your work computer, it might be an employee’s home computer, your cell phone. And then look at the effectiveness of the existing security safeguards to see if there’s any foreseeable external risks with your network or the software that you use. Again, if this is something that you don’t feel like you have the capability to do, then shop around for service providers that can help you to do that assessment. The second piece here is to reduce the amount of sensitive data you collect. You know, as a simple rule, if there isn’t a need for it, then just don’t collect it, because that exposes you to that risk. You can develop a record retention plan, you know, that includes kind of what to keep, how it’s secured, how long you hold onto it, and then how to dispose of it. If you do have electronic equipment that you need to dispose of, Oregon has an E-Cycle program that you can access to make sure that that electronic equipment is safely and securely disposed of.

Craig Vattiat (06:25):

The third step is to protect what you do keep. You know, consider not only the physical security, but also the electronic security, your employee training practices, and then contracting with those service providers who might help you to manage some of that. So some ways that you can do that: you know, secure paper documents in a locking file cabinet or a room that has limited access; use encryption to make sure that digital information is more secure. You can designate an employee to coordinate the training of other employees. And then another simple example, you know, using a lock screen when you walk away from your desk, taking the moment to lock your screen, so that, let’s say, if you need to move into a back room, there isn’t the opportunity for someone to access your computer.

Craig Vattiat (07:23):

If you do decide to use what’s called a third-party customer relationship management system, or CRM system, really make sure that you’re working with that company to understand what your liability is and what their liability is. You know, how do they safeguard that data and how do they respond to breaches? So that’s an important consideration. And then lastly, to detect, to monitor and regularly assess the risks. You know, it’s not something that, again, you set up and then you just kind of forget about until a problem happens, but test those systems, those procedures, to identify vulnerabilities and then ways to protect yourself.