Standard Office Systems Blog

Cyber Security Law [How to Stay Compliant]

Written by Erica Kastner | 5/1/20 4:00 PM

CYBER SECURITY | 5 MIN READ

Cyber security laws are rapidly evolving, making some businesses quickly feel left behind. Penalties for non-compliance can be harsh, which raises the pressure for businesses to stay ahead of new legislation. How can your company stay compliant with cyber security laws? Keep reading to find out.

Not enough time? Jump to:

Installations and Monitoring

Education

Management

How MSP's Can Help You Stay Compliant

Installations and Monitoring      

Hardware/Software

A simple way to stay compliant with cyber security law is by upgrading your network's infrastructure. Installing and maintaining the latest versions of hardware like servers and software like anti-virus go a long way in keeping consumer data secure and hackers out of your network.

Keeping consumer data private and safe from the hands of hackers lessens the odds of a data breach, which could put you in violation of certain cyber security laws.  

For instance, to comply with HIPAA, healthcare organizations must ensure that no un-authorized personnel access patient information. If, for instance, a nurse received a phishing email asking for private patient information and the nurse obliged, she could potentially be found guilty of breaking HIPAA.

If a healthcare organization installs an email filtering service that monitors for phishing schemes, or a secure file-sharing service that ensures that only the intended recipient receives private information, potential HIPAA violations can be avoided. 

Copier/Printer Security

Hackers can access private files containing consumer information through your copiers and printers. Since copiers and printers are an overlooked aspect of a business' security, they're often left unsecured, which could potentially put you in violation of cyber security laws. 

Personal copiers and printers typically used in managers' offices come with a host of security risks. For instance, personal printers can have a "print from anywhere" feature that lets you print documents even when you're away from the office.

However, this "print from anywhere" feature has little security because it has to create a hole in your firewall to allow you to communicate with the machine from anywhere in the world.

This hole in your firewall can let a hacker access your printer, which lets them see anything scanned on it, view documents and files on the computer connected to the printer, and potentially even access the whole company's network.

To patch this potential security threat and keep you compliant, consider upgrading to newer copiers and printers that have updated security features.

For instance, some newer models of brands like Canon and Sharp have data security kits with features that, when a document is scanned, copied, or printed, erase those documents from the hard drive up to 28 times. 

Newer copiers can also have features like Transport Layer Security (TLS) that encrypt scanned files that the machine sends to your email, as well as newer versions of Server Message Block (SMB), which securely scans documents to a folder on your computer instead of your email.

RELATED: How Can Your Printers Have Security Risks? [Tips to Protect]

Remote Employee Security 

Since remote employees are not physically at your office, they mainly rely on email to communicate and send private information to clients and co-workers. However, if this private information is sent in an insecure way, it could be leaked or stolen, which can violate cyber security laws. 

Installing VPN’s (Virtual Private Networks) for remote users can ensure that the work devices they use are secured. VPN's create a private network from a public Internet connection, allowing remote employees to handle confidential information outside of the office without risking data breaches.

Work phones also pose legal risks. For instance, if a remote employee received a voicemail containing sensitive client information, that information could be accessed by anyone who hacks or gains access to their phone.

Some business phone systems have call-forwarding features that can automatically route calls through the office first to ensure that voicemails aren't left on mobile devices and that voicemail transcripts are sent to that employee's work email.

Additionally, password policies and cyber security awareness training can help remote employees avoid exposing confidential data through their work phones, which may have less built-in security measures than a desktop. 

Dark Web Monitoring

If a hacker gains access to your network, they can steal customer files and other sensitive information that can be sold on the dark web. If consumer information is published to the dark web, you could potentially be in breach of various cyber security laws, and could potentially face data breach lawsuits from your customers.

Dark web scans find company information such as employee emails that have been published to the dark web. All a hacker needs is information like the login to an employee email to being phishing schemes to extract additional private information from your employees and clients.

While you cannot remove information once it's been published to the dark web, it can expose weaknesses in your network to address in order to prevent future data breaches.

RELATED: Dark Web [Complete Guide]

Education

Cyber Security Awareness Training

Unfortunately, your employees are your weakest link when it comes to your organization's cyber security. The best cyber security tools on the market can keep customer information secure, but what about an employee who has easy-to-guess passwords or doesn't know what a phishing email looks like?

One employee with a minimal understanding of good cyber security practices could bring down your entire network.

Training employees about good cyber security practices from the day they start work will help build a company culture of maintaining a secure network. Cyber security seminars can educate your employees on best practices when conducting business, from how to spot a phishing email to the chain of command in the event of a data breach.

Password Policies

Creating and enforcing a password policy keeps hackers from easily accessing accounts with sensitive customer information. Password policies also help educate employees who might not know much about how to create and maintain secure passwords.

A main focus of any password policy should be to limit how much employees write down their password, whether it's in a notebook or in the Notes app on an employee's phone. Writing a password down anywhere leaves it susceptible to being found by hackers. 

Additionally, for accounts or programs with administrator permissions/passwords, aim to limit the number of employees and devices with access to administrator privileges. This increases the odds that a hacker will find a device on your network with administrator rights, which will let them take control of your network and any programs you use. 

When creating passwords, tell employees that they should aim to change passwords every few months. They should enable two-factor authentication when possible and never put easy-to-find information such as children's' names in a password. 

Management

Role-Based Security

Employees don't need access to every bit of private information that your practice has. Letting employees access all private information risks an employee accidentally viewing customer information that they aren't authorized to see.

Additionally, company-wide free information access means that hackers have more chances of finding an employee with access to an account containing private information.

Implement role-based security procedures within your practice to minimize the risk of important information being leaked or stolen. Assign different levels of security clearance to employees based on how important it is for them to have access to that information.

For instance, a blue level employee might just have access to accounting software, while a red level HR employee might just have access to employee management programs.

Role-based security prevents employees from accidentally seeing information that does not pertain to their specific duties, and also prevents employees with bad intentions from accessing information that they shouldn't be able to access.

How MSP's Can Help You Stay Compliant

A Managed Service Provider can help you stay compliant with evolving cyber security laws by adapting your network's configuration. They can help you implement all of the above security advice and more.

From an installation and monitoring standpoint, they can integrate the latest cyber security hardware and software within your network, and then monitor and address any issues that pop up.

From an education standpoint, they can help you create password policies to show how to create secure logins to company accounts, or send out phishing tests to educate employees on how to detect and avoid phishing schemes.

From a management perspective, an MSP can help you create and integrate role-based security policies and manage those with administrator privileges in your network. 

Staying compliant with cyber security laws involves planning for the future. Besides keeping your company compliant, an MSP can help your business plan for moves or office expansions by showing you how those scenarios will affect your network.

To stay compliant with cyber security law, your network must adapt to stay one step ahead. Use the advice in this article to secure your network and avoid non-compliance penalties today.