Rose Report: Issue 31

Securing Your Company’s Sensitive Financial Information

The letter you don’t want to send to your employees:

Regrettably, we are writing to inform you of an incident that involved some of your information. We are bringing this incident to your attention so that you can be alert to signs of any possible misuse of the information. Late last week we were notified that confidential personally identifiable employee information was breached…

What can cause a data breach?

A data breach can occur in many ways, but the use of “spoofed” email addresses is on the rise. It can start with an email that appears to come from a legitimate sender asking for payroll data. If the employee, assuming the email is from a supervisor, responds by attaching the requested report, the result is a data breach.

Unfortunately, in many cases these emails are not from the employee’s supervisor but from a fraudulent sender trying to obtain the company’s sensitive information, such as social security numbers, home addresses, usernames or passwords. Email scams, known as phishing attacks, are growing in number and are becoming more sophisticated, fooling even savvy users. These attacks can have a devastating impact on an organization, its employees and its reputation. With so much at risk, it is important for companies to create an internal control structure for the release of financial, tax, and personally identifiable information.

Minimize the risk

The first step to avoiding financial data vulnerability is to develop a security policy that becomes an integral part of your company culture. As cybercrime continues to grow, companies need to have best practices in place and make sure that employees are aware of evolving cyberthreats. In addition, companies need to:

  • Make sure all financial information is only available through a secure system.
  • Train employees on the handling of secure information and set policies that prohibit the unsecured transmission of financial, tax, and personally identifiable information.
  • Train staff on login and password security procedures.
  • Ensure systems enforce a minimum password length and composition and require passwords to be reset at least every 90 days.
  • Make sure employees do not communicate sensitive information through an unsecured system such as email. If an email containing financial information must be sent, send only a link to a secure location, never an attachment.
  • Use software that enforces security controls before financial information is released.
  • Use email monitoring software to identify potential phishing threats.
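As an added illustration of the kind of check such monitoring software performs (this is not code from the Rose Report), the following Python filter flags the spoofing pattern described above: a lookalike sender posing as a supervisor and asking for payroll data. The internal domain, the staff directory and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.com"                     # assumption: the company's own mail domain
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}  # assumption: stand-in for a staff directory
SENSITIVE_TERMS = ("payroll", "social security", "home address", "password")

def phishing_indicators(raw_message):
    """Return the spoofing/phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace").lower()
    indicators = []

    # 1. Display name of a known colleague, but the address is not theirs.
    expected = KNOWN_STAFF.get(display.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append("display name impersonates internal staff")
    # 2. Sender domain is a near-match of ours (for example one swapped character).
    similarity = SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio()
    if from_domain != INTERNAL_DOMAIN and similarity >= 0.85:
        indicators.append("lookalike sender domain")
    # 3. Replies would go to a different domain than the visible sender.
    if reply_addr and reply_domain != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    # 4. An outside sender asking for the data the article warns about.
    if from_domain != INTERNAL_DOMAIN and any(t in body for t in SENSITIVE_TERMS):
        indicators.append("external request for sensitive data")
    return indicators

# Constructed sample: a spoofed "supervisor" asking for the payroll report.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: hr-desk@mail-relay.invalid
Subject: Payroll report
Content-Type: text/plain

Hi, please reply with the payroll report for all staff today. Thanks!
"""

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE):
        print("-", hit)
```

A message that trips any of these indicators is a candidate for quarantine or manual review before an employee ever sees the request.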

In today’s digital world, there is no “undo” once sensitive financial information is sent electronically. Not only do employees need to be aware of phishing scams; companies also need to have best practices in place to prevent them from occurring.