Breaches aren’t always the work of external hackers or malicious insider threats. They are frequently the result of carelessness on the part of an employee or security administrator. But when it comes to securing confidential information, there’s no room for error. Improperly implemented or unsuccessfully enforced security policies and procedures leave an organization vulnerable to a wide array of security risks.
Stolen device – Florida Department of Juvenile Justice, 2013
A thief broke into a secure office of the Florida Department of Juvenile Justice (DJJ) and stole a mobile device that contained sensitive data. Although DJJ’s technology policy requires that all mobile devices be encrypted and password-protected, the stolen device was not compliant with these security measures.
As a result, the records of more than 100,000 juvenile delinquents and employees were compromised, putting them at risk of identity theft. In response to the incident, DJJ emailed all of its employees and contracted provider programs a copy of its policy reminder and security instructions.
To ensure that employees and contracted provider programs understood DJJ’s technology policy, the documents defined the parameters of the policy with regard to employee requirements and the expectations of contracted provider programs.
Expert insight: In addition to providing a strict and specific mobile security policy, organizations should periodically review policies with employees in order to ensure that everyone thoroughly understands the processes and ramifications of compliance failures. They should also implement training and checks to guarantee security procedures are being followed. Additionally, planned and random audits can help identify weaknesses or irresponsible activities before serious consequences occur.