How many of you have received a notification of a “Security Incident/Breach” from a business or organization? A few weeks ago, I was notified by LastPass that there had been a “Recent Security Incident”. UGH! For those who may not know what LastPass is, it is a password manager: software that securely stores the multitude of passwords we must remember daily for various apps and sites. It took the place of my little red book. This incident made me ask the question: what are businesses doing to protect customer data? How much have you thought about this for your business?
The Safeguards Rule is going into effect in June 2023 for businesses that engage in financial activities. To help you determine whether your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
This rule requires these financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Your program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.
While this rule applies only to these financial institutions, it is good practice for ALL businesses to put a security program in place to protect their customer data, and to have a plan in place to protect the business itself. Most small and midsize businesses would not survive a cyberattack.
So how does one put this type of information security program into place? There is a lot of good information on this topic, and we can help our clients learn more about it.
To start, I would encourage you all to attend our January Lunch GIG hosted by TPx on January 11th from 11:30 to 12:30 (either in person or virtual). You can register here.
They will be talking about the 9 steps necessary to create and adopt such a program and comply with the Safeguards Rule. Their company offers a prebuilt program that covers the scope of these requirements.
I have probably kept you on pins and needles wondering about the outcome of that LastPass email I received. So far I have received three separate emails from LastPass regarding this incident. In the latest email, I was assured that “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.” For my part, I have followed their best-practice measures to keep my business information safe and secure. The communication I received from LastPass is an excellent example of an information security program in action: it keeps customers informed about the steps the company took and about what we as customers should do.
Here are some things to think about. Please bring your own questions to our January Lunch GIG so that we can discuss and learn together and be better prepared to protect ourselves and our businesses.
- Communicate and train your team. How well are they informed about phishing attacks?
- How often do you change your passwords? Do you use the same password for everything?
- How frequently do you update your software? Be sure you are installing software you can trust.
- Do you use multi-factor authentication?
- Do you limit employee access to certain systems to prevent human error that could expose your business to attacks/losses?