How employees can share the IT security load

May 19, 2016 | 5 mins
Advanced Persistent Threats | Compliance | Data and Information Security

When we talk about responsibility for a company’s data security, naturally, management comes to mind first, typically a CISO, CSO or CIO. Security professionals and IT managers themselves concede that they bear the lion’s share of this responsibility.

A recent study showed that 65% of IT decision makers believe they would likely lose their job due to a security breach. But the real foundation of a well-managed company’s data security efficacy comes down to each and every employee within that company. A perfect example occurred nearly five years ago at a Midwest-based hospital revenue cycle management company and demonstrated how devastating a poorly-managed security framework can be at multiple levels of an organization.

In July of 2011, a company employee left an unencrypted laptop containing protected health information of tens of thousands of patients from Minnesota hospitals in the trunk of a rental car parked at an airport. Obviously it was stolen, or this would not be much of a story. But think for a moment about all the security best practices that were either absent or ignored.

Why wasn’t this critical data encrypted? Why was there no technology in place to remotely wipe the information on the device? Was the employee trained to not let a device containing such sensitive data out of his or her direct control? Were there written policies in place covering these issues? If so, were they routinely enforced and were offending employees routinely disciplined? Did anyone audit or monitor the daily operational security practices at this company?

The company certainly paid the consequences for this massive oversight. The Minnesota Attorney General instituted a HIPAA action which resulted in a $2.5 million settlement with the government and an agreement that the company suspend practice in the state of Minnesota for between two and six years, the exact period being solely within the discretion of the Attorney General. In its next public filing, the company acknowledged it would lose between $23 million and $25 million in revenue for each year it was absent from operating in Minnesota.

The company’s shareholders then filed a class action lawsuit alleging that had they known about the HIPAA investigation when it was first instituted, some of them may have sold their shares before their value plummeted by more than half. This suit settled for $14 million.

Then, at the end of 2013, the Federal Trade Commission reached a settlement with the company requiring it to be independently audited immediately and every other year thereafter, for a period of 20 years, to ensure proper security measures are deployed. In the meantime, the CEO and CFO departed, and the company was delisted from the New York Stock Exchange. All told, a single stolen device cost the company over $100 million in fines, settlements and lost revenue.

This real-life example demonstrates the failure of numerous employees throughout the company to create, impose and maintain a security-conscious environment. You can only imagine how the employee, IT staff and executives felt bearing some level of responsibility for all that went wrong here, not to mention the damage, actual or potential, to the thousands of hospital patients whose personal health information and identities were left floating out there.

Hopefully, this story makes personal data security not just some theoretical, lofty goal to achieve, but something that is top of mind for every employee in every business that interacts with sensitive information. The best system of security is much more than just “doing as you’re told” or following a “to do list”; it is something that must be fully ingrained in the heart and soul of every part of an organization. The following skill sets, at a minimum, should be top of mind for every employee.

Understand security and what needs to be secured – At its most granular level, fully understand what each security step is supposed to accomplish, how it accomplishes it, and why that step is important to follow. Further, whether it is protected health information, Social Security numbers, or intellectual property, all employees should have a sense of what information within their organization has value.

Accept the fanatical need for security – It becomes tempting to make security a secondary priority when it seems to slow down the speed at which one’s work can be accomplished. While it is not always easy to foresee the potential scale of damage and financial loss, employees should recognize that security policies and procedures are in place to avoid the example above.

Keep an eye out for security gaps wherever you are and speak up – The more minds working the problem, the fewer the problems. It is important to develop a culture that doesn’t look down on the squeaky wheel.

A carrot works better than a stick – Reward employees who demonstrate a high level of daily security awareness as well as those who catch the missed security gap.

Security threats weigh heavily on IT and security professionals, and it is a responsibility that they should not bear alone. We all need to do our part to uphold the safeguarding of sensitive data.


As legal counsel & HIPAA compliance officer in the Investigations section at Absolute, Stephen Treglia provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. Stephen counsels the Absolute Investigations team, which conducts data forensics, theft investigations, and device recoveries. Stephen has extensive knowledge of the U.S. regulatory landscape, including SOX, HIPAA, and other industry-specific regulatory regimes.

Prior to Absolute, Stephen concluded a 30-year career as a prosecutor in New York, having created and supervised one of the world’s first computer crime units from 1997-2010.

Steve is a nationwide lecturer on legal issues pertaining to technology law, data privacy and security compliance, searching and seizing digital evidence, the admissibility of computer forensic analysis and other related litigation issues.

The opinions expressed in this blog are those of Stephen Treglia and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.