CEOs discuss the steps that their organizations are taking to protect sensitive data. Some rely on staff training, while others employ the help of vendors.
How are you protecting your organization against a potential data breach?
An organization's greatest data vulnerability is its staff. NJCPA put effort into training staff to recognize potential fraudulent e-communications that could compromise member data. Our hope was that they would recognize and not open these bogus attachments. Staff who did were given additional instruction. The effort paid off: At the end of the program, 99 percent of the fraudulent emails were left unclicked.
—Ralph Albert Thomas, CEO and executive director, New Jersey Society of CPAs, Roseland, New Jersey
TCA is a small-staff organization. My approach to data security has been to move most of our critical data to third-party vendors. Our AMS system is hosted with a much higher level of security than we could reasonably afford, and we recently replaced our aging network server with a cloud-based server. The changes make our data more secure, yet easily accessible for staff.
—Alan Sparkman, CAE, executive director, Tennessee Concrete Association, Nashville, Tennessee
AAN has taken multiple steps to protect against a data breach. First, security of user passwords was increased. Second, we implemented internal controls to review security groups quarterly. This ensures that only users who are supposed to have access to our data have access. Finally, we recently became PCI compliant. This resulted in implementing controls within our AMS to prevent credit card data and other sensitive information from being stored within our database.
—Catherine M. Rydell, CAE, executive director and CEO, American Academy of Neurology, Minneapolis
Keeping software updated and patched, and building and testing secure systems, are always the foundation for protection from a potential data breach, but we focus a lot of attention on not storing sensitive data. We don't store credit card numbers or Social Security numbers, and staff are prohibited from emailing these—even between internal staff accounts—to avoid widening any possible exposure.
—Randy L. Swing, executive director, Association for Institutional Research, Tallahassee, Florida