CEO to CEO: Data Breach Considerations
How are you protecting your organization against a potential data breach?
Ralph Albert Thomas
CEO and Executive Director, New Jersey Society of CPAs, Roseland, New Jersey
An organization’s greatest data vulnerability is its staff. NJCPA put effort into training staff to recognize potential fraudulent e-communications that could compromise member data. Our hope was that they would recognize and not open these bogus attachments. Staff who did were given additional instruction. The effort paid off: At the end of the program, 99 percent of the fraudulent emails were left unclicked.
Alan Sparkman, CAE
Executive Director, Tennessee Concrete Association, Nashville, Tennessee
TCA is a small-staff organization. My approach to data security has been to move most of our critical data to third-party vendors. Our AMS system is hosted with a much higher level of security than we could reasonably afford, and we recently replaced our aging network server with a cloud-based server. The changes make our data more secure, yet easily accessible for staff.
Catherine M. Rydell, CAE
Executive Director and CEO, American Academy of Neurology, Minneapolis
AAN has taken multiple steps to protect against a data breach. First, security of user passwords was increased. Second, we implemented internal controls to review security groups quarterly. This ensures that only users who are supposed to have access to our data have access. Finally, we recently became PCI compliant. This resulted in implementing controls within our AMS to prevent credit card data and other sensitive information from being stored within our database.
Randy L. Swing
Executive Director, Association for Institutional Research, Tallahassee, Florida
Keeping software updated and patched, and building and testing secure systems, are always the foundation for protection from a potential data breach, but we focus a lot of attention on not storing sensitive data. We don’t store credit card numbers or Social Security numbers, and staff are prohibited from emailing these—even between internal staff accounts—to avoid widening any possible exposure.