It may seem obvious, but some businesses don’t appreciate that securing information means you need to know what you have and where it gets stored. Not so long ago you knew that information stored electronically would be held on servers within your building(s), at a secure data centre or on backups held by a trusted third party. The widespread use of ‘the cloud’ – which can be thought of as a computer you do not control – and mobile devices has meant that your valuable business information can now be spread far and wide. And if it is ‘dripping’ out you need to stop it turning into a flood that results in a security breach.
So how do you address this situation? The first step is probably to develop a policy that defines where you are allowed to store information. The policy needs to be referred to in your employment contract and employee handbook. Then you look at threats to the information and ways to reduce or eliminate them. For example, if you allow it to be stored on phones, you may want to ensure they have a six-character alphanumeric password to unlock them and mobile device management software that can remotely wipe devices that are lost or stolen. The third step is to educate staff so they know what is allowed. The last step is going to be some form of internal audit to check that the policy reflects current business requirements and that staff are following it.
So now you can relax? No. In today’s business environment, options to ‘work smarter’ keep coming at us. It may be an app that has just come out and a team decides it would be the perfect way to collaborate on a pitch or project while they are out of the office, or a client insists on having sensitive information put into a cloud storage service that works for them, even if it doesn’t encrypt data while it is being transferred. Or someone has to work on documents over the weekend and decides to put them into the cloud storage area provided with their personal Gmail or Outlook account.
The reality for many businesses is that stopping this drip, drip, drip of data to unauthorised areas is nearly impossible. What you need is a combination of:
- a policy that defines authorised ways to store information but also has a mechanism for requesting a concession when it is not followed for valid business reasons. By having concessions you can still track where information is being stored
- a regular review of threats to information – internal, external and from suppliers – and ways to reduce or eliminate them
- tools to check which cloud services and web apps are being used to confirm that concessions are being requested, and a way to block services known to cause business issues
- a training programme that reinforces why there are authorised ways of storing information, staff responsibilities for proactively requesting concessions, and the penalties for failing to be responsible
- a programme of internal audits to check what is being done
Each company needs a combination of the above that works for their culture and business. Get in touch for expert advice on how to do this. We can be your plumber to make sure any drips are caught, and to stop them turning into a flood.
PS Eagle-eyed readers will have spotted that I am talking about information rather than data. But I didn’t want to spoil the opportunity to use the ‘drip, drip, drip of data’ headline.