By John Sileo, consumer security expert
In Part II of this series, we started getting on our way in the technological side of protecting our business’ data. Once you go through with the remaining three steps, you should feel confident in the measures you took to secure your business.
5. Don’t let your mobile data walk away. Mobility is a double-edged sword: it brings convenience but puts confidentiality at risk; 36-50% of all major data breaches originate with the loss of a laptop or mobile computing device.
Strategy: Hire a security professional to implement strong passwords, whole-disk encryption and remote data-wiping capabilities for your laptop. Set your screen saver to engage after 5 minutes of inactivity, and require a password to unlock it. Finally, lock your goldmine of data down when you aren’t using it: store it in a hotel room safe when traveling, or lock it in a private office after work. Physical security is the most overlooked, and the most effective, form of protection.
6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out—but you probably don’t use it regularly.
Strategy: Take a day to pretend that you are your fiercest competitor, and sort through all of the trash going out your door. Search for sensitive documents. Do you find old invoices, employee records, bank statements and other compromising papers? Parading these documents before your staff is a great way to drive your point home. Occasional “dumpster audits” will inspire your employees to think twice before failing to shred the next document.
7. Anticipate the clouds. Cloud computing is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached.
Strategy: Evaluate your business’ use of cloud computing by asking these questions:
- Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)?
- What happens if the cloud provider goes out of business or is bought out?
- Is your data stored locally, or in another country that would be interested in stealing your secrets?
- Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? (If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.)
This is a cost-effective, incremental process of making your business a less attractive target. Remember, the process doesn’t start working until you do; so take these simple steps, including those in Part I and Part II, to starve data thieves of the information they literally take to the bank, and secure your business.