In life and business today we have the luxury of technology that provides unprecedented convenience and productivity. But some of the same tools that help us do more also threaten our security and could potentially undo all our hard work.
Wherever your company’s critical data or client/patient personal data can be stored or accessed, you must take precautions to control and safeguard that information. If your organization is HIPAA regulated, the physical safeguards standards require that certain steps be taken (and documented) to implement device and media controls.
Encryption
Encryption is vital for protecting critical data and should always be a first line of defense. We have seen numerous cases of an unencrypted laptop being lost or stolen and costing a company millions of dollars in fines and penalties. This kind of loss is common, and it is painful to watch knowing how easily it could have been prevented.
Encryption is really your data’s first line of defense. But we know too well that nothing is truly foolproof, and even the best technology cannot negate the need for common-sense measures in protecting your company’s critical information. For example, when physical backups are necessary, these tapes or files must be maintained with extra care. Ideally such archives are kept under tight security with encryption in place. We often see, however, critical backup data stored in the same physical location as the live systems. In the event of a natural disaster or physical issue at the facility, both the live system and the backup could be inaccessible or destroyed. A similar scenario can play out when backups are held electronically on systems that are not sufficiently separated. We have seen the simultaneous loss or breach of critical systems destroy a company in a matter of hours. A backup is more than a copy; it must be a protected version held in a different system and/or location that can be accessed quickly in an emergency or when a security incident occurs.
Even with the best security technology and encryption in place, there is still the risk of a weakness in an unpatched tool, a clever attack, or human error. Your company’s last line of defense is the diligence and awareness of your employees.
Acceptable Use
To clearly document what is expected and what is and is not acceptable in the use of your company’s resources, it is important to have an Acceptable Use Policy in place. The SANS Institute provides a free policy template that can be customized for your organization. Documenting your company’s policy in detail is necessary, but you must also be sure that employees understand the expectations and the importance of their role in diligently safeguarding your systems and data. Each employee needs to be trained and reminded of the risks. For example, they must understand that USB devices such as flash drives are notoriously dangerous, both for carrying malware that can infect the system and for being lost or stolen, which can compromise your company and client data.
Every employee must be made aware of the risks and the potential consequences of using removable storage devices inappropriately or without taking proper precautions.
The convenience of mobile access has come with a dark side. The inevitability of employee access using their personal devices raises questions and concerns that businesses cannot ignore. They say “the best defense is a good offense.” You can work proactively with employees, creating policies to protect their personal information as well as the company’s data and helping them understand how to use their devices safely.