Data security often seems to focus solely on protecting valuable (or sensitive) information from falling into the hands of third parties. By securing computer networks against intrusion, many organisations feel that they have protected themselves from all potential data theft.
However, your business faces just as many security risks inside the corporate firewall. Even if you have a completely trustworthy workforce, negligence or simple human error can leave important information exposed.
Reminder – why data protection is critical
There are several reasons why data security should be a priority for your business:
· Your business is legally obliged to secure personal information under the Data Protection Act (1998). Losing or leaking personal data, even accidentally, can be punishable with a large fine and potentially a prison sentence.
· Theft of intellectual property can cost your business in lost revenue and competitive advantage.
· Theft of financial data could result in further losses, either from company accounts or those of employees who have had their personal banking details compromised.
· Reputational damage and loss of trust. Data security breaches can damage investor confidence and relationships with business partners who fear that their information could also be compromised.
With these factors in mind, the importance of internal data security should become apparent.
What do you need to protect?
Your business probably already knows the information that it needs to protect against theft and loss, but it is good practice to regularly review security arrangements to ensure that everything is covered. Here are a few to consider:
· Financial details – company results, bank account details and customer transaction details all need to be protected from loss or theft.
· Product development details – any intellectual property regarding planned or existing products needs to be protected from theft.
· Employee and customer details – your HR and CRM systems need to be ring-fenced to prevent sensitive personal information being accessed without proper authorisation.
Should this information be passed on to a competitor, or permanently lost, could your business survive? If the answer is no, you will need to review and improve security protecting that information. Approach each of your company data stores with this mind-set to ensure that information is valued and protected appropriately.
How to protect company data
With so many internal threats to data security, coming up with a protection mechanism that works for your business will involve planning, testing and refinement. Here are some points to consider:
Social engineering
The weakest point of any security system is always the people who use it. Cyber attackers often target people rather than computer systems, because they are easier to manipulate. Gaining access to a protected system is often as easy as asking someone for their password. How many times has someone “from IT” asked for your password to fix a problem for you? Were you sure they were from IT?
Employees need constant reminding that login details and passwords are:
· Personal
· Never to be divulged.
Similarly, IT personnel need to reset user passwords, rather than ask for them.
Create policies regarding data security, train staff to recognise common security issues, and enforce policies if breaches occur. In this way, staff will know exactly what is expected of them and will also have a better understanding of how seriously your business takes data security.
Personal devices
Bring Your Own Device (BYOD) is a hot topic for businesses looking to increase flexible working without capital expenditure on new computer equipment. BYOD allows staff to connect their own smartphones, tablets or laptops to the company network to access email and files.
Most businesses using BYOD believe that there are significant benefits to be had by allowing staff to be productive any place, any time, but there are also some serious risks:
· Company data stored on personal devices may go missing should it be stolen or lost. The thief can then potentially use that information to the detriment of your business.
· Devices that have been authorised to use company resources can be used to access the company network by thieves, giving them a back door by which they can steal more data.
· Personal devices can harbour all kinds of malware, such as computer viruses, that can damage corporate systems and destroy data.
If your business is interested in implementing BYOD, it is essential that there are appropriate security policies and systems in place to regulate data access. It is also critical that personal devices are protected by a passcode and have the ability to be “wiped” remotely, deleting sensitive data in the event of the device being lost or stolen.
Internal security
Your company also needs to make use of advanced security features to protect data. This could include:
· Activating additional password protection to protect specific systems from being accessed by unauthorised users.
· Tightening file protection policies and security groups, again to prevent unauthorised data access. Access to HR and payroll data should be restricted to members of the HR team, for instance. Systems such as those provided by Cezanne HR also allow granular security protection, restricting the most sensitive data to specific specialist users. If your system supports role-based security, it should be configured and enabled for greater protection.
· Using auditing to track user activities and ensure that data is not being accessed or used inappropriately.
· Disable the use of removable media for unauthorised users to reduce the risk of theft or loss.
· Prevent data export where users have no need to download information as part of their duties. Valuable data such as customer contact details, or sensitive information such as payroll details, should not be downloadable or exportable by default.
· Ensure antivirus software is active on servers (including email) and workstations, preventing malware from getting onto your network through the usual weak points.
The rule of thumb for any security decision is initially to restrict access to as few people as possible. Security can always be adjusted later as required, but taking a safety-first approach will help avoid obvious data security problems from the outset.
Your staff may operate responsibly and ethically at all times, but for complete data security your business must recognise that there are dangers inside the network, as well as out. To keep your business data safe, use the tools available to plug gaps, train your staff to act responsibly, and ensure that security is reviewed and updated regularly.
Image of USB drive from Flickr