Despite all the bad cybersecurity news you see weekly – even daily – and despite all the clear risks, security unfortunately is still not a top concern for many businesses. But it needs to be.
Although every organization needs a security policy, there is no one-size-fits-all solution. Every company is different, with unique applications and a unique environment. So a policy to address data loss prevention and recovery must focus on the specific corporate needs.
It starts with the data you need to protect. Consider where your data lives, how it is currently protected, who has access to it and whether they are able to transfer the data, or cut and paste it, from different locations. How do you track the data once it leaves your environment either via email or remote access? How do you control who has access to it, when, and why?
Embrace data security
As an organization, you need to wrap your arms around the security of data. Sometimes that means dealing with minor inconveniences. A company in which employees telecommute and use the cloud will have a higher security risk than a company where everyone works in one office. But many companies make that tradeoff, because they don’t want to give up the convenience of remote work.
Unfortunately, there is nothing convenient about security.
It’s kind of a push-and-pull war between IT, charged with maintaining security, and the visionaries trying to create a flexible, innovative culture in their organization that can attract superstar talent.
I’ve worked in environments where you had to work on-premise, you couldn’t take discs or data offsite, and you could never work remotely. That’s not very convenient or realistic today. The challenge is to find the happy medium, a controlled environment that can still offer some degree of flexibility and mobility.
I call it security methodology. It’s about the methodology of the organization, and if the culture is a relaxed, creative one, sometimes ingenuity can supersede security. That’s a problem. As you develop a data policy, you must adjust the culture of your organization as needed to emphasize the importance of properly handling confidential data.
Best practices for data loss prevention
In a data loss prevention and recovery policy, there are a number of best practices to keep in mind, such as:
- Encryption. Whether you encrypt your data while it is “at rest” or while it is in transit, or both, encryption is a critical factor in terms of protecting your organization and its information.
- Two-Factor Authentication. Requiring a user to input a user name and password while at the same time using a separate security token, makes it incredibly difficult for a hacker to get value out of a hacked password. Often these tokens have ever-changing passwords of their own that can be entered in tandem with the usual password. Another approach is if someone logs into the network, a message pops up on their mobile phone that notifies them of the log-in and allows them to verify that it is them.
- Biometric Scanning. In particularly high-security environments, this use of retinal scans or fingerprints or other unique personal characteristics can provide a further layer of verification that the individual requesting access is the correct one.
- Lockdown Policy. You should have one of these for every laptop and PC in your organization. Three failed attempts at entering a user name and password will trigger a lockdown and render the machine unusable until the problem is corrected.
- Physical Security. Is your data center equipment fully secured? If you are working in the cloud, at least your own organization’s equipment needs to be locked up, with controlled access, and outfitted with alarms to deter intrusion. Some high-security environments even require two-person authentication, which requires that any employee seeking physical access of any kind must be accompanied by another employee.
As you start to build a data loss prevention and recovery policy, the first thing you need to do is get outside expert help. No matter what business you are in, you probably aren’t a security expert. The outside experts will help you build the strong written policy that you need, one that lets everyone know the importance of network and data security and details processes where needed.
Reinforcing the policy
The policy is only the beginning. Ongoing training and reminders to users about security best practices need to be frequent and effective. Users need to be alerted to new threats and vulnerabilities so they remain aware. Some companies go so far as to send out fake emails and otherwise test their employees’ security awareness.
The biggest security threat for companies and individuals is a failure to take it seriously. The attitude might be “my company is so small, who would be interested in our data?” Or they think that as a company they are flying under hackers’ radar. It’s a common attitude, but a very dangerous one.
To CIOs, I say that if you aren’t talking about security, if it isn’t your number one concern, you could be putting your company’s data at risk.