The news these days is all but overrun with stories of hackers, cyberattacks, cyberterrorism and the importance of cybersecurity.
While concerns about external threats to network security are completely valid (I think Target and its former CEO would vouch for us here), these make up only one side of the coin.
To be truly secure, you have to look at not only how easily outside forces can make their way into your network, but also how easily your sensitive data can make its way from the inside of your network out.
1. Your data
- Do you handle data that is subject to compliance regulations?
- Do you have data that only certain people in your organization should be able to access?
- What are the consequences of the wrong person accessing that data?
2. Remote access
Remote access is a beautiful thing — it lets us stay connected from home or on the road, and work until we just can’t work no more. But there’s also real risk involved any time you allow access to your internal network from external locations. Here’s what you need to look at:
- Does your organization have remote access capabilities? What kind?
- What devices are people connecting from? Company-owned equipment? Personal devices?
- Do they have access to network drives from these devices?
- Are they able to copy files from these network drives to their own machine?
The fact of the matter is that if your people are using a VPN connection to access your network data from their personal computer, you have no control over where your data ends up. Would you want everyone in your organization to be able to copy your clients’ financial information onto their desktop at home?
3. File sharing
Like remote access, the ability to collaborate on projects can do incredible things for efficiency and workflow. And, like remote access, solutions that allow you to share files also open the door to dangerous data sprawl. Take a look at your applications and determine:
- Does your staff share and sync their files across devices?
- What solutions are they using? A consumer-grade solution like Dropbox? Business-grade software?
- Are you able to wipe files from these applications should the person leave your company?
- Is the application synced to personal devices that you cannot access?
We’ve heard from folks who have been separated from organizations for years and still have sensitive company data in their Dropbox account. That organization probably doesn’t have a clue.
4. Mobile devices
You can probably see where this is going by now. When you’re trying to keep internal information from getting out, it’s especially important to look at the devices that are literally walking out of your office doors. You need to have a handle on:
- What devices have access to your network?
- Are they managed? Subject to any security scans?
- What happens if the device is lost? Can you wipe the data?
- Is the data on that device encrypted? To what extent?
- To what lengths do you restrict access to these devices? Simple key codes? BIOS passwords?
As you move through all of these questions, understand that the more restrictive you get with your policies, the more your team’s ability to work efficiently may be impacted.
Take away mobile device access and your staff won’t be able to stay connected while they’re away from the office. Encrypt all of your files and you’ll have to take the time to decrypt (not to mention the fact that your storage amounts will go through the roof). Ban file sharing solutions and your team will have to spend time emailing documents back and forth and back and forth.
As you can see, there’s a fair amount of give and take where data privacy policies are concerned.
In order to make sure you have proper control of your data, however, you have to make a decision about what’s more important to you and the future of your organization, and what might happen if you give a little too much.
From there, it becomes a matter of taking your policies and making them a part of your everyday operations. Remember that “policy” in the theoretical sense won’t hold very much water when it comes time for a compliance audit.
As originally published in the American City Business Journals