The news these days is all but overrun with stories of hackers, cyberattacks, cyberterrorism and the importance of cybersecurity.
While concerns about external threats to network security are completely valid (I think Target and its former CEO would vouch for us here), this only makes up one side of the coin.
To be truly secure, you have to look at not only how easily outside forces can make their way into your network, but also how easily your sensitive data can make its way from the inside of your network out.
This is especially critical if your organization handles sensitive data in any capacity. How can you be sure that you have a firm grasp on where your data is going? By creating and enforcing a thorough data privacy policy.
Putting this policy together, of course, can be easier said than done. That’s why we at Optimal hear a lot of questions about what elements a successful data privacy policy needs to address (and if we aren’t hearing these questions, you can bet that we’re asking them).
There are many factors to consider when creating a data privacy policy, but we’ll break down the key elements you absolutely must address with your policy below.
1. Your data
Before you can make any progress with a data privacy policy, you must first understand what kind of data your organization handles on a day-to-day basis. This is fundamental to determining how strict your data privacy policy needs to be, and how much effort you need to dedicate to enforcing it. Ask yourself:
- Do you handle data that is subject to compliance regulations?
- Do you have data that only certain people in your organization should be able to access?
- What are the consequences of the wrong person accessing that data?
Any time compliance is a factor — be it HIPAA, Sarbanes-Oxley, PHI, PII or otherwise — you absolutely cannot afford to leave any room for error with your data privacy policy. In other cases, it might not matter if all of your data were broadcast all over the globe. The point here is that, regardless, you must know where you stand.
2. Remote access
Remote access is a beautiful thing — it lets us stay connected from home or on the road, and work until we just can’t work no more. But there’s also real risk involved any time you allow access to your internal network from external locations. Here’s what you need to look at:
- Does your organization have remote access capabilities? What kind?
- What devices are people connecting from? Company-owned equipment? Personal devices?
- Do they have access to network drives from these devices?
- Are they able to copy files from these network drives to their own machine?
The fact of the matter is that if your people are using a VPN connection to access your network data from their personal computer, you have no control over where your data ends up. Would you want everyone in your organization to be able to copy your clients’ financial information onto their desktop at home?
3. File sharing
Like remote access, the ability to collaborate on projects can do incredible things for efficiency and workflow. And, like remote access, solutions that allow you to share files also open the door to dangerous data sprawl. Take a look at your applications and determine:
- Does your staff share and sync their files across devices?
- What solutions are they using? A consumer-grade solution like Dropbox? Business-grade software?
- Are you able to wipe files from these applications should the person leave your company?
- Is the application synced to personal devices that you cannot access?
We’ve heard from folks who have been separated from organizations for years and still have sensitive company data in their Dropbox account. That organization probably doesn’t have a clue.
4. Mobile devices
You can probably see where this is going by now. When you’re trying to keep internal information from getting out, it’s especially important to look at the devices that are literally walking out of your office doors. You need to have a handle on:
- What devices have access to your network?
- Are they managed? Subject to any security scans?
- What happens if the device is lost? Can you wipe the data?
- Is the data on that device encrypted? To what extent?
- To what lengths do you restrict access to these devices? Simple key codes? Bios passwords?
As you move through all of these questions, understand that the more restrictive you get with your policies, the more your team’s ability to work efficiently may be impacted.
Take away mobile device access and your staff won’t be able to stay connected while they’re away from the office. Encrypt all of your files and you’ll have to take the time to decrypt (not to mention the fact that your storage amounts will go through the roof). Ban file sharing solutions and your team will have to spend time emailing documents back and forth and back and forth.
As you can see, there’s a fair amount of give and take where data privacy policies are concerned.
In order to make sure you have proper control of your data, however, you have to make a decision about what’s more important to you and the future of your organization, and what might happen if you give a little too much.
From there, it becomes a matter of taking your policies and making them a part of your everyday operations. Remember that “policy” in the theoretical sense won’t hold very much water when it comes time for a compliance audit.
—
As originally published in the American City Business Journals