“Privacy” is the current buzzword sweeping the nation, and no matter who you ask, everyone seems to have a different opinion on the subject. With the latest revelations of government and business surveillance, both domestic and international, many people are asking themselves, “Is my private data actually private?” The tension between security and privacy is nothing new (and it will continue for years to come), but if anyone needs to be more worried than most, it is the businesses that handle sensitive, business-critical information on a daily basis.
Data Security Isn’t Just for the Big Fish
When we think of “big data” we most often think of big companies. The world’s largest publicly traded corporations already have well-developed information security programs guided by leading professionals. But what about all of those smaller businesses? Many small companies store the same types of private information: customer records, payment details, employee data. What are these companies doing to secure it?
Corporations are well aware of the severe losses that result from a breach of private information. They may suffer financial losses from the loss of customer data, they may lose an industry advantage when competitive information leaks, and they may lose their reputation (oftentimes the most valuable intangible asset) through the bad publicity that follows a data breach. Small organizations face the same risks, but don’t have the same resources to spend on protecting the data.
Surviving in the Open Sea
For small-company professionals, the path to a solid information security program has to begin somewhere. If your organization has no program, or is only in its infancy, you don’t need to boil the ocean. All journeys begin with a single step, and my years in the industry have established a few opening items to focus on when you set out to secure your data. Whether you’re a new organization looking for a place to start or you hail from a seasoned organization with a variety of controls and procedures in place, it never hurts to review the basics and reflect on where you stand.
Here are four tactics for maintaining tighter controls over your information:
- Publish Corporate Policies & Standards
The cornerstone of your information security program is the written set of policies and standards your team is charged with following. Without lines in the sand specifying what “acceptable” and “unacceptable” behavior is, your team is left to make up the approach as they go. Your policies and standards should not only define the organization’s access control model, but also give detailed instructions for how to reduce the risk of a data breach and how to respond after one occurs (who is notified, who makes decisions, and what gets preserved for investigation). They should also spell out the consequences for employees who violate them. These guidelines protect the organization not only from a data security standpoint but also from a legal standpoint in the event of a catastrophic loss of data. If you’re a brand new organization, don’t feel that you have to write all of this from scratch. A great place to start is the ISO information security standards (ISO/IEC 27001 and 27002). In addition, look for standards specific to your industry: health care, finance, manufacturing. There is never a need to reinvent the wheel; stand on the shoulders of the proven industry publications.
- Employ Proper Access Controls
Regardless of what system, software or platform you are charged with maintaining, access control needs to be a primary concern. Employees should be permitted to access only the minimum set of systems and data necessary to do their jobs. The pace of your organization may keep increasing, but that does not give you license to cut corners on this principle. It is often faster to give a user more access than they really need, but the time you save on the front end will likely lead to a costly waste of time on the back end, whether you’re charged with fixing access across thousands of users or are on the hook for an independent security audit following an incident. When multiple employees hold administrative privileges (or other excessive access) on systems they shouldn’t, it is not only harder to identify the source of a breach, but the odds of a breach occurring increase, since every over-privileged account is one more that an attacker can abuse. A practical corollary: give administrators a separate privileged account used only for administrative tasks, and have them do their day-to-day work (email, web browsing) from an ordinary account. By limiting your users’ system access and following the principle of “least privilege,” you minimize the damage a compromised user or disgruntled employee can do.
- Review Your Access on a Set Schedule
Along with a proper access control configuration, it’s important to review that configuration periodically to ensure it is still correct. When employees leave or move to new positions within an organization, updating their access privileges is too often overlooked. Ideally, deprovisioning is driven from the organization’s central directory (for example Active Directory), so that disabling a user there removes their access everywhere, but scheduled reviews are always a smart move. Administrators often create additional accounts directly in core systems, outside the directory, to test or simulate the experience of users with different rights. These accounts are missed when the normal deactivation process is followed, leaving a former user a way back into the system under an old account. Have a process in place for reviewing accounts, and make it concrete: on a set schedule, pull each key system’s local account list, reconcile it against the directory, and flag anything that has no matching directory user, belongs to a disabled user, or holds administrative rights without recent use. Include service accounts and shared accounts in the review, as they are the ones most likely to outlive their owners. The goal is to eliminate, not merely minimize, the chance that someone still has a backdoor into your key systems.
- Train Your Team
Lastly, the best way to ensure your employees act in a compliant, secure manner is to provide regular training that communicates the corporate policies relating to enterprise data security. This training should cover not only the standards that are in place, but also the consequences for breaking the rules. If employees understand the severity of a data breach within the organization (as well as the consequences), they will be less likely to cause one through carelessness and less tempted to cause one on purpose.
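The account reconciliation described under “Review Your Access on a Set Schedule” is easy to automate once you have an export of the directory and of each application’s local user table. The script below is an added example (not from the original post or from OrangePoint): it compares an application’s account list against the central directory and flags orphan accounts with no directory user, accounts whose directory user has been disabled, and administrative accounts that have not logged in within a configurable window. The record shapes, the 90-day window and the sample data are constructed for illustration; in practice you would load the records from an Active Directory export and the application’s user table.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Hypothetical record shapes; map your real AD export and application user
# table into these fields before running the review.
@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool

@dataclass(frozen=True)
class AppAccount:
    username: str
    role: str                   # e.g. "admin" or "user" (assumed role names)
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in

STALE_DAYS = 90  # assumed review window for unused admin accounts

def review_accounts(directory: Iterable[DirectoryUser],
                    app_accounts: Iterable[AppAccount],
                    today: date,
                    stale_days: int = STALE_DAYS) -> List[Tuple[str, str]]:
    """Return a sorted list of (username, finding) for accounts needing action.

    Checks, in order: orphan (no directory user), leaver (directory user
    disabled but application access still enabled), stale admin (admin role
    with no login inside the window). Already-disabled accounts are skipped.
    """
    by_name = {u.username.lower(): u for u in directory}
    findings: List[Tuple[str, str]] = []
    for acct in app_accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to review
        dir_user = by_name.get(acct.username.lower())
        if dir_user is None:
            findings.append((acct.username,
                             "orphan: no matching directory account"))
            continue
        if not dir_user.enabled:
            findings.append((acct.username,
                             "leaver: directory account disabled but "
                             "application access still enabled"))
            continue
        if acct.role == "admin":
            unused = (acct.last_login is None
                      or (today - acct.last_login).days > stale_days)
            if unused:
                findings.append((acct.username,
                                 f"stale admin: no login in {stale_days} days"))
    return sorted(findings)

# Constructed sample data (not real users or systems).
DIRECTORY = [
    DirectoryUser("alice", enabled=True),
    DirectoryUser("bob", enabled=False),    # bob has left the company
    DirectoryUser("carol", enabled=True),
    DirectoryUser("dave", enabled=True),
]

APP_ACCOUNTS = [
    AppAccount("alice", "admin", True, date(2024, 5, 20)),  # active admin, fine
    AppAccount("bob", "user", True, date(2024, 1, 3)),      # leaver still enabled
    AppAccount("carol-test", "admin", True, None),          # test account, not in AD
    AppAccount("dave", "admin", True, date(2024, 1, 15)),   # admin unused for months
    AppAccount("erin", "user", False, None),                # already disabled, skipped
]

TODAY = date(2024, 6, 1)

def main() -> None:
    for username, finding in review_accounts(DIRECTORY, APP_ACCOUNTS, TODAY):
        print(f"{username:12} {finding}")

if __name__ == "__main__":
    main()
```

Run against the sample data, the review flags bob (leaver), carol-test (orphan) and dave (stale admin) and leaves alice and erin alone. Case-insensitive matching on the username is deliberate, since directory and application exports frequently disagree on case; if your application keys accounts on something other than the username (an employee ID, an email address), match on that instead.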
Like any other organizational process, your data security program will continue to grow and evolve. The four points above will put you on the right track, but there will likely be many more controls you can put in place to build a program tailored to your company. If you’re feeling lost, seek out a trusted professional to guide you along the way. With these first few tactics in place, business leaders can feel a little more confident that their data is secure and private from those with ill intentions.
–Nick Butcher, OrangePoint