Security – how can you protect your data?

Every business is different and the way they do business is as different as they are.   To expand that further then every organisation has a different or better way of implementing security and they have a definitive way of looking at that protection.

To most businesses some of the systems that are in place  they work, others work because they haven’t been tested and the rest ( very few) have done everything in their power to protect themselves and checked that protection.

There are a number of requirements that have to be thought through and tested to make sure that you have done everything in your power to protect your information.

Here are six thoughts to mull over!

Portability

All data is portable in some way or other or it would be of no use to businesses.   The level of portability is critical for a business.   An R & D company would need to protect its secrets but it needs to be able to function as a think tank.   How do you ensure that information is not leaking from a business.   Although you have to trust your employees you also have to ensure that they can be trusted.

Commercial in confidence information and higher needs to be managed under stricter criteria than other data and this information needs to have some level of tracking.   You can restrict access with policies, technology and also have systems that will store and track the transfer of information to USB devices.

Restrict the portability of critical information

 Data Lifetime

All information has a life time.   It may have a shelf life of 12 months, 4 years or 10 but at some point that information has to be involved in a process of archiving and destruction.    This goes for both physical and electronic data.

Make sure that you have a policy for data destruction and keep track of when and where data was destroyed.   Other items to track include old hard drives, old tape and tape drives and USB devices.   The number of times that confidential information and data has turned up at a rubbish tip goes to show how vulnerable a business can be.

Create a road map for data destruction

 Storage location

Most businesses have some level of server or centralised data storage.   Small businesses may have a couple of computers accessing all of the same information, other businesses may have a proper server environment while others may keep their information in the cloud.   No matter where the data is stored and accessed,  some level of tracking needs to  be in place.

Your data also needs to have access lists applied to it.   This restricts and encourages an internal attitude of need to know.   Not everyone needs access to all of your information all of the time.

Work out your own internal need to know process

 Responsibility for destruction

One of the largest problems with data a security is to make sure that someone is delegated the responsibility of destroying the records.   This includes documentation and following processes to ensure that all data is destroyed and when but also why some data has not been destroyed or kept passed its time.

In addition this delegated person also needs to be trusted because he may have  access to information that he previously did not have or was not required to have.   Three year old commercial in confidence information can still be damaging to a business if it is released to the public.

 Delegate responsibility for destruction to a trusted person.

 Audit regularly and constantly

One of the best ways to make sure that your internal business information and data is secure is to have a decent level of auditing for the data itself.   A system of tracking data access, data use and data transfer is critical to protecting that information.  in fact if you do not audit your data then you are in no position to ensure it is safe

Auditing and reporting on a regular basis can catch data breaches and ensure they are kept to a minimum.    Whether the breach is accidental or criminal.   A system of alerts for critical data, daily reporting and monthly Checks can ensure that data is not moved or manipulated without due process or someone external to the data knowing about it.

Protect your business by putting in a system of alerts and reporting.

 Policies to reflect business and external requirements

There are two areas that your business needs to focus on when incomes to data security.   Protecting the information because it is critical to your business or protecting your information because you will break the law if you do not.

Either way protecting that information can only be achieved with the correct policies and procedures in place.   These policies and procedures ensure that only the right people have access, the data is accessed the correct way and that access is tracked correctly.

Utilise correct policies and procedures within your business. 

 The more important the information for either the business or compliance requirements, then the more strict access and reporting on that data needs to be.    If it is critical to your business then I can guarantee that some else wants access to it.

Make sure that they do not.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.