Recent reports have outlined the failure of security of an unencrypted hard drive from the Federal Privacy Commissioners Office, as outlined in a recent article from IT World Canada. It appears what happened is a portable hard drive that was connected to a server went missing during an office move to a new location. Embarrassing and potentially a high security risk situation caused by simple human error. 
Let's look at what might have been the scenario.
At some point a decision was made that there should be replication of data in a server and a couple of portable drives were connected. Since these drives were going to remain in the server room under secure access there was no apparent need to encrypt the data on the drives. In the normal course of business there would be little concern since the ability for unauthorized access to the drives would be not much different than for drives installed in the server itself.
Of course when the normal situation changed the security issues increased and the error was made. A high risk situation developed.
What can be learned from this situation?
Instead of just thinking about the embarrassment and irony of the circumstance it is valuable to apply some thought to what other circumstances might occur which could lead to similar issues.
Since there is so much data coming from so many places in offices it is much more important to think about what needs to be done to make it secure. Whether it is accounting data, sales data, CRM (customer relationship management) data, document filing, inventory, research data, personnel data or any other critical information which is created through the normal course of business, external exposure could be disastrous or embarrassing. Here are several places where data could be exposed without care being taken.
-
Data stored on personal laptops or mobile devices which are carried by employees.
-
Data placed on portable hard drives used for server backups (common in many small businesses) and removed for offsite backup.
-
Data stored on portable USB flash drives for ease of transport.
-
Data placed in cloud storage without encryption.
-
Data left on old, obsolete computers which have not been removed from service or have just been left to be 'cleaned up later'.
-
Data on devices taken to an offsite service centre and left for repairs.
-
Data on computers which are located in areas which might be more vulnerable to physical theft like reception areas or shipping docks.
This list illustrates the ways that data moves within your business and how seemingly innocent activity could lead to inadvertent consequences. There are many more you can come up with if you take a walk through your offices and warehouses.
How can you protect yourself?
-
Step one is to build your own list as above looking at each of the areas of your business that might hold critical and proprietary data.
-
Step two is do a physical inventory on a regular basis and keep a record any time a storage device is attached to computers or your main network. Understand why a device is needed and how it will be used.
-
Step three is to consider encryption of all data that is of high importance and storage only in a manner which would make access to the data secure. This type of protection could be built into software you run or may require a secondary step to be deployed.
-
Step four is to communicate regularly to all your employees how important data integrity is to the success and continued operation of your business. Don't let people think that your data is not 'special' just because you do not operate in a highly secure business sector. Your data is critical to your business so its security and integrity is also critical to your business.
-
Step five is document your procedures around data and establish the minimum standards that everyone is expected to meet.
-
Step six is to audit your practices and look for holes that might be introduced over time. Be especially vigilant any time that a new software package or significant upgrade is deployed.
-
Step seven is to consider having an external party do a review of your procedures and systems to see if there are any areas you have missed.
-
Step eight is to develop a regime of questioning about data security. Ask the question with every important business move. Is the data from this action being handled in a secure manner?
Can you guarantee you will never have a breach? Probably not, but you can reduce the potential for an error to a very small level and you can put preventative measures in place that ensure if data ever went missing, its interpretation and access would be very hard to achieve by a third party.
How's your data protocol? Is embarrassment or disaster on your horizon?
Lee K
Photo Credit: By Edward (Own work) [Public domain], via Wikimedia Commons
