The issues of privacy of IT data never seem to end. The Canadian Government privacy commissioner recently reported that data breaches are up again in government circles. Part of the increase may be due to greater vigilance on the part of agencies and the commission, which is now supposed to be notified by any government agency that has a breach.
It appears that many of the problems still involve human error and somewhat sloppy practices, and the office has issued a tip sheet to help users avoid the easily avoidable problems. The tips include physical controls, such as locking portable materials in secure locations (cupboards) or where access is restricted; technological controls, such as encrypting data on drives, USB sticks, etc.; putting serial numbers or identifying codes on devices to make them easier to track; and, finally, avoiding the use of portable devices for storing personal data as much as possible.
These kinds of tips are suitable for other organizations as well. What would the result be if your company leaked a supplier's price list to a public source? How many of your employees are carrying unencrypted portable devices that contain important company data which could be of value to competitors?
Often the focus of SMB data security is the in-house network and maybe any cloud operating tools you may have. In many instances the portable devices which are connected to the network, or used for convenience in field operations, are not considered a potential source of a serious data leak. The stored message trail in a cell phone could offer clues to your operations if it was found by the wrong person.
The more portable a device is, the easier it is to lose in normal daily operation. Sometimes when these kinds of devices are lost, little effort is made to ensure that the information they contained was secured. Luckily, in most instances there is little impact, but where they fall into the wrong hands the impact could be serious. Steps taken to avoid problems are worth taking. Even simple password protection of a cell phone is one step that could help.
A key part of securing your data is making sure that it does not fall into the wrong hands internally either. Often little effort is taken to compartmentalize data so that only those employees who need access to specific material have it. The use of uncontrolled central hard drives, the "friends" drive as one client calls theirs, can make it easy for anyone to delve into extra material. The assumption is that no one will spend time trolling around to look at other data they don't really need to have, and this assumption is usually true.
Unfortunately, it is not always true, and it is usually the disgruntled or unhappy person who has been inadvertently given the keys to the kingdom who could create the ultimate problem.
A time to be especially cautious with this type of access is just before an employee is terminated or when someone is about to leave, even on good terms. An employee being able to leave with your information may be unexpected, but it does happen.
Government data breaches are usually public knowledge, especially the large ones, and we are seeing similar situations with large corporations where public personal data is exposed.
SMB data can be just as important to those who are the subject of the data stored, be it patient files, insurance information, or whatever. Using solid data protection procedures is a first line of defense against having to communicate the embarrassing and costly story to your clients that their information has been compromised. Better to put the effort into protecting it up front than to have to deal with the result of a failure.
What steps do you take to control data breaches? Do you have a documented process? Do you train your people to know what to do?