Keeping sensitive information secure from theft and exposure in today's digital world isn't as easy as putting a lock on the file cabinet, especially with the widespread adoption of cloud computing. Even if you take every precaution with your online accounts and identifying information, there are many ways that information can end up in another individual's or company's data management systems, where it can be exposed to data theft or data leakage. Use our contact form to help us contact you for Data safety advice.
At IctTel Uganda, we specialize in helping businesses manage and secure various types of company data. Our top priority is helping our customers keep their sensitive data where it belongs and as secure as possible.
The biggest mistake companies make when it comes to securing sensitive data is…
According to Jonathan Gossels, President of System Experts, a network security consulting firm specializing in IT security and compliance, it is the lack of understanding of where their sensitive data resides: they have not set policies to systematically and consistently categorize their data, and consequently they don't have controls in place to ensure that all categories of data are handled appropriately.
For example, if a company has a policy that says any data set that contains personally identifying information is considered to be “sensitive” and has to be encrypted both in transit across a network and at rest, and the company has implemented technical controls to enforce that policy, it is very likely that the data set is safe.
There is also a user education dimension to this problem – users need to understand the sensitivity of the data they work with and their role in keeping it safe. In many cases, this involves educating users about what not to do.
For example, access to payroll data is usually restricted to those employees who process the payroll and those who review it. This is usually done within a payroll application that has built-in security and access controls. Payroll data and similar data sets should NEVER be downloaded onto an unsecured laptop, which undermines all the required controls. In one very public data breach a few years ago, when such a laptop was lost, millions found themselves at risk of identity theft.
The best way to secure sensitive data is to do the basics well (like blocking and tackling in football). Understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.
In Chuck Davis' view, the biggest mistake companies make when securing sensitive data is failing to classify it properly and to protect it against current threats.
There are three essential parts to proper protection of sensitive data.
- Data Classification – Companies must understand what data needs to be protected and create a Data Classification Policy to classify data based on sensitivity. At a minimum, three levels of data classification are needed:
  - Restricted: This is the most sensitive data, which could cause great risk if compromised. Access is on a need-to-know basis only.
  - Confidential or Private: This is moderately sensitive data that would cause moderate risk to the company if compromised. Access is internal to the company or department that owns the data.
  - Public: This is non-sensitive data that would cause little or no risk to the company if accessed. Access is loosely controlled, or not controlled at all.
- Encryption – Encryption is a very generic term, and there are many ways to encrypt data. Companies need to implement and manage encryption correctly. The key to a good encryption strategy is using strong encryption and proper key management. Encrypt sensitive data before it is shared over untrusted networks (e.g. encrypted email, encrypted file storage).
- Cloud Misuse – Storing data in the cloud equates to storing your data on someone else's computer. Once it's there, you no longer have control over it. If that data is classified or sensitive, encrypt it BEFORE uploading it to the cloud. If you will be sharing keys with the cloud provider, make sure you understand the cloud provider's policies (e.g. What is their backup policy? Who has access to your data? What is their data breach communication policy?).
By understanding what you’re trying to protect, and creating a strategy to protect each level of data appropriately, companies can adequately secure data against the threats of today.
Chuck Davis, MSIA, CISSP-ISSAP, is an author, professor and Senior Security Architect. He teaches Ethical Hacking and Computer Forensics classes at Harrisburg University and is a Senior Security Architect at a Fortune 500 company, having previously worked as a Security Operations Manager for IBM. He holds the CISSP and ISSAP certifications from (ISC)2. He has also co-authored two books on security, holds four patents and has four published invention disclosures. He has spoken at numerous security conferences and was a featured guest speaker at the Hacker Halted conference in Mexico City and Atlanta, GA.
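The policy Gossels describes (anything containing personally identifying information is sensitive, so it is encrypted in transit and at rest, and a technical control enforces that) and Davis' three parts (classify, encrypt with proper key management, encrypt before the cloud sees the data) can be implemented together. The Go program below is an added example written for this page; it is not code from either contributor or from IctTel Uganda. It assumes a flat record of named fields, a constructed field-name policy that stands in for a real Data Classification Policy, and a 256-bit master key that stays on premises. Public records pass through in the clear; anything higher is encrypted with AES-256-GCM under a fresh per-record data key, that data key is wrapped under the master key (envelope encryption), and the classification label is bound in as associated data, so a copy whose label has been downgraded fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

type Level int // the text's three tiers, ordered so Classify can take the highest level any field triggers

const (
	Public       Level = iota // little or no risk if accessed
	Confidential              // internal to the owning company or department
	Restricted                // need-to-know only
)

// policy is a constructed example (an assumption, not a standard): field names that force a level.
var policy = map[string]Level{
	"ssn": Restricted, "national_id": Restricted, "salary": Restricted, "card_number": Restricted,
	"email": Confidential, "phone": Confidential, "home_address": Confidential,
}

// Classify applies the policy to a flat record; fields the policy does not name count as Public.
func Classify(record map[string]string) Level {
	level := Public
	for name := range record {
		if l := policy[strings.ToLower(name)]; l > level {
			level = l
		}
	}
	return level
}

// Envelope is what may be uploaded; the level is bound in as associated data so a relabelled copy fails to decrypt.
type Envelope struct {
	Level      Level
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, record); plaintext if Public
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey); empty if Public
}

const gcmNonceSize = 12 // standard AES-GCM nonce length

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key sizes are fixed by construction, so this is a bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM needs
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return b
}

func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(gcmNonceSize)                   // fresh random nonce per call
	return gcm(key).Seal(nonce, nonce, plaintext, aad) // returns nonce || ciphertext
}

func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < gcmNonceSize {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm(key).Open(nil, sealed[:gcmNonceSize], sealed[gcmNonceSize:], aad) // fails if anything was altered
}

// Protect encrypts anything above Public before upload: a fresh data key per record, wrapped under a master key that never leaves the premises.
func Protect(masterKey []byte, level Level, plaintext []byte) *Envelope {
	if level == Public {
		return &Envelope{Level: level, Ciphertext: plaintext}
	}
	dataKey, aad := randBytes(32), []byte{byte(level)} // AES-256 key unique to this record; the label is the AAD
	return &Envelope{Level: level, Ciphertext: seal(dataKey, plaintext, aad), WrappedKey: seal(masterKey, dataKey, aad)}
}

// Unprotect reverses Protect; it rejects a changed label, key or ciphertext, and the wrong master key.
func Unprotect(masterKey []byte, env *Envelope) ([]byte, error) {
	if env.Level == Public {
		return env.Ciphertext, nil
	}
	dataKey, err := open(masterKey, env.WrappedKey, []byte{byte(env.Level)})
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte{byte(env.Level)})
}

func main() {
	key, record := randBytes(32), map[string]string{"employee": "A. Okello", "salary": "4200000"} // constructed sample; a real master key comes from an HSM or KMS
	back, err := Unprotect(key, Protect(key, Classify(record), []byte(fmt.Sprint(record))))
	fmt.Println(Classify(record), string(back), err) // 2 (Restricted), the record, <nil>
}
```

The cloud provider receives only the Envelope: it can store and back it up, but it cannot read the record or unwrap the data key without the master key, which settles Davis' "who has access to your data?" question by construction rather than by contract. A lost laptop holding such envelopes is then a nuisance rather than the breach Gossels describes, provided the master key is not on the same laptop. In production the master key would live in a KMS or HSM, the per-record data key would be discarded after use, and rotating the master key would mean rewrapping the stored WrappedKey values, which is the key-management step the text says companies get wrong.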
According to Jeremy Ames, the biggest mistake companies make when it comes to securing sensitive data is differing standards of data security.
More specifically, in most companies, executives are held to a lower standard of data security than the rest of the employee base. They’re allowed more leniency in terms of BYOD and in general they operate more freely outside the corporate firewall, which is a huge mistake.
The reality is that if a group is out there trying to plan a cyber-attack, they’re most likely to target a member of the C-Suite, particularly the CEO, because they know he or she is going to be the holder of the most sensitive information.
That means that executives need to be even more diligent than the rest of the employee base, because if information is compromised it could have damaging financial and legal ramifications. That being said, most companies fail in the three-pronged defense necessary to protect executives:
- additional focus by IT
- continued education by HR and
- personal responsibility by the executive
Jeremy Ames is President of Hive Tech HR, a technology consultancy that helps companies find, implement and enhance their HR systems. He is a member of the 2014 SHRM HR Management and Technology expertise panel, and former CFO of IHRIM, an association for Human Resources Information Management. Jeremy has been quoted in many articles dealing with the securing of HR data, including a SHRM article entitled "Prevent CEOs, C-Suite Executives from Getting Hacked" and a recent article about the Backoff virus.
Kevin D. Murray
This is a great question, and my advice comes from almost 40 years of experience. The biggest mistake companies make when it comes to securing sensitive data is a tunnel-vision focus on IT security.
All pre-computer-era information theft tactics still work and are still used. And most "computerized" information is available elsewhere before it is reduced to data.
Effective information security requires a holistic protection plan. IT security is an important part of this plan, but it is only one door to your house of information.
Here is the holistic approach to information security:
- Begin by protecting information while it is being generated (discussions, audio and video communications, strategy development).
Conduct Technical Surveillance Countermeasures (TSCM) inspections of offices and conference rooms on a scheduled basis. Ford Motors found voice recorders hidden in seven of their conference rooms this summer.
- Protect how the information is transmitted (phone, teleconference, Board meetings, off-site conferences).
Remember, wiretapping and infiltration are both still very effective tools. Check for wiretaps on a scheduled basis, or encrypt the transmissions. Conduct pre-meeting TSCM inspections. Never let presenters use old-technology FM wireless microphones. They broadcast further than you think.
- Protect how information is stored.
Unlocked offices, desks and file cabinets are a treasure trove of the freshest information. Print centers store a copy of all print jobs. Limit written distribution of sensitive information. Crosscut-shred sensitive waste paper. All these vulnerabilities and more should be covered during the security survey portion of your TSCM inspection.
- Educate the people to whom sensitive information is entrusted.
Security briefings don’t have to be long and tedious. Establish basic rules and procedures. Explain the importance of information security in terms they can understand. “Information is business blood. If it stays healthy and in the system, your job, and chances for advancement, stay healthy.”
Kevin D. Murray, CPP, CISM, is a TSCM specialist providing electronic/optical surveillance detection and counterespionage consulting for business and government. He is headquartered in the New York area, with services available worldwide.
Meeting the Mobility Challenge
Mobile device threats are increasing and can result in data loss, security breaches and regulatory compliance violations. You can take a number of steps to reduce the risks they pose and to address the related productivity issues and legal, privacy and security requirements. These steps are similar to those involved in other security issues (robust program and policy creation, communication, risk assessment, technology implementation, and continuous monitoring and evaluation) but are tailored to the unique challenges of mobile devices. With well-supported mobility and security awareness programs in place, your organization can keep users happy and your network secure, so you can compete effectively in today's mobile-first environment.