Laptops. Smartphones. PDAs. iPads. We conduct business in a staggering number of ways, and it’s more crucial – and, unfortunately, more difficult – than ever to keep electronic information secure. We asked Steve Roth, Rea’s IT director, and Mike Moran, owner of Affiliated Resources in Dublin, for tips business owners can follow to help keep their data secure.
Q: Where do security issues begin?
Roth: Think about security in terms of the data that you own. There was a time where this only concerned servers and computers located on the company’s premises. But, that’s no longer the case.
Data can be stored anywhere from a mainframe, server, desktop computer or laptop computer down to a Personal Digital Assistant (PDA) or smartphone such as a Blackberry, iPhone or Android. You need to have policies and procedures in place to ensure your data – and your customers’ data – is as secure as possible in all of these devices.
Moran: Information can come in many forms, from paper applications on a desk, to the list in someone’s head, to the perhaps confidential information an employee gives out during a random phone call.
Determine what information is valuable to your business and who has access to it. Then, develop plans to protect it. In the recent WikiLeaks case, an employee who was authorized to access information on a system willfully took it and sent it for publication. It wasn’t a foreign country spying. Whether accidental or willful, we find that employees inside a business are much more likely to breach security than any outside threat.
Q: Let’s look at a computer system in a typical business. What things can an owner do to improve data security?
Roth: First, purchase and install encryption software. If someone steals the device, they won’t be able to view your files. Windows 7, for example, has encryption capabilities. There are other encryption applications available, but they must be purchased separately.
Encourage all staff members to save their files to your secure server if you have one, rather than the hard drive on their individual laptops. And if your employees work in the field and need Internet access, provide a secure access channel, typically known as a VPN.
Also, when your business requires customers to supply electronic information, use a secure internet portal.
Moran: Evaluate the types of data you store and how important it is to the company, where it’s located (paper, individual computers, networks, in the clouds, etc.) and who has access to it. Once the kinds of information and its locations are identified, a program can be developed to address access and secure the data.
Q: E-mail seems to be the method of choice today for communication. How secure is e-mail?
Moran: E-mail is NOT secure. A typical e-mail will be routed through 30 different devices between point A and point B. I always tell people don’t put anything in an e-mail that you wouldn’t put on a postcard. Plus, someone can easily print or forward an e-mail, and it has limited audit tracking capabilities.
Q: What about the stagnant data that nearly every business collects? Are there rules regarding encryption? In the event of a security breach, are there required notifications?
Roth: Some states require encryption even on a company’s stagnant data. This movement began in the healthcare arena with the HIPAA privacy requirements, and I expect it to expand to other types of industries.
We already see some of this with the Red Flags Rule, designed to detect the warning signs of identity theft for businesses that extend credit. A majority of states have laws in place that require businesses to notify customers when a security breach occurs.
You should also evaluate your procedures for archiving, storing and accessing archived information – either digital or on paper.
Q: Mobile devices are everywhere, especially in business. What can a business do with these devices to help keep their data secure?
Roth: You should require anyone who uses a smartphone to access company e-mail to use a company-provided phone. You will have greater control of the phone service provider and the security level.
If an employee uses a personal smartphone, or even a laptop for that matter, and has access to a business e-mail account, make sure they password-protect that device.
Moran: If a device is misplaced or lost, you should have a way to wipe it clean of all company information such as e-mails and contact lists. And be sure you stay current with risks associated with your approved mobile devices.
The risks from these devices are just beginning to be explored and exploited. When it comes to the security of your data and that of your customers, it’s always better to be safe than sorry.