Way back in the 1980s, there was a very simple way to keep computer information from being stolen. Every disk containing confidential information was locked in a Sargent and Greenleaf safe.
Of course, even then, there were problems: 22,000 or so 3.5-inch “microfloppy” disks hold the same amount of data as a 32 GB thumb drive can hold today. The safe got a bit full, and it was difficult to find your disk in that haystack.
Now there is the internet, and tablets that are fully-functioning computers, and cellular telephones the size of…tablets. Cell phones can take pictures, record conversations, and send data anywhere in the world.
For example, Stephen Ward of Owensboro, Kentucky sold a digital copy of a confidential manual for the RQ-21A Blackjack drone aircraft to an FBI undercover agent. For more on Mr. Ward’s conviction, see the Yakima Herald article. Of course, some people just give electronic copies of government secrets away, like Edward Snowden and Bradley Manning.
The insider threat to data security, also called “cybersecurity,” is no longer somebody else’s problem, nor merely an information technology (IT) problem. Cyber crimes are everyone’s problem. And everyone at your company needs to be part of the solution.
This does not mean that everyone must be subjected to lie detector tests or threatened with waterboarding if they accidentally lose their cell phone. It does mean that everyone must use a little common sense about their use of company resources, and it also means the company should have reasonable IT safeguards.
Many people use workplace-provided laptop computers to do their jobs from somewhere other than the office. That alone isn’t a problem, but having open access to sensitive corporate data via the coffee house wi-fi, or allowing wireless access to proprietary data, might be. Some employees absolutely must have the latest and greatest devices to be more productive. These next-generation devices may also have…the ability to access confidential data without leaving a trace. Then there are personnel who just leave devices lying around unattended. All of these situations must be addressed.
Because not all data is proprietary, a good place to start is determining what data needs protection. For example, if your company stores or works with Protected Health Information (PHI), that data probably needs to be secured. Although this step may seem somewhat obvious, in July 2013, four million people had their PHI and social security numbers compromised, and another breach in 2011 affected 4.9 million people.
Once the confidential data is identified, secured storage for that data may be appropriate. Separate storage that is accessible only to certain employees, or other limitations on access, may provide your proprietary data with additional protection. To ensure your secrets remain secret, you may want to do what the CIA and NSA do: encrypt your data.
No matter how safe the computer systems are, if you have inexperienced or untrained personnel, you have a big hole in your security system. Training your employees on an ongoing basis in how to maintain data security should help maintain their awareness that the data is important and needs to be protected. Update your security training and your security system if new projects or data need additional protection.
When you disseminate proprietary information, the fact that the data is no longer in your control doesn’t mean you shouldn’t take steps to protect it. Secure all data, and record any dissemination that occurs outside of normal avenues of access.
In other words, have a cybersecurity program that fits your business. Keep your employees aware of how to maintain security of the data in your systems. And every now and then, make sure that your confidential data cannot be retrieved by a teenager using their newest cell phone.
Or you can go back to the floppy disks and a safe. Kind of difficult to drag that into a business meeting, though.