Wednesday, November 25, 2009

Focus On The Data In Data Security

Generally, when IT Admins and business owners think about IT security, they focus on protecting their networks and computers. They protect these devices with anti-virus programs, anti-malware applications, and firewalls. They run anti-spam programs to protect their email servers. Those companies that have more money to spend will implement network access control systems to prevent unauthorized machines from getting on the network, etc.

All of the above technologies are good and necessary components of a sound data security plan. The problem is that most IT Admins and business owners have the wrong focus when thinking about IT security. They need to focus on protecting the data of their businesses in a more holistic manner. Viruses and malware certainly have the ability to steal sensitive data from your business, but your employees do too.

You can no longer protect your network and data like you could in the old days. With web-based email, secure web file sharing applications, Salesforce.com, etc., there really is no inside the network/outside the network boundary that you can protect anymore. Your company's data is everywhere: on laptops, cellphones, USB memory sticks, etc.

You can see why you have to keep the focus on your data. Your business data is your key competitive advantage. Keeping your data secure should be your number one IT security priority.

So, what should you be doing to protect your data?

  1. Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
  2. Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
  3. Encrypt the hard drives on all of your laptops (desktops too!) so that if any machine is stolen, the data cannot be accessed.
  4. Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure email, secure web file sharing systems, etc. that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all.
  5. Monitor who is accessing the sensitive data to detect unauthorized usage.
  6. Train your employees on what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.
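
Steps 1, 2 and 5 fit together as a simple access review: an inventory of sensitive data, a map of which roles need it, and a pass over the access log that flags everything else. The script below is an added example, not part of the original post; the share paths, role mapping, user names and log format are all assumptions constructed for illustration.

```python
import posixpath

# Step 1: data to protect, keyed by share prefix (hypothetical layout).
DATA_CLASSES = {
    "/shares/hr/": "employee_records",
    "/shares/sales/proposals/": "sales_proposals",
    "/shares/crm/": "customer_information",
}
# Step 2: roles that need each class of data (assumed mapping).
ALLOWED_ROLES = {
    "employee_records": {"hr"},
    "sales_proposals": {"sales"},
    "customer_information": {"sales", "support"},
}
USER_ROLES = {"alice": "hr", "bob": "sales", "carol": "support"}
# Constructed sample log: timestamp, user, action, path.
SAMPLE_LOG = """\
2009-11-25T09:05:40 bob READ /shares/sales/proposals/acme.doc
2009-11-25T09:07:02 bob READ /shares/public/../hr/payroll-2009.xls
2009-11-25T09:12:48 carol COPY /shares/sales/proposals/acme.doc
2009-11-25T09:13:30 dave READ /shares/crm/accounts.csv
2009-11-25T09:14:00 alice READ /shares/public/lunch-menu.txt
"""

def classify(path):
    """Return the data class for a path (longest prefix wins), or None."""
    path = posixpath.normpath(path)  # classify by where ".." resolves to
    matches = [p for p in DATA_CLASSES if path.startswith(p)]
    return DATA_CLASSES[max(matches, key=len)] if matches else None

def review(log_text):
    """Step 5: return (timestamp, user, path, reason) per unauthorized access."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            findings.append(("?", "?", line, "unparsed log line"))
            continue
        ts, user, _action, path = parts
        data_class = classify(path)
        if data_class is None:
            continue  # not in the inventory from step 1
        role = USER_ROLES.get(user, "unassigned")
        if role not in ALLOWED_ROLES[data_class]:
            findings.append((ts, user, path, f"role '{role}' may not access {data_class}"))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

Unparsed lines and users with no assigned role are reported rather than skipped, so a gap in the inventory or the log shows up as a finding instead of passing silently.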

As always, feel free to contact me if you have any questions.


Tuesday, November 24, 2009

Data Security As A Process

Keeping data secure in your business involves three key elements:
  1. Finding and implementing good technology solutions to meet your security needs.
  2. Communicating with employees about what data needs to be kept secure.
  3. Training employees how to use your selected security technologies.

You need to do all three of these things to protect your data. Each one alone will not work. IT organizations tend to focus on finding technology solutions for data security issues because that is what they know and that is what they are comfortable with. Good technology is important but if you provide it and your employees do not use it, then these technical systems will obviously fail to do what they are designed to do.

You must communicate with and train your employees to use your selected security technologies. You have to get your employees to understand the importance of keeping data secure. You need them to be a part of the solution rather than being a part of the problem.

If your employees do not know that they are not supposed to copy confidential documents to an insecure USB drive, how can you blame them when they do? If you implement a web-based secure file sharing system but don't tell employees about it and don't show them how to use it, will you be surprised when they send sensitive files as unencrypted email attachments?

So what should you do to keep data secure in your business?

  1. Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
  2. Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
  3. Find the appropriate technology to provide access to the data while also protecting it e.g. HR applications, secure email, secure file sharing systems.
  4. Tell your employees what you are doing e.g. newsletters, weekly meetings, etc.
  5. Train your employees on the technologies that you use e.g. formal classroom training or informal one-on-one sessions.
  6. Repeat all of the above on an ongoing basis. As your business changes so do your data security needs!

As always, feel free to contact me if you have any questions.

Monday, November 23, 2009

Cloud Computing: Is Your Data Really Safe?

You may have been hearing about Cloud Computing. Apparently, it is the next big thing according to IT industry pundits. The basic idea is that your business can pay for computing power and storage by the minute or hour by using the processors and hard drives of machines out on the Internet.

But wait! Aren't you already doing this by using Gmail, Salesforce.com, web-based email, online file sharing services, etc.? Yes, of course you are. Also, if you have your website hosted by a third-party provider or you are leasing a dedicated or virtual server from a server hosting company, you are already using cloud computing.

So, it turns out that the average business is already using cloud computing. The newest cloud technologies that you may hear about are merely an extension of what you are already doing. IT marketers and industry research companies always need to be hyping the next big thing so that is why you will be hearing about the cloud in a big way for the foreseeable future.

Two important questions about cloud computing:
  1. How secure is your data out on the web? Can some random server administrator read your sensitive files?
  2. How will your business survive a brief or an extended outage of a web-based service that you are using?

Businesses tend to be very complacent when it comes to web-based services. For most people, once they see on a website that the company offering the service has a data center that is secure and that offers 99.999% uptime, they feel like everything is going to be okay, their eyes glaze over, and they do not want to think about data security/service availability anymore.

Unfortunately, we hear about major data losses and service outages all the time in the news, like the recent one involving T-Mobile Sidekick, where thousands of people were not able to access their data for extended periods of time.

So, what should you be thinking about in terms of data security/availability when it comes to using web/cloud based services?
  1. Forget the claims of 99.999% uptime. Think about how your business would be affected by a service outage of 1 hour or 1 day or 1 month. Then, create a plan to handle this situation.
  2. If you are storing files/data on the web, make sure that this data is stored encrypted.
  3. Don't put all your eggs in one basket. Think about splitting your data storage over multiple providers. Or get your own dedicated or virtual server and provide your own web-based service that you control!

As always, feel free to contact me if you have any questions.