Securing Company Data
The popular tools and technologies of modern daily life, like mobile phones, webmail, instant messaging services, removable storage media, and wireless access to the Internet, have given everyone the ability to easily carry and handle large amounts of data. Alongside this ability to carry data, critical organisation data has more ways to "escape" to storage in personal devices or public messaging services, and ultimately leak out into the public domain.
Data protection used to rely on a strategy of physically shielding the raw data, that is, restricting access to the bits and bytes stored in mainframes, on tapes or on disks. Such a strategy today is not effective enough in protecting data, as static shields are not applicable to modern business practices. Public clients (computers and mobile devices) are communicating with company servers using compatible interfacing standards, so anyone is able to access and interpret data from any source, provided the channels and opportunities exist.
The following are some tips for protecting your company data:
Staff awareness & responsibility: It is of the utmost importance that internal staff are fully aware of their collective responsibility through education and regular reminders, so that the importance of information security is not forgotten or overlooked. Each employee must be fully aware of his or her own responsibilities, their restrictions on information access, and disciplinary action that would be taken for any breach of security.
Regular assessment and policy: Before making any changes, it is a good idea to assess the information systems within and across the company, and identify areas that need improvement. A security policy should be established to govern the development of subsequent guidelines and procedures. It is also important that ongoing assessments are carried out regularly so that existing procedures can be updated and refined to reflect changes in working conditions and new technologies.
Data classification: Not all data may be of the same level of importance or sensitivity. Company data should be prioritised according to its security level, with security effort focused more on the most important data first.
Access restriction: Access to software and classified data should be restricted to authorised personnel only. Passwords and tokens are common authentication techniques for access protection, and different authorisation profiles are often applied to different users according to their roles. Audit trails are supplementary to authentication, and comprehensive activity logs provide useful information for refining the effectiveness of security measures. Data encryption provides another level of protection to guard against unauthorised data access.
Mobile device protection: Mobile computing devices, along with the data inside, can easily be lost, either through theft or being left unattended. Physical protection methods, such as cable locks, are always a first line of defense. Additional authentication requirements, such as passwords, guard against unauthorised access. Users should judge the risk and necessity of storing classified information on these devices, and in any case back up their data regularly.
Network Protection: Protection from intrusion or attacks launched from the Internet is a big topic. A number of products, including firewalls and proxy servers, are already available that provide a degree of data and system protection, but it is often necessary to assess the individual architecture of a company's data system, and design protective measures specifically to address the needs and nature of that business. Hard disks and removable storage media should be scanned regularly, and patches, virus signature pattern files and malicious code definitions should be kept up to date.
Public Channels: Public channels of communication such as instant messaging (IM), wireless Internet access and public webmail services are possible carriers of corporate information. Measures to control their usage in the office environment are sometimes necessary:
Develop a clear communication usage policy and disseminate this information to all staff;
Consider implementing an equivalent Enterprise solution instead of using public communication services;
Implement gateways with security protection systems in place;
Disable insecure services such as the remote activation
Disposal of Computer Equipment: When disposing of old computer equipment or media containing non-volatile data, procedures must be in place to ensure all information and data has been removed, such as physical destruction of the media itself, or by overwriting or reformatting the data stored on the media.
Data loss prevention: In some circumstances, it may be advisable to prevent staff from bringing personal belongings, including mobile phones, into the work area. This can help eliminate some of the opportunities for theft of data. Critical or sensitive data could be stored in an encrypted folder of the virtual machine, and its operational data would then be encrypted automatically.
Self-assessment on data security measures: Use the Data Security Scanner provided by the Office of the Privacy Commissioner for Personal Data, Hong Kong, to conduct a quick and easy self-assessment on the sufficiency of data security measures for information and communications technology systems.