By Vincent Ferravanti, Principal, Ferravanti & Associates, [email protected]
You may have heard of the recent spate of customer data being stolen from several companies and thought that because you did not hold customer credit card or social security information you were safe. Well, you’re not! Recently, two laptops were stolen containing the names and social security numbers of Motorola employees, putting them at risk of identity theft. Because of such incidents, new legislation is being considered by the US Congress that could require your company to encrypt sensitive personal data and submit your security policies annually to the Federal Trade Commission for approval. Failure to do so could result in steep fines or criminal prosecution.
Gone are the days when the majority of security breaches were the result of outside hackers “breaking in” to company computers. You are now more likely to have data stolen by a temporary employee working on an unsecured networked PC, or from an employee’s stolen laptop or even PDA. With the availability of small, easy-to-conceal memory cards, phones, and iPods with gigabytes of storage space, your customer and/or employee data can be “gone in 60 seconds!”
The good news is that by adopting some simple security policies you can block most of these thefts. If you think of your company as a castle, then, to date, most of the security effort has gone into building high walls and moats (firewalls and intrusion detection systems) to keep out invaders. However, the new threat is already inside those perimeter walls, so you must now think about setting up barriers between these potential threats and your sensitive data. The following four steps provide a framework for securing your data.
First: Identify. The first step is to determine what data needs to be secured. Personal information, names, social security numbers, and credit card information may not be the only information you need to secure. Ask yourself what the impact to your business would be if other key corporate information were to be made public. Pricing data, product margins, and other financial data may also need to be secured.
Second: Uses. Identify where this information is used. The data is most likely collected in a database used by a key application such as payroll, accounting, or your ERP system, but it is almost always extracted into reports, spreadsheets, and other secondary applications. You need to identify everywhere the information is used and stored in order to secure it properly. Do not forget about backup copies of the data, whether they are stored in-house or off site.
Third: Access. You now need to draw up policies defining who will be allowed access to this data and how you will audit that access. If you have done a Sarbanes-Oxley implementation, much of this work may already be done. If not, you need to define who needs access to which data, and how you are going to audit both the process of granting access and the actual use of that access. These policies need to be clearly stated and explicitly communicated through your Human Resources group.
Fourth: Secure. The data must be secured at its source and in every other place it is stored or accessed. Restrict access to the information based on the access policies you drew up in the previous step. Do not neglect policies for hard-copy versions of the data. These hard copies need to be kept under lock and key and shredded when they are no longer needed.
All electronically stored data should be encrypted. Encryption encodes data so that it is useless without the decryption key. This is especially important for data that is taken off site, such as backups or executives’ laptop computers. Had the data on the two stolen laptops mentioned earlier been properly encrypted, it would have been useless to the thieves. Microsoft’s operating system provides some basic encryption tools; you may need additional tools depending on how your data is stored and accessed.
Review password policies and any other form of user identification used to secure your systems. Putting an access policy in place without using strong passwords is like locking a house and then giving everyone a duplicate key. If you have been losing the password battle, consider some of the newer biometric or electronic key systems that add a second layer of user identification to system access; some can even be integrated with your physical site security systems.
No matter how small your operation, you may soon be required to secure your data. Given that a data breach could destroy your company’s reputation with customers or employees, why not get started now and sleep a little easier?
About Vincent Ferravanti
Vincent Ferravanti has 20 years of experience bringing increased profits to companies by designing and implementing "best in class" systems. Vincent has worked for Fortune 1,000 companies as well as startups, and he understands the different challenges that large and small organizations face. Vincent consults with companies on a variety of IT issues, including data security, system integrity, and compliance. He can be reached at Ferravanti & Associates, [email protected].