There are two things information security consultants are all too familiar with seeing:
- The look of despair on a client’s face just after they’ve suffered a network security breach.
- How that same client appears when their security gaps are remediated, and they discover new ways to share sensitive information safely.
Just like with any technology, security measures are only as effective as the policies and practices applied to using them. It only takes a temporary lapse of judgement or a simple misunderstanding by a well-meaning employee to expose sensitive files, company intel, or your customers’ confidential data to opportunistic hackers.
Here are five practices you can build into your company’s information security strategy. When executed correctly, they’ll save your firm a great deal of stress and money, and safeguard your reputation.
1. Encrypt all data stored in the cloud
Simply put, encryption protects your data, whether it’s stored in a data center or being transmitted across the Internet. Encryption keeps your data from all unwanted eyes, including business partners, competitors, malicious hackers, and even ordinary people who have no business knowing your company’s sensitive information. Encryption is most effective when it’s ubiquitous and integrated into your existing workflow; you shouldn’t have to turn data encryption on or off, it should happen automatically whenever files are shared via the cloud.
Look for cloud solutions that use the strongest block ciphers available, such as 256-bit AES (the Advanced Encryption Standard), and that meet industry security compliance standards, such as:
- PCI DSS
- AICPA SOC 2
- ISO 27001
Not only do these security standards help protect your sensitive data, they also demonstrate to potential clients that you take information security seriously, establishing trust and credibility in your industry.
2. Manage file access permissions
Although data breaches from external attacks often get the biggest headlines, data loss is often the result of employee error. Define who needs access to specific client data, how permissions are removed when an employee leaves the business, and what rights your staff should have to print, email, export or save documents outside of your designated cloud or on-premises software.
If an attorney, account manager, finance administrator or other employee isn’t involved in the day-to-day interactions with a client, or doesn’t need oversight of that client’s matters, they shouldn’t have rights to view, delete, or even know that certain files exist. Keep a tight line of permissions around client files, and the likelihood of data leaking drops rapidly.
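The permission model described above, written out as an added example (not CapLinked’s code or product API): explicit per-client rights, a file listing that hides files from users without VIEW rights, and an offboarding step that revokes every grant a departing employee held. Client names, file names and users are constructed sample data.

```python
from collections import defaultdict
from enum import Flag, auto


class Right(Flag):
    """The rights the post names: view, print, email, export, delete."""
    VIEW = auto()
    PRINT = auto()
    EMAIL = auto()
    EXPORT = auto()
    DELETE = auto()


class ClientFileStore:
    def __init__(self):
        self.files = defaultdict(set)    # client -> set of file names
        self.grants = defaultdict(dict)  # client -> {user -> Right flags}

    def add_file(self, client, name):
        self.files[client].add(name)

    def grant(self, client, user, rights):
        # Grants are explicit and additive; nothing is implied by job title.
        self.grants[client][user] = self.grants[client].get(user, Right(0)) | rights

    def allowed(self, user, client, right):
        # Default deny: no grant means no right.
        return right in self.grants[client].get(user, Right(0))

    def list_files(self, user, client):
        # Without VIEW the user does not even learn that the files exist.
        if not self.allowed(user, client, Right.VIEW):
            return []
        return sorted(self.files[client])

    def offboard(self, user):
        # Leaver process: strip every grant; return how many clients were affected.
        touched = 0
        for per_client in self.grants.values():
            if per_client.pop(user, None) is not None:
                touched += 1
        return touched


def demo():
    store = ClientFileStore()  # constructed sample data below
    store.add_file("acme", "merger-term-sheet.pdf")
    store.add_file("acme", "board-minutes.docx")
    store.add_file("globex", "audit-2023.xlsx")
    store.grant("acme", "alice", Right.VIEW | Right.PRINT)   # account manager on Acme
    store.grant("globex", "bob", Right.VIEW | Right.EXPORT)  # finance admin on Globex only
    return store
```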
3. Protect data across all applications and devices
It’s a real double-edged sword: laptops and mobile devices equipped with cloud applications make it easy to access files from outside the office, helping move business forward despite physical boundaries. However, file sharing outside your network firewall, especially via the cloud, exposes your information to a number of new risks.
You can establish policies on the sorts of files that may be accessed outside the office. Or you can adopt a data protection system that offers secure mobile applications for Android or iOS devices. Do your employees or customers prefer to use cloud services like Dropbox or Office 365 for email and client files? Virtual data room applications integrated with these cloud services increase adoption of, and appreciation for, secure collaboration.
4. Stay current on news and trends
Hackers never sleep. New malware, vulnerabilities and “zero day” attacks appear frequently. Don’t let malicious attackers, or even your competitors, get their hands on information that is critical to your business or the privacy of your clients. Companies that are dedicated to managing the private affairs of other organizations and individuals often have the largest target on their back.
Keep up to date on the latest strengths, weaknesses, opportunities and threats by following the CapLinked blog and other reputable infosec news sources, especially Twitter, which can provide near-real-time updates as data breach stories emerge. Knowledge is the key to protecting your company against data leaks, so make sure to keep your entire organization up to speed on new technology and vulnerabilities.
5. Have a plan of action
Once the network perimeter is in place and cloud applications are secured, you still have to devise a strategy for what you should do if a security breach takes place. A dedicated team needs to define:
- What information assets exist, and where/how are they managed now?
- Who are the prime points of contact (internally and externally) should a breach occur?
- What is the communication plan to customers should a breach occur?
- Are there financial, technical and/or backup resources for remediation in case of a breach?
As with many things in life, if you fail to plan, plan to fail. If your company experiences data loss, your recovery and containment activities speak volumes to customers and internal stakeholders.
Information security isn’t a project with finite beginning and end dates. Solidify and streamline your policy, communicate it to all employees, and consistently review and test it to ensure your entire organization is keeping up with emerging threats.