In days gone by, we tried to protect data by forcing people to store documents on secure network servers housed within our own brick-and-mortar offices. Things have changed. Laptops, cell phones, PDAs, flash drives, and dozens of other devices are now common repositories. Even on-premise servers are generally reachable through VPNs (Virtual Private Networks) and other remote access technologies. According to IDC analyst Cynthia Doyle, perhaps 60 percent of corporate data resides unprotected on PC desktops and laptops.
Technologies such as Colligo Contributor Client replicate documents locally, synchronizing content to a local encrypted data store and leaving copies of documents scattered across numerous computers that are not under the LAN’s security umbrella.
The first task is to find out where confidential data resides. This process will likely produce some surprises, and unless there are already policies and procedures governing where and how sensitive data is stored, they must be established.
A good source of guidance on such policies and procedures is the SANS Institute (http://www.sans.org/security-resources/policies/). For example, the sample Information Sensitivity Policy defines requirements for classifying and securing an organization's information in a manner appropriate to its sensitivity level. Defining what information is confidential and ascertaining its physical location is the necessary first step toward a comprehensive approach to securing confidential documents.
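As an added example (not from the article, the SANS policy, or any product named here), the script below sketches that first step: it walks a share or laptop and builds an inventory of files carrying indicators a sensitivity policy would classify as confidential. The indicator patterns and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
PATTERNS = {  # indicators a sensitivity policy might treat as confidential (illustrative)
    "marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops random 16-digit runs such as invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> dict:
    """Return {indicator: count} for one document; empty dict if nothing found."""
    hits = {}
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "card":  # keep only numbers that pass Luhn
            matches = [m for m in matches if luhn_ok(re.sub(r"[ -]", "", m))]
        if matches:
            hits[name] = len(matches)
    return hits

def scan_tree(root: str, exts=(".txt", ".csv", ".md")) -> dict:
    """Inventory: relative path -> indicator counts for every flagged file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = classify_text(path.read_text(errors="ignore"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

SAMPLE_DOCS = {  # constructed sample share: one clean file, two that belong in an encrypted store
    "memo.txt": "Team lunch is Friday. Bring your own drinks.",
    "hr/payroll.csv": "name,ssn\nAda,123-45-6789\nBob,987-65-4321\n",
    "sales/cards.md": "CONFIDENTIAL: card 4111 1111 1111 1111; ref 4111 1111 1111 1112",
}

def write_sample_tree() -> str:
    """Write SAMPLE_DOCS into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_DOCS.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return str(root)
```

Run `scan_tree` against a real share to see which directories need to move under the encrypted, policy-governed store; the flagged paths are the "surprises" the text mentions.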
Solutions for Documents Stored On Servers
Protecting documents stored on servers is fairly straightforward. These servers should always sit behind “professionally managed” firewalls. That professional management can come from internal IT staff (if there is one) or from a third-party consultant. Simply installing a hardware firewall and assuming it is running correctly isn’t the same as having a professionally managed firewall. Organizations like SecureWorks, Paladion and VeriSign provide professional firewall management with 24x7x365 monitoring.
Next, encrypt the data on servers. Both Microsoft Windows Server 2003 SP1 and Microsoft Windows Server 2008 R2 can provide full-drive encryption, yet almost nobody uses this protection. If someone steals a small-business server from an office, having whole-drive encryption enabled could save the company from going out of business and turn the event into just a bad day at the office.
Solutions for Documents Stored On Endpoint Devices
(Desktops, laptops, phones, PDAs, flash drives)
In 2006, reported laptop thefts increased by a whopping 81 percent. This was when thieves discovered that the information on a stolen laptop is far more valuable for ID theft than the laptop itself. One in ten laptops will be stolen in its lifetime, less than 4 percent of these laptops are recovered, and most of these business laptops contain confidential data. More than half of laptops are stolen from offices, and according to the Microsoft Security Intelligence Report Volume 6, the largest cause of security breaches is lost or stolen equipment.
Encryption is once again the answer for securely storing data on desktops, laptops and other portable devices. Products like TrueCrypt, PGP Desktop, BitLocker from Microsoft, Beachhead Solutions, and McAfee Endpoint can secure not only documents and data on local hard drives but can also encrypt email and data on flash drives and other external hard drives. The best of these solutions also provide centralized management. PGP Desktop and Beachhead Solutions, for example, provide Lost Data Destruction (LDD) capabilities that allow the user to remotely destroy data on lost or stolen computers as well as monitor their location.
For handheld devices like iPhones, Blackberrys, Palms and Windows CE devices, inexpensive software solutions provide both secure login and LDD. The iPhone can require users to log in before accessing data such as contact information, although I have yet to see anyone (other than members of the K2 team) utilize this feature. Inexpensive products like MobileMe can locate a lost iPhone and/or remotely destroy all data on the device. Other devices like the Blackberry, Palm devices and Windows CE devices have similar software available. In many cases these devices (the Blackberry, for example) come with very good encryption built in, but very few people utilize it.
Conclusion
Failing to secure confidential customer, client, and internal business information can have disastrous results. The solutions are equally clear: they are well established and easy to implement, and they almost always involve encryption technology, which is plentiful and inexpensive. Many people who fail to properly manage these risks will luck out and get by without incident. Some will not fare so well and will suffer substantial financial losses and even business failure. With clearly defined, relatively easy to implement, cost-effective solutions available to mitigate these risks, what will you choose?