Securing Company Information

by GOsafeonline | 10 March 2011

Your company is a mine of information. Whether you are a manufacturer of advanced components (with vital blueprints kept under lock and key) or a public relations firm (whose familiarity with the top travel journalists in Europe is the key to your success), your company survives and thrives on what it knows.

Information theft may not only lead to a loss of productivity or profitability (as vital business information needed to keep the company going might be missing or in the hands of a business rival); it will also significantly erode consumer confidence in your business (as it is clear to customers that their personal data is not safe with you).

So, how can you secure your company’s data?

Step 1

Know what information you have (e.g. customer data, intellectual property, employee data, etc.). This is critical to classifying it and knowing how to protect it.

For example, access to confidential information (such as the company’s financial records) should be strictly controlled and limited only to senior personnel who need to utilise the information regularly. Access to the information should be monitored and controlled through a secure login system that records who has viewed and/or downloaded information, from where and when. A person’s access to the information must be removed immediately once they leave that position.

Step 2

Be aware of where your data is stored (e.g. servers, laptops, smart phones) and how it is shared (e.g. instant messaging, email, email attachments, blog postings by employees). From this, you can assess the key ways in which your data could be at risk.

For most businesses, this would include:

  • Employee information theft (when employees themselves abuse the trust put in them by extracting and misusing valuable company information);
  • Hacking (computer programs developed specifically to break into systems, often via viruses and other malware sent through emails or unknowingly downloaded onto users’ computers when they visit malicious websites); and
  • Social engineering (activities performed by criminals to manipulate users into providing confidential information through the use of phishing, identity theft, spam, etc.).

Step 3

Once you know how your data could be at risk, you can develop ongoing employee awareness programmes to help employees understand the threats to your information, the impact these threats could have on your business, and how to appropriately secure the data regardless of which application or device you and your employees are using.

For most businesses, this would include:

  • Controlling employee access to confidential information (as in the example given under Step 1);
  • Ensuring that employees use strong passwords that are kept private and regularly changed;
  • Regulating employee access to social media (e.g. Facebook and other social networking sites) and non-corporate email accounts (e.g. Hotmail), to limit their ability to deliberately or inadvertently leak confidential information;
  • Reminding employees to practise safe surfing habits, such as not opening suspicious emails from unknown senders or with vague subjects that are not work-related, and ensuring that they log out of secure websites when they have finished using them;
  • Educating employees about the risks and dangers of phishing scams and other social engineering activities;
  • Ensuring that the company’s anti-virus software and firewall are up to date; and
  • Clearing old equipment of confidential information before disposal.