Managing Security & Privacy Risks
By Julie King | October 31, 2009
Businesses were given another good reason to closely protect personal information in their care last week; it is now a criminal offense to transfer or sell information without considering the possible criminal uses of that information.
Privacy and data security are something most businesses would like to do, many do not spend the time and effort needed to do it well.
As a result there is a tendency to focus on protection of the company's computer systems and hope that is enough. However this approach is likely to fail because it is focused on systems and machines, rather than the data itself.
When you look at it from a data viewpoint, it becomes clear that there are many ways data can be stolen and hackers are only part of the risk.
Claudiu Popa is president of Informatica Information Security and author of The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises. I spoke with him to better understand what the ideal security toolkit would look like for small businesses.
Understand the issues
As a starting point, Popa recommends that you think about information as a tangible asset. Not all of the information in that asset belongs to you, so you can't afford to treat it casually.
Data theft is a rapidly advancing area of crime that changes every day. Attacks often happen on the computer or network, but focusing on the technical systems alone does not go far enough. The main risk to your data lies not in the IT systems that protect it, but in the integrity and knowledge of the people you allow to access the data.
Popa explains that a good privacy and data security solution will have three components: technical, physical and educational.
Use a layered approach
The ideal solution, Popa says, is to take a layered approach. The idea behind a layered solution is that if a criminal penetrates through one layer, you have sufficient security in place at the next layer to neutralize the attack.
The process of developing a layered solution begins with visualization. You need to map out the different types of data you have, where that data is stored, how it is accessed and the different ways that data enters and leaves your organization.
There are three main types of protection controls that can be used to protect your data, which Popa calls the CIA Triad:
- Confidentiality controls stop unauthorized people from accessing sensitive information like payroll data or email addresses of your customers.
- Integrity controls prevent unauthorized people from adding, altering or deleting company data.
- Availability controls help ensure that your business data can be accessed by those with authorized access.
Some of your data will be public, for example the company portfolio, in which case you will be concerned with the elements of Integrity and Availability. For confidential or secret information, your main concerns will be Confidentiality and Integrity.
Data mapping: ask the right questions
How do people interact with the data? How do computers interact with it? Where is it located on the network? How does data move between your company, customers and suppliers?
You need to be comprehensive in your approach because any hole is a potential vulnerability.
Once you have identified the places where your data can be accessed, it becomes easier to develop a plan to keep that data safe. Find the weak points and take steps to add layers of protection.
Here are some common questions businesses need to ask.
- Is our wireless network protected with a strong password and other controls? What about our wireless Internet connection?
- Do we have a secure, off-site back-up?
- If we had a catastrophic data failure, could we quickly restore all our company data with minimal down time?
- If a laptop was stolen, is data encrypted? Could a thief easily access all the data on the computer?
- Are our smart phones protected?
- Are confidential online communications encrypted?
- If a computer or server from the office was stolen, would the thief be able to break into the data or do we have adequate encryption / password protection in place to prevent that?
- When using a laptop in a public place, could someone easily read confidential information over our shoulder or do we have a filter screen that will prevent shoulder surfing?
- If we are using voice-over-IP (VOIP), is it secure?
- When we dispose of a computer, is the data really wiped from the machine or could someone easily restore that data?
It helps to recognize that data security is an entire end-to-end profession guided by international standards. Don't expect this is something you can quickly address with a $99 solution. You will likely need expert help for proper privacy and data protection.
In addition to security professionals, Popa notes that there are an increasing number of insurance companies that will help you protect your data. The insurance company can provide guidance for making sure your data is secure and insure you against a possible data breach.
Education of your staff and third party contractors is a critical component of privacy and data security. Anyone who can access your data, including janitorial staff, needs to be trained.
Popa notes that education often takes place once a year, with the first year taking the longest time. Training should be tailored to the security solutions that you have in place in your business.
In addition to classroom training sessions, there are online courses you can use to certify your staff and contractors. Popa's company offers an online training certification program that costs $99 per person and you can find other courses online as well.
If you do the training yourself, it is a good idea to test each person when the training is done. Have everyone sign a document saying they were trained, along with the score they achieved, in the company's privacy and data protection procedures. Hopefully you will never need to use this information, but if there is a data breach by an employee or contractor this documentation will help you in court.
Stay informed, stay protected
Issues around privacy and data security are constantly changing. New vulnerabilities emerge each day. For small businesses, this means that either the business owner or an assigned staff member needs to stay on top of emerging threats.
In the next issue of CanadaOne we will continue to share insights from Popa as we look at how you can secure your office network, computers and peripherals like laptops and smart phones.