Guest article by Michael T Mantzke of MySecureDelivery.com
Does your company take digital security seriously? Having a diverse background in computer records/document management and compliance I have learned three things which unfortunately seem to be more the norm than not.
1. Business leaders and corporate executives do not understand digital security, or the value proposition, of such.
2. These same business leaders do not understand the potential liabilities facing their respective organization and themselves as it relates to digital security.
3. These same business leaders do not understand or appreciate the potential threats and vulnerabilities from both internal and external sources.
Data protection and privacy issues impact all business and industry sectors across the globe. Compliance with the law and protecting individuals’ privacy are not just legal issues. Failure to respect people’s privacy or ensure security of their data can severely damage a company’s brand and influence consumer buying decisions.
Law firms now conduct a vast amount of business electronically. Much data is held on emails, word-processing files, spreadsheets and databases. Storing this data and ensuring its security and confidentiality is a major challenge. There is not enough awareness of the security risks linked to the electronic transmission of data between law firms and their clients.
You would laugh at the idea of leaving your office buildings unlocked and unguarded all night, or providing perfect copies of your client’s credit card details to passers-by; but this is, in effect, what you are doing if you fail to take firm steps to protect your company’s client information or intellectual property. The attendant risks and penalties facing many solicitors’ firms crystallised in April 2010 when the Information Commissioner’s Office (ICO), which oversees and enforces the Data Protection Act 1998 (DPA), introduced fines of up to £500,000 for serious data breaches.
Proactive vs. Reactive approaches.
Reviewing the 2012 RSA conferences and the initiatives announced by William Hague at the beginning of September, one can’t help being struck by the number of products and service providers which targeted the reactive space within the security market rather than embracing a clearly untapped need for simple proactive solutions designed to address the problem of digital asset security.
With the uptake on home working, remote access, emails and Bring Your Own Device (BYOD) culture too little concern is shown for the vulnerability of data once outside the enterprise.
So as not to offend the antivirus, antispam, malware scrubbers and countless other disciplines, I would stress these systems are needed to combat threats already identified, or new threats once they have been identified. It is much easier to develop protection schemes against existing threats or vulnerabilities. Additionally, the news and cyber groups play up these vulnerabilities so attention is highly visible.
These same groups also have jumped on the Cloud computing bandwagon. They emphasize that cloud based solutions are safe, secure, and provide adequate security measures designed to protect your data. One needs to look no further than the recent cyber-attack on the US based service Go Daddy to realize the potential vulnerability and accessibility to critical data.
A truly proactive solution to digital security should be designed to protect assets at the desktop at the time of creation or distribution. This localized application for protection and viewing should utilize a strong encryption system, with enforceable security rule sets. A Cloud based component would provide management, tracking, and alerting of digital assets once transported or delivered through any electronic means – Email, Cloud, USB drives, etc.
It is frustrating and worrying that this aspect of security is missing from the security scene. Although there are some proactive systems which attempted to address a proactive approach, these systems were often tied to cumbersome, expensive infrastructures which placed serious constraints on ease of use and distribution. A few cloud based encryption solutions are offered, but the major flaw in these offerings forced the users to upload the unprotected digital asset into the cloud prior to the encryption. Where’s the protection?
A simple, proactive security solution should allow users to operate at the speed of business. If it’s too complex or takes in-depth technical knowledge to utilize, only a handful of people within a company will use it – which defeats the overall purpose of trying to protect your digital assets and your organization. This effect is reflected in a number of failed Digital Rights Management product implementations.
As business leaders you should be asking yourselves some basic questions.
1. Has the question of digital data security, cloud computing, information liability/vulnerability, and the associated risks been asked and answered to your satisfaction?
2. Are business, data, and liability initiatives in line with today’s technology trends, security measures, and countermeasures?
3. How does your business or agency control who can access sensitive information once it is sent out via the Cloud or email?
4. How do you protect your customer or client information?
To put it simply, if you are not in control of your digital information as it’s created and distributed, everyone else will be. Businesses and Governments shred any document that could be used by information hijackers and identity thieves. These same disciplines need to be applied to your digital assets.
If you are serious about the matter of digital asset security I recommend the following.
1. Educate your respective staff members on vulnerabilities which present liabilities to your organizations.
2. Review your policies regarding the creation and processing of digital assets, especially if your digital assets are being sent outside your organization.
3. Seek a solution which provides strong encryption prior to sending your digital assets offsite.
4. Automatically enforce polices to truly have consistency in how your digital assets are protected and handled.
I’ll leave you with the following to consider. Have we, as a society, sacrificed security for simplicity? And if we have, are we ready and able to handle the consequences? Protect your organization by protecting your digital assets.