Commentary - The term “security breach” can be defined in a number of ways in today’s business environment. It can range from something as innocuous as an employee’s unintentional misuse of data to espionage. Whether accidentally shared or intentionally taken, the loss of vital information and documents can become a nightmare for any business. Companies face the loss of customers, lawsuits, a tarnished reputation and sizable fines. Consider the following:
- Forty-nine percent of security breaches occur in the business sector.
- Security breaches cost the health care industry approximately $6.5 billion annually.
- A recent study found that the costs associated with data breach recovery ranged between $750,000 and $31 million.
Further driving the need for security are the many regulations that govern how important documents must be stored and protected. These include HIPAA and HITECH (health care), Sarbanes-Oxley and GLBA (financial institutions) and individual state regulations. While deploying the strategies and hardware that protect your network from outside attacks is certainly key, there are a number of more basic measures organizations should take to secure critical information internally and to gain a clearer understanding of where data is now and where it has been in the past.
Restrict data portability
With the growing use of smartphones, tablets and flash drives, portable media require more extensive security measures. Make sure you know, proactively, who is accessing critical data and for what reason. Furthermore, limit access to documents to only those who truly need to see them. Too often, folders readable by everyone in the organization contain sensitive documents that any employee can download.
Create a data lifecycle
Knowing a physical or digital document’s history, from creation to destruction, reduces legal risk, regulatory compliance risk and the annual expense of data management and storage. Should a document go missing, knowing its history makes retrieval easier. Each department should determine which data or documents it is responsible for on a day-to-day basis. Some variation in categorization will occur across departments, since both the kinds of data used and how they are used also vary.
Re-examine where data is stored
The location of physical or digital information is often overlooked by companies. In many cases, confidential documents are stored in file cabinets with simple locks that line hallways or sit in easily accessed rooms. Electronic documents are often saved in unencrypted “shared folders” accessible by almost anyone in the organization.
Transitioning to an offsite provider for information management allows companies to enforce stringent controls on the types of information that employees or other interested parties can access, for both physical retrieval and online viewing. Furthermore, a reputable provider should be able to articulate and provide “end-to-end” security, particularly for digital data: Does the vendor use third parties to convert physical documents to digital images, particularly for data entry or validation? Off-shoring these conversion activities to find lower-cost labor may cause data to “leak” from an apparently secure environment into one over which the provider has very little control.
Securely destroy unnecessary documents
After a document’s lifecycle has run its course, it must be properly destroyed. There are countless ways to improperly dispose of obsolete physical and digital documents, and the result can be catastrophic. Knowing who is responsible for handling, transporting and destroying documents is critical to avoiding the nightmares associated with improperly discarded records.
Conduct consistent physical and digital data audits
Regardless of format, knowing what files you have, where they are located and what information they contain drastically reduces the risk of critical information being altered without detection. With a uniform understanding of where critical data exists across all departments, more employees are in a position to notice a problem.
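For the digital side of such an audit, the following is an added example (it is not part of the original commentary and not a Recall tool): it inventories a directory tree, records each file’s SHA-256 digest as a baseline manifest, and on a later run reports which documents were added, removed or altered since the baseline. The directory names, file names and file contents are constructed for the demonstration only.

```python
"""Added example: a minimal digital document audit built on a hash manifest.
A baseline inventory is taken, persisted as JSON, and later compared with a
fresh inventory to detect undetected alteration, loss or unexpected additions.
All paths and contents below are constructed for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between a stored baseline and a fresh inventory."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Baseline a constructed document tree, tamper with it, then re-audit.

    Returns the comparison result so it can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"           # the audited tree (constructed)
        manifest_file = Path(tmp) / "baseline.json"  # kept outside the tree
        (docs / "hr").mkdir(parents=True)
        (docs / "finance").mkdir()
        (docs / "hr" / "salaries.csv").write_text("name,salary\nalice,100\n")
        (docs / "finance" / "q1.xlsx").write_bytes(b"PK\x03\x04 constructed")
        (docs / "finance" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed")

        # Take and persist the baseline, then reload it as a later audit would.
        manifest_file.write_text(json.dumps(build_manifest(docs), indent=2))
        baseline = json.loads(manifest_file.read_text())

        # Simulate what an audit should catch: an edit, a loss and a new file.
        (docs / "hr" / "salaries.csv").write_text("name,salary\nalice,900\n")
        (docs / "finance" / "q1.xlsx").unlink()
        (docs / "hr" / "offboarding.txt").write_text("constructed new document\n")

        return compare_manifests(baseline, build_manifest(docs))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is stored where the people who can change the documents cannot also rewrite it (a separate system or a write-once log), since a manifest kept beside the files it covers can be altered along with them.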
Adjust policies to reflect current regulations
As compliance laws and regulations evolve, company policies need to keep pace with the changes. Written data security programs and plans should be administered and periodically re-evaluated, along with more stringent social media policies. Treat your policies as a living document, not a list of laws set in stone.
Regardless of an organization’s mission, securing and managing critical documents must be a top priority across every department. Because information comes in so many forms today, keeping documents secure is far more challenging than it once was. Failure to protect critical information, however, puts a business’s financial livelihood and reputation at stake.
Mark Emery is Global Director of Recall Consulting Services.