The wider market has seen a stream of vulnerabilities and data thefts throughout this year. Despite increasing efforts to stem the flow, the emphasis needs to be on prevention rather than cure, beginning with a clear understanding of your data and how it can be accessed. For example, this month Yale University acknowledged that a recent change by Google to include searches on FTP servers had led to the potential exposure of sensitive personal information for over 43,000 students. Given that many FTP servers are used to share corporate information more securely, many organisations may find themselves having to manage similar data security issues that are not within their control.
At Lumison, we propose the following best practice for data management and protection for you to consider in your own organisation, based on three key tenets for internal and external threats:
1/ Separate out the data that is externalised.
It is crucial to ensure that all data published or presented externally (including FTP repositories) meets your organisation’s requirements for privacy, security and authenticity (except in instances where this data may be mined or searched, as your ability to control access may be limited). Data and information can now be exposed through a multitude of social media channels. Organisational policies and checks must be extended to keep up with the various data sources, so that they highlight and plug any potential gaps or vulnerabilities.
2/ Ensure appropriate security is applied to internal data repositories and stores, particularly personal information.
Historically, many organisations have responded slowly to data storage requirements or failed to remove duplication of records. Users may have selected tactical storage solutions such as removable media drives, cards and online storage solutions, e.g., Mesh and Dropbox. Although these solutions can provide effective storage, the data moves outside of your control and must be secured. Understanding, policing, and managing encryption on removable and online data repositories enables businesses to blend flexibility with the security needed to safeguard the integrity of individual and corporate data.
3/ Audit your controls.
Changes made by others (including third parties) may impact on your strategy. It is also important to ensure you do not rely on the security policies of others to enforce your data controls. Know your data, publish data security guidelines to your staff and ensure these guidelines are enforced, particularly for new starters or when staff members leave your company. (For the latter, ensure you recover the data and restrict access to the appropriate users.)