Think about your worst nightmare. Someone steals confidential information about your customers or company and that information is all over the Internet. You lose all credibility and your business suffers. You pay stiff financial penalties and you face lawsuits from government regulators and your customers. If you are a public company, you face shareholder lawsuits.
This situation is becoming more commonplace as hackers and other criminals exploit weak human and technology systems to gain access to your most important business information. In the last few months there have been a number of large data breaches that caused big problems for the victims.
The Canadian province of Ontario recently lost two USB drives containing unencrypted personal data on over 2.4 million voters. In June 2012 the Public Employees Retirement Association of New Mexico suffered a breach when the laptop of an outside auditor was stolen with about 100,000 names, addresses, financial institution routing numbers, account types, and account numbers.
Nvidia, Yahoo and Formspring had their systems hacked, and email addresses, passwords and other confidential information were stolen and posted to Internet forums and hacker websites. Between these three companies, over 1.2 million customers were affected. Add the recent intrusions at LinkedIn and others and the numbers start approaching 10 million users.
In the cases of Nvidia, Yahoo, LinkedIn and Formspring, the critical information was sitting in a database. Passwords in a database should never be stored in the clear, and not even encrypted with a recoverable key; they should be hashed with a salted, deliberately slow password hashing function (bcrypt, scrypt or PBKDF2) so that a stolen table cannot be turned back into passwords. Unfortunately these companies used fast, general-purpose hash functions that lack the per-user salt and the deliberate slowness that password storage requires, so an attacker holding the stolen table can test billions of guesses per second on commodity graphics hardware. That’s like putting a “Please Do Not Enter” sign as the only lock on your door. These are outdated methods of protecting data, and the companies should have used proper password hashing.
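To make the difference concrete, here is an added example (not code from the original article or from any of the companies named) that stores the same constructed set of three passwords two ways: once as a bare, unsalted SHA-1 digest, the way the breached tables were effectively stored, and once with salted PBKDF2-HMAC-SHA256 from Python’s standard library. It then runs the same small attacker wordlist against both tables. Against the unsalted table the attacker hashes the wordlist once and recovers every matching user from a lookup; against the salted table every (user, guess) pair costs a full PBKDF2 run, and two users with the same password no longer share a hash. The user names, passwords, wordlist and iteration count are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample data: a tiny "leaked" password table and a tiny attacker
# wordlist. Real leaks hold millions of rows and real wordlists hundreds of
# millions of entries, but the mechanics are identical.
LEAKED_PASSWORDS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",   # deliberately absent from the wordlist
}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "linkedin"]

# Iteration count is an assumption for the example; it sits in the range
# recommended for PBKDF2-HMAC-SHA256 and should be tuned to ~100 ms per hash.
ITERATIONS = 600_000


def store_unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist) -> dict[str, str]:
    """Attack on unsalted fast hashes: hash the wordlist ONCE into a lookup
    table, then recover every user whose hash appears in it.
    Cost is O(len(wordlist)), independent of the number of users."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def store_pbkdf2(password: str, iterations: int = ITERATIONS) -> str:
    """The proper scheme: per-user random salt plus a deliberately slow KDF.
    Stored record format (assumed for the example): alg$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    alg, iters, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored: dict[str, str], wordlist) -> dict[str, str]:
    """Same wordlist against salted, slow hashes: the salt defeats a shared
    lookup table, so each (user, guess) pair is a full PBKDF2 run.
    Cost is O(users * len(wordlist) * iterations)."""
    found = {}
    for user, record in stored.items():
        for w in wordlist:
            if verify_pbkdf2(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    weak = {u: store_unsalted_sha1(p) for u, p in LEAKED_PASSWORDS.items()}
    t0 = time.perf_counter()
    print("unsalted SHA-1 cracked:", crack_unsalted(weak, WORDLIST),
          f"in {time.perf_counter() - t0:.4f}s")

    strong = {u: store_pbkdf2(p) for u, p in LEAKED_PASSWORDS.items()}
    t0 = time.perf_counter()
    print("salted PBKDF2 cracked:", crack_pbkdf2(strong, WORDLIST),
          f"in {time.perf_counter() - t0:.2f}s (same guesses, far slower)")
```

The weak passwords still fall in both cases; slowness and salting buy time and force per-user work, they do not rescue "password1". The practical lessons are the ones the cracking loops make visible: a salt removes the one-table-cracks-everyone shortcut, and an iteration count tuned to tens or hundreds of milliseconds turns a billion-guesses-per-second attack into a few thousand per second per user.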
Most other confidential and sensitive information is in documents. The two public agencies that had documents stolen did not encrypt them and left themselves open to theft and major trouble. All organizations need to determine what is sensitive and where it exists. Then determine who has access to that information. The last step is to encrypt these documents with a persistent security policy that controls who can access the content and what they can do with it.
At a minimum, you should encrypt documents with personal information, such as customer and employee name, password, email, street address, phone number, social security number, birth date and financial information. Next is anything critical to your business, such as budgets, strategic plans, product designs, software code, proprietary processes and algorithms. Think about the secret formula for Coke or the search algorithms for Google. If it’s unique to your business and important, protect it.
Encrypting documents with a persistent security policy is not complicated and is one of the most effective ways to protect information that is critical to your business. If an unauthorized person gets your document, it’s useless to them, since they can’t read the information inside without your express permission. The one condition is that the keys must not travel with the data: an encrypted file on a stolen laptop that also holds the cached decryption key, or a USB drive whose password is written on the label, is no better than plaintext.
Give yourself some peace of mind by encrypting the information that is most critical to your business. Encryption will not stop every theft or intrusion, but it turns a lost drive or stolen laptop from a reportable data breach into a lost piece of hardware. Protect your company and sleep better at night.
Photo credit aaronparecki