Sounds like a line from a commercial, but it really applies to what’s going on around data and document security today. A lot of organizations are looking hard at the security of their information. Every day you read about another data breach: a hacking attack, an insider stealing something, or someone accidentally sending the wrong information to the wrong person.
The immediate reaction to these events is to throw technology at it. My firewall must not be good enough. I need an intrusion detection system. I need better virus protection. I have to lock down people’s desktops so there is no chance they will do anything wrong.
While technology is a key component of safeguarding information, technology alone will NOT protect your organization. You need to take a broader view of how your organization operates. Think about the processes and procedures you follow. I always think about an alarm system in my house or car. The alarm is a great piece of technology. If someone breaks into my house, an alarm sounds and the system alerts the police. But I have to follow a procedure to make it work. If I leave my house without setting the alarm, the technology is useless.
People and processes are the other two keys to establishing control over your information. You need to focus on the systematic processes and human factors that are unique to your organization. Part of that is understanding what currently exists and what you want to achieve. It also involves understanding the risks of doing or not doing something.
Take a doctor’s office, for example. They need to make sure that a patient’s records are held in confidence. They also need to care for their patients. The last time I went to the doctor’s I had to sign in at a desk and give someone my personal information. She entered the data into the computer and asked me for some identification to prove who I was. I presented my ID, she took a scan of it and I signed the form on an electronic pad. She then printed what I signed, together with the scanned ID, for my records. My information is stored securely in a system that only certain people can access. The whole process took about 2 minutes.
Let’s review what happened. The doctor needs to verify who I am before he will treat me. He also needs my permission (the signed form) to release some of my personal information to the lab for some blood work. Only the doctor and nurses can see my medical information. The front office staff only has access to my name, address, phone number, etc. The office has a simple process in place to protect themselves and my information. Everyone is trained and follows these processes quickly and effectively. The result is that my information is protected and the doctor can get on with caring for me.
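The office described above is applying least privilege: each role sees only the fields its job needs, and a release to a third party needs a signed, scoped consent. As an added example (not code from the original post or from any real practice-management system), here is a toy model of that policy in Python, with deny-by-default role checks, a consent check on release, and an access log so that over-reaching requests are visible for review. Role names, field names and the patient record are constructed for illustration.

```python
"""Role-based, field-level access to a patient record, with an access log.

Added example: a toy model of the access separation the post describes
(front office sees demographics only; doctor and nurses also see clinical
data; release to the lab requires a signed consent). Role names, field
names and the record contents are constructed for illustration.
"""
from dataclasses import dataclass, field

# Field groups (assumed names, not from any real system)
DEMOGRAPHIC_FIELDS = frozenset({"name", "address", "phone"})
CLINICAL_FIELDS = frozenset({"diagnosis", "medications", "lab_orders"})

# Least privilege: each role gets only the fields its job needs.
ROLE_PERMISSIONS = {
    "front_office": DEMOGRAPHIC_FIELDS,
    "nurse": DEMOGRAPHIC_FIELDS | CLINICAL_FIELDS,
    "doctor": DEMOGRAPHIC_FIELDS | CLINICAL_FIELDS,
}

# Constructed sample record
PATIENT_RECORD = {
    "name": "A. Patient",
    "address": "1 Example St",
    "phone": "555-0100",
    "diagnosis": "example diagnosis",
    "medications": ["example-med"],
    "lab_orders": ["CBC"],
}


class AccessDenied(Exception):
    """Raised when a request asks for fields outside the permitted set."""


@dataclass
class Consent:
    """A signed authorization scoped to one recipient and a set of fields."""
    signed: bool
    recipient: str
    fields: frozenset


@dataclass
class AccessLog:
    """Append-only record of every allow/deny decision, for later review."""
    entries: list = field(default_factory=list)

    def record(self, user, role, decision, fields):
        self.entries.append((user, role, decision, tuple(sorted(fields))))


def view_record(record, user, role, requested_fields, log):
    """Return only the requested fields the role is permitted to see.

    Deny-by-default: an unknown role has no permissions, and a request that
    includes any out-of-scope field is refused as a whole and logged.
    """
    requested = frozenset(requested_fields)
    allowed = ROLE_PERMISSIONS.get(role, frozenset())
    over_reach = requested - allowed
    if over_reach:
        log.record(user, role, "DENIED", over_reach)
        raise AccessDenied(f"{role} may not read {sorted(over_reach)}")
    log.record(user, role, "ALLOWED", requested)
    return {name: record[name] for name in requested}


def release_to_lab(record, consent, user, log):
    """Release the minimum necessary data to the lab, only under a signed consent."""
    if not consent.signed or consent.recipient != "lab":
        log.record(user, "release", "DENIED", consent.fields)
        raise AccessDenied("no signed consent for release to the lab")
    # Release only what the consent covers, never the whole record.
    log.record(user, "release", "ALLOWED", consent.fields)
    return {name: record[name] for name in consent.fields}


if __name__ == "__main__":
    log = AccessLog()
    print(view_record(PATIENT_RECORD, "receptionist", "front_office", ["name", "phone"], log))
    try:
        view_record(PATIENT_RECORD, "receptionist", "front_office", ["name", "diagnosis"], log)
    except AccessDenied as e:
        print("denied:", e)
    consent = Consent(signed=True, recipient="lab", fields=frozenset({"name", "lab_orders"}))
    print(release_to_lab(PATIENT_RECORD, consent, "doctor", log))
    for entry in log.entries:
        print(entry)
```

The two design choices worth noting are that a mixed request (one permitted field plus one forbidden field) is refused entirely rather than partially answered, so a caller cannot probe for what exists, and that every decision lands in the log, which is what turns a policy into something the office can actually check.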
Building a culture of compliance is important for the doctor and for any business. Everyone, from the doctor to the nurses to all the staff, understands that protecting patient information is critical to their business. Not doing so could result in fines, lawsuits and the ultimate ruin of the business. They understand what information needs protection and they have built a culture that knows how to protect it. They took the time to look at their business, determine their goals, understand the risks and decide on a plan of action. They use technology to facilitate things, but without creating simple processes and training people on how to execute them, they wouldn’t be successful.
Doing the right thing isn’t onerous, it’s just good business.
Photo credit: sergis blog