A lot of us worry about confidential information leaking out to competitors, bloggers, news organizations or the general public. Some go to extraordinary lengths to lock down everything, but that can prevent legitimate business. Others take the time to determine what is sensitive and do their best to prevent malicious disclosure.
If you work in a department that has to legitimately use someone’s social security number, you can put technology in place to prevent disclosing it to unauthorized people. You can encrypt it in a database, use data loss prevention to make sure it doesn’t go out through email, and even watch people’s keystrokes if you want to get severe. Technology is important, but a lot of it comes down to trusting the people in your organization. If you don’t trust them, no amount of technology can stop everything.
A great example was a few years ago when a temporary employee in Milwaukee County’s human resources department was charged with stealing the personal information of more than 30 current and retired county employees. As part of her job, she had access to social security numbers, phone numbers, addresses, birth dates, you name it. That’s normal since she was in an HR department.
How did she steal the information? She used an old fashioned pen and paper. She pulled up the information on a computer screen and jotted it down on a notepad. She put the paper in her pocket and walked out the door.
Did Milwaukee County trust this employee? Do you trust yours? How do you find out if you have someone trustworthy? Nobody wants a locked down workplace where everything is monitored and you are frisked every time you walk in or out of the building. So how do you stop all possible data breaches?
You can’t. Just like there is no way I can prevent a sophisticated criminal from breaking into my house, I can’t deter all data breaches. I lock my front door to prevent most people from getting in, but if James Bond wants to get in, he will get in.
I can put processes and technology into place that discourages and stops most of the data leaks. This starts with defining what is sensitive and should remain confidential. Personally Identifiable Information (PII) is always confidential. Your latest product announcement is not once it hits the news wires. Since most information sits in databases (including email) and documents, you can start by locking them down. Make sure your databases are encrypted. Make sure that information downloaded from databases into documents is encrypted. Make sure any document with PII or other confidential information is encrypted. Put a persistent security policy on your documents so you can control who can access them and what they can do with them. Remember that a picture, a Microsoft Word file, a video and a voicemail are all containers of information – they are documents.
Your processes should start with hiring the right people and letting them know what you expect of them; that includes training them on proper handling of sensitive information. Investigating a person’s work history and background is easy today with a simple Google search. It might sound silly, but having content employees is half the battle. If employees feel like they are valued and part of a team, it goes a long way toward a more secure work place. If my employer trusts me, I will return that trust. If my contributions are valued, then I feel that hurting the company by exposing confidential information hurts me. And all of us are into self preservation.
I know this doesn’t always work, but it’s a good start. Just like with the lock on my front door, it can’t stop everything. Hire good people, keep them engaged, tell them what you expect of them and train them on computer, data and document security. Add data and document encryption with a persistent security policy and you will stop most of your problems.
Photo credit Wallula Junction