Sony. Home Depot. J.P.Morgan. eBay. Target.
What do these five companies have in common? They were all victims of massive data breaches between December 2013 and November 2014. Over 440 million total records were compromised including proprietary information, employee details, credit card numbers, login credentials, physical addresses, and email addresses. In fact, according to Bloomberg, there have been over 75 data breaches reported with over 1,000,000 compromised records each since 2005. The breaches have affected such diverse industries as retail, financial, technology, government, and healthcare.
Due to this recent dramatic increase in corporate hacker activity, information security is being forced to evolve. Gone are the days of information security being a dedicated IT project. Today, it must become the core of many of your business decisions. But this necessity raises a question: how do you protect your enterprise’s confidential and proprietary data from being compromised? Keep reading to learn the best way to safeguard your company’s sensitive information.
1. Identify & Prioritize Information That Is Confidential
Like any large corporation, your company has a profusion of information that must be assessed for confidentiality. This can be a daunting task and should begin by categorizing different types of information by level of confidentiality. This can facilitate the prioritization of data security.
Once your confidential information has been identified and prioritized, the easiest place to start is generally customer information systems and/or employee record systems. These systems hold finite, easily quantifiable data that needs to be protected, such as social security numbers, credit card numbers, and other structured data, and that information is generally accessed by only a few specific systems. Your next step is to secure less structured information like correspondence and contracts. This is generally done on a departmental level.
2. Study Your Current Information Flows and Assess the Risks
In today’s world of corporate data breaches, it’s not enough to review your current procedures and policies regarding the flow of confidential information. Instead, it is critical to study how confidential information actually flows within your organization. Determining the flow of information is relatively straightforward, but you also need to identify leakage risks with a more in-depth look at how confidential information moves within your organization. Begin by answering these questions:
- How is confidential information entered, processed, modified, and distributed?
- Who has access to this information and when?
- What is the chain of events associated with accessing the information?
- Does actual behavior adhere to stated policies and procedures?
Utilizing these questions when looking at how confidential information flows within your company will allow you to identify vulnerabilities in your company’s handling of this sensitive information.
3. Create Appropriate Policies for Information Access, Usage, and Distribution
Your assessment of information flow and the associated risks can greatly aid your company in crafting new policies relating to confidential information. Your new policies should be designed to govern who can receive, access, use, or distribute various types of confidential information. They should also determine when that data can be accessed by different members of your team. Remember that employee records, intellectual property, executive communications, and customer information will probably require different policies and procedures.
4. Implement, Monitor, and Enforce Your New Policies
After determining what your new policies will be, you need to properly implement, monitor, and enforce them. Creating the best policies in the world won’t amount to much if you don’t monitor and enforce their use. Implementing these policies will require control points that monitor the access and usage of confidential information. An Identity and Access Management (IAM) solution can help to simplify this process. Using such a system, you can centralize visibility and control and implement core identity compliance controls and user lifecycle processes, allowing you to actively measure and monitor the risk associated with different users and resources.
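As an added illustration of such a control point (this is example code written for this article, not a product or script the article describes), the following Python script replays access events against a written policy. It ties together the question from step 2, whether actual behavior adheres to stated policy, with the monitoring requirement in step 4. Everything in it is constructed: the data-set names, the roles, the users and the log lines are hypothetical, and the policy model (a classification, the roles allowed to read a data set, and the hours during which access is expected) is an assumption made for the example.

```python
"""Replay constructed access events against an access policy and report
every deviation. Example code for this article; all names are hypothetical."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    classification: str        # e.g. "restricted" or "confidential"
    allowed_roles: frozenset   # roles permitted to read the data set
    allowed_hours: range       # local hours during which access is expected


# Constructed policy table for three hypothetical data sets.
POLICIES = {
    "customer_db": Policy("restricted", frozenset({"billing", "support"}), range(7, 20)),
    "hr_records": Policy("restricted", frozenset({"hr"}), range(8, 18)),
    "contracts": Policy("confidential", frozenset({"legal", "sales"}), range(0, 24)),
}

# Constructed user directory: user -> set of roles (stands in for an IAM lookup).
USER_ROLES = {
    "alice": {"billing"},
    "bob": {"hr"},
    "carol": {"sales"},
    "dave": {"support", "legal"},
}

# Constructed access log: timestamp, user, resource, action.
SAMPLE_LOG = """\
2014-11-03T09:12:45 alice customer_db read
2014-11-03T02:40:10 alice customer_db export
2014-11-03T10:05:00 carol hr_records read
2014-11-03T11:30:22 bob hr_records read
2014-11-03T23:15:09 dave contracts read
2014-11-03T12:00:00 mallory customer_db read
"""


def parse_line(line):
    """Split one log line into (timestamp, user, resource, action)."""
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action


def check_event(ts, user, resource, action):
    """Return the list of policy violations for one event (empty if conformant)."""
    findings = []
    policy = POLICIES.get(resource)
    if policy is None:
        # Step 1 of the article: anything not classified is itself a finding.
        return [f"unclassified resource {resource!r} accessed by {user}"]
    roles = USER_ROLES.get(user)
    if roles is None:
        findings.append(f"unknown user {user!r} accessed {resource}")
    elif not roles & policy.allowed_roles:
        findings.append(f"{user} (roles {sorted(roles)}) not permitted on {resource}")
    if ts.hour not in policy.allowed_hours:
        findings.append(f"{user} accessed {resource} at {ts.time()} outside expected hours")
    if action == "export" and policy.classification == "restricted":
        findings.append(f"{user} exported restricted data set {resource}")
    return findings


def audit(log_text):
    """Replay every log line against the policy; return {line_number: findings}."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = check_event(*parse_line(line))
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    for n, findings in audit(SAMPLE_LOG).items():
        for finding in findings:
            print(f"line {n}: {finding}")
```

Run against the constructed log, the script flags the off-hours export of the customer database, a sales user reading HR records, and an account that does not exist in the directory, while the conformant reads produce nothing. The useful design point is that the policy table is data, not code: when the policies from step 3 change, only the table is edited, and the same replay can be re-run over the last period's logs to check conformance, which is the periodic reassessment the article calls for.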
Unfortunately, this is not a “set it and forget it” process. Hackers are relentless in figuring out new ways to thwart corporations’ security, so you have to reassess your company’s risks and vulnerabilities on a fairly regular basis. Creating new security procedures won’t do you much good if you’re not actively trying to improve them to meet new threats and vulnerabilities. Creating a secure environment for confidential and proprietary information within your organization is not a single event; it’s an ongoing process.
Sources:
http://www.bloomberg.com/graphics/2014-data-breaches/
http://www.computerworld.com/article/2563307/security0/five-steps-your-company-can-take-to-keep-information-private.html
http://www.gartner.com/technology/topics/information-security.jsp