The Simple Secret That’s Essential to Cybersecurity
February 2, 2015
by Deb Ilic, Barker Gilmore
As soon as you start storing information electronically, the risk to your company increases exponentially. That’s why cybersecurity has become such a hot topic in recent years.
But sometimes, we risk overcomplicating it. Yes, there are a lot of unknowns, some of which are outside our control. Yet at its core is something simple that most companies are missing: information management.
Good management of digital records isn’t fundamentally different from managing records the old-fashioned way. It just becomes even more essential when you have so many personal records with the potential to be shared with millions in an instant.
Fortunately there are experts to help us navigate this emerging area of compliance and risk management. To find out what challenges companies have in managing digital records and what they can do, we spoke with Iron Mountain Director and Senior Counsel Michael Zurcher. Iron Mountain is a storage and information management company that helps more than 150,000 companies across the world maintain and protect their data.
Companies increasingly come to Iron Mountain because they’re being asked to do more with fewer resources and have a difficult time getting a grasp on the sheer volume of data, he said. We all know this feeling of being overwhelmed, paralyzed, not knowing where to start. However, when you break information management into smaller steps, you’re more likely to put it into practice.
Here’s what Zurcher suggests.
Assess Your Company’s Records
Find out what information you have, where it’s located and what format it’s in. It’s also important to consider all the information that’s being shared across your organization in the form of attachments.
Are you applying metatags to your digital assets so it’s clear what they contain? You may also want to have your employees use macro-tags associated with their role in the organization and the files they’re creating. Tagging your information makes it easier to take stock of what you have on file and will also help you respond more quickly to regulatory requests.
A unified digital management platform makes this much easier, allowing you to further classify information with drop-down menu items so employees can easily distinguish between internal and external documents.
Do you know which employees have access to certain records, particularly if they contain sensitive information? Does your company have protections in place to prevent that data from being copied onto a flash drive or a way to identify who has copied it? Are there written procedures for ensuring employees who leave the company no longer have access to the information?
“It’s very easy to give someone access,” Zurcher said. “It’s more challenging to revoke that access after someone has left the company or has taken on a new role.”
When there’s a process to follow, however, managing access is a simple matter of doing due diligence.
Develop a Data Schedule
Considering all the types of data you have, how long do you need to keep a record of each?
“What we find is no one really has the time and resources to delete data,” Zurcher said. “But one of the key privacy principles is you should only keep data for as long as you need it. Having more data than you need increases the risk that the data will be mismanaged.”
Your company should develop a schedule of all assets and determine when it’s reasonable to delete them.
If you don’t have expertise in this area, work with a records management professional who can advise you on the requirements for data storage and how to properly delete files you no longer need.
Evaluate Your Plan
At least once a year, take the time to evaluate your company’s data management needs. Ask yourself:
- Are your storage methods still sufficient?
- How well are you managing access to digital records?
- Have you had any incidents of lost or stolen equipment that put your data at risk?
- Did you experience any unauthorized release or use of data?
- If your company has a BYOD (bring your own device) policy, are you taking the appropriate precautions, such as requiring all devices to be password-protected and all sensitive data encrypted?
- Which vendors have access to what data, and do they have the appropriate safeguards?
- Do you know IT’s and your business partners’ plans and goals for the next year(s)?
- How meaningful and effective are your trainings?
Good data management is often overlooked in discussions of the latest virus or denial-of-service attack. It doesn’t often make headlines. But it’s the foundation of any strong cybersecurity program.
For more best practices from Zurcher and other cybersecurity and compliance professionals, read our guide, “Cybersecurity: 4 Best Practices From the Pros.”
About the Author
Deb Ilic is managing director at BarkerGilmore, a legal recruiting firm that specializes in hiring in-house counsel and compliance officers. For more information, visit the BarkerGilmore website at barkergilmore.com.