Corporate security: A business, ethical and legal requirement
William Ho, president, Biscom
Since the emergence of the written word, leaders and other information keepers have gone to great lengths to ensure that confidential information does not get into the wrong hands. Militaries have been using encryption for thousands of years, and wax seals have been used to authenticate senders and ensure that messages were not compromised.
Confidential data is the lifeblood not only of governments and militaries, but also of modern businesses. Every day, volumes of healthcare information, intellectual property, legal documents, contracts, financial spreadsheets, corporate agreements, and human resources documents pass from one entity to another. The vast majority of that data is stored, transferred, and accessed through electronic media, and that information getting into the wrong hands can have devastating consequences for both businesses and individuals. Protecting confidential information today is not only a business and ethical requirement, but quite often a legal requirement.
Today’s businesses need to take a two-pronged approach to control the security of their information. The first step is to institute administrative security measures, and the second is to back them up with logical and physical controls. It is critical to educate and train people on the types of data they will encounter and to institute policies that define the proper processes for inspecting, using, disclosing, modifying, and eventually destroying sensitive data. For some industries, data security policies are mandated by state or federal law, such as the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of individually identifiable health information, or the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain their information-sharing policies to customers and to safeguard sensitive data.
Fortunately, technology for information security has evolved and can help organizations ensure data confidentiality, authenticity, and availability. When evaluating technology to help you meet today’s security standards, keep the following points in mind. Email is not a secure method for delivering electronic information. Secure file transfer (SFT) solutions are a better option than email, are easy to use, and keep track of who receives what information. When selecting an SFT system, make sure that it automatically encrypts information both in transit and at rest. Fax is also a common method for sending confidential information, but today’s fax systems often never use paper and don’t involve actual fax machines. Faxes can simply be electronic documents, and they still need the proper security to make sure they’re encrypted and routed properly. If you’re going to use physical media, such as DVDs and USB drives, to hold confidential information, encrypt the data first. Networks and file servers also need to be locked down and protected, and sometimes that protection is not just from external malicious attacks. Data breaches can occur internally, so access control is important. Make certain that your processes and technology have controls in place to ensure that sensitive information is not distributed or accessed improperly, whether internally or externally.
To get a handle on the information flow in and out of your organization, look at what information your critical business groups and knowledge workers use and how it should be classified. Many firms do not have explicit information use policies. Establishing those, and making sure everyone in the organization is trained properly, is mandatory: we all know the weakest link is where a chain will break, and this applies to your users. Look at the tools and processes you have in place to handle the flow, storage, and access of sensitive information. There are many point solutions that provide specific protection, but information management and security need to take a holistic approach. Choosing the tools to keep information confidential may no longer be as simple as ciphers and wax seals, and with so many choices today, it’s not always clear which solutions will work best for you. Invest in up-front analysis and you’ll have much more success choosing solutions to help you manage your information systems.