There’s a great article in the Wall Street Journal about whether companies should allow employees to use consumer file sharing services like Dropbox. Two analysts – Ted Schadler from Forrester Research and Larry Ponemon from the Ponemon Institute – share their somewhat opposing views on this. The bottom line, however, is that employees are sharing more information (files, documents, data) with their colleagues, clients, customers, and other third parties to get their jobs done, and that need is only increasing over time. So either give them the tools to share securely, or run the risk of your data escaping into the wild: if you don’t, they’ll find another way to share that information, and it most likely will not be secure.
Some of the more sobering statistics they discuss: 90% of companies polled have experienced a loss of a sensitive or confidential document in the last 12 months; 37% of employees have used cloud services like Dropbox to transfer confidential documents without obtaining consent from their employers; and, worst of all, only 32% of organizations polled actually took any steps to ensure employees knew how to share confidential information securely.
At an average of $200 per customer record breached, this is not inconsequential for large breaches, but I think the bigger problem is having to face your customers or clients and tell them that you screwed up. It’s hard to recover from a tarnished reputation.
What are things you can do? Well, here are a few steps you can take:
- Perform an assessment of the type of information your employees need to share – what kind of files and data – how sensitive is it? What would happen if that information somehow got into the hands of someone else?
- Look at your IT infrastructure and see what you have available. Common tools are email, FTP, and of course you can always overnight a USB stick, hard drive, or even printed documents. None of these methods is secure – you need to look at solutions that can both encrypt the information and track it as it makes its way to the ultimate recipient. Understand the limitations of your existing document and message delivery systems.
- Set firm corporate policies on what information is considered confidential and how it should be protected. I think this is very often overlooked and can certainly cause an unwanted breach through lack of knowledge.
- Invest in tools and solutions that help you lock down your information. This spans several areas of your IT infrastructure, ranging from firewalls and anti-virus/malware protection to data loss prevention (DLP) and secure file transfer.
- Make sure whatever solution you buy is easy to use for your end users – an overly complex solution can drive people back to the insecure sharing tools that can cause you grief.