There comes a point in all company life cycles where confidential information must be shared among employees and business partners for companies to grow. Information has to be shared for many reasons, and from my experience as an information security auditor, I see sensitive information being shared with accountants, solicitors, auditors, IT support and of course a company’s own employee base, amongst many others.
This is all well and good if these are trusted third parties that will keep your secrets safe, but with all the best will in the world, even these third parties might become security targets and not know how to keep your information safe.
Information security assurance is not a one-time exercise. You cannot just give a third party (or employee) information and assume they will just keep it safe from then on.
Companies should also keep track of what information third parties might keep, what they do with it, and how they will dispose of it once they have finished with it.
I would recommend that all companies implement the following:
A Data Handling Policy
Set out the ground rules on what third parties and employees can and cannot do with data. This is a powerful legal tool should things ever go wrong. Without one, a judge might rule that your company was itself negligent with the data, having handed it to an entity that did not realise how sensitive it was and subsequently lost it.
A clear, concise one-pager is more than enough. It should define why the information has been shared, what people are allowed to do with it (for example, not to put it in the cloud or an email system) and, specifically, how they should destroy it once the task it was shared for has been completed.
An Information Asset Register
Sounds easy, does it not? I challenge all of my clients to provide me a list of who has their data, what they are doing with it, and how long they are allowed to keep it. They all struggle, and the adoption of cloud-based services has made this somewhat trickier.
However, if you do not even know where your data is, you cannot secure it, so this is a critical control. The data breaches we hear about in the press are so often attributed to third parties, or to employees putting information on thumb drives, while senior management believe the data is safely locked away on an encrypted hard disk in a secure datacentre and play the “these hackers were just too clever and stole our data” card, despite the negligence of their own employees.
Third Party Security Audits
Do not just give third parties data and assume they are safe. Assume they are not, and ensure controls are in place before you give them data. A simple one-page questionnaire is usually more than enough to identify the culprits and take positive, remedial action if information has been put at risk.
You might want to drill down a bit more with riskier third parties, but if you’re starting from nothing, start simple and broad. Then drill down once you are sure you have captured all of your data handling entities.
Employee Security Awareness
Remember that in this day and age it is socially acceptable to share compromising pictures on Facebook with the whole world, so why would employees treat sensitive company data any differently? It is down to your company to ensure employees raise the bar and do not compromise your data.
Regular security awareness campaigns using a variety of different media and one-to-one training are essential if you are to rely on your employees to keep data safe. You might also want to bring in one or two of your third parties and take a collaborative approach.
An Incident Response Procedure
Clearly define in simple terms what to do if information goes missing – one day it will. You will be able to reduce the probability of information loss through implementing the above controls, but where humans and human-programmed systems are involved, information will always go missing, and a prompt, effective response will minimise the impact of any data breach.
Regular reviews of the above
Do not just do it once and forget, as that is exactly what your third parties and employees will do. Keep it fresh, define a review period, and get senior, board-level support to ensure the company takes your efforts seriously.
If you are just starting out, I would recommend quarterly reviews. Once a year, although deemed acceptable by standards such as PCI DSS, is too infrequent: too much changes in between.
Increasing collaboration will always reduce security in an enterprise. The more widespread information is, the more likely things will go wrong. Taking steps to reduce the probability and impact of data loss, through a structured and effective information security programme, is essential if you are looking to increase collaboration and information sharing inside and outside the enterprise.
In fact, the terms of the Data Protection Act demand it, and if you have poor governance then not only will you lose data, you face the risk of fines from the Information Commissioner and the impact of brand damage that goes with it.