As more high-profile data-theft stories continue to dominate the news, organisations are increasingly under pressure to have a clear understanding of their data and how it can be accessed.
Despite efforts to stem the flow of breaches, the emphasis needs to be on prevention rather than cure.
Last month, Yale University acknowledged that a recent change by Google to include searches on FTP servers had led to the potential exposure of sensitive personal information affecting more than 43,000 students.
Given that FTP servers are often used to share corporate information more securely, many organisations may find themselves having to manage similar data security issues that are not within their control.
With this in mind, businesses need to have stringent controls for data that is managed both internally and elsewhere. As both insider and external threats continue to rise, below are a few best-practice points to counteract potential breaches.
Separate externalised data

It is crucial to ensure that all data published or presented externally (including FTP repositories) meets your organisation's requirements for privacy, security and authenticity. With a number of file transfer methods available, it's important that employees are aware of policies that categorise which data can be externalised.

Understand the implications of social media

Data and information can now be exposed through a multitude of social media channels. Organisational policies and checks must be extended to keep up with the various data sources to highlight and plug any potential gaps or vulnerabilities. Social media represents one of the greatest risk scenarios if not managed with care. Organisations are liable for the data that is captured from social media streams, so it is vital to implement policies and restrictions that control what is exposed.

Ensure appropriate security is applied to internal data repositories and stores, particularly those containing personal information

Historically, many organisations have responded slowly to data storage requirements or failed to remove duplication of records. Users may have selected tactical storage solutions such as removable media drives, cards and online storage solutions such as Mesh and Dropbox. Although these solutions can provide effective storage, the data moves outside of your control and must be secured. Understanding, policing and managing encryption on removable and online data repositories enables businesses to blend flexibility with the security needed to safeguard integrity.

Audit your controls

Changes made by others (including third parties) may impact on your strategy. Ensure you do not rely on the security policies of others to enforce your data controls. Know your data, publish data security guidelines to your staff and ensure these guidelines are enforced, particularly for new starters or when staff members leave your company. For the latter, ensure you recover the data and restrict access to the appropriate users.

Understand mobile working

Businesses are becoming more mobile with their data and it is up to each organisation to ensure it is aware of the risks associated with a change in its working practices. Laptops, memory sticks and external hard drives need to be encrypted, and strict controls should be applied to limit access to wireless networks to authorised users only. Clear guidelines on the creation and usage of passwords can help to secure devices that are accessed remotely, for example via the use of two-factor authentication on your VPN.
Failure to manage sensitive information both inside and outside the office can have severe consequences for an organisation's reputation and profitability. Today, information can be exposed in a variety of ways and it is important that organisations meet the challenge of securing their data.
Matt Lovell is chief technology officer at Lumison