
Are you running yourself ragged trying to keep unauthorized users out of your data, not realizing that your biggest threat is your own employees? Employees are often the single greatest threat to an organization's data security, whether accidental or intentional. But with the right approach, you can help manage the risk of malicious or unintentional acts.

An employee may think they are doing a harmless task by emailing attachments to clients, but instead they could unintentionally be spreading the attachments to a malicious individual who could post them for the world to see. One way to secure your company data is to label data with classifications. Some common labels are Public, Internal, Restricted and Restricted Confidential. Once your classifications are established, only allow your employees to read or write on the levels for which they are classified.
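The following sketch is an added example, not part of the original article: it applies the four labels to the emailed-attachment scenario above by checking an outgoing message before it is sent. The addresses, the `example.com` domain, the function names, and the rules that a clearance covers every lower level and that outside recipients are cleared for Public only are all assumptions made for illustration.

```python
from enum import IntEnum

class Label(IntEnum):
    # The four labels named in the article, least to most sensitive.
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    RESTRICTED_CONFIDENTIAL = 3

# Constructed sample data: employee clearances and the firm's mail domain.
CLEARANCE = {
    "alice@example.com": Label.RESTRICTED,
    "bob@example.com": Label.INTERNAL,
}
INTERNAL_DOMAIN = "example.com"

def clearance_of(address):
    """Unknown or external addresses are treated as cleared for PUBLIC only."""
    address = address.strip().lower()
    if not address.endswith("@" + INTERNAL_DOMAIN):
        return Label.PUBLIC
    return CLEARANCE.get(address, Label.PUBLIC)

def may_access(address, label):
    """Assumed rule: a clearance covers its own level and every lower one."""
    return clearance_of(address) >= label

def review_outbound(sender, recipients, attachments):
    """Return (filename, reason) for each attachment that must not be sent.

    attachments is a list of (filename, Label); an unlabelled file (None)
    is blocked, so missing labels fail closed.
    """
    blocked = []
    for name, label in attachments:
        if label is None:
            blocked.append((name, "no classification label"))
        elif not may_access(sender, label):
            blocked.append((name, "sender not cleared for " + label.name))
        else:
            over = [r for r in recipients if not may_access(r, label)]
            if over:
                blocked.append((name, "recipient not cleared: " + ", ".join(over)))
    return blocked
```

An empty list from `review_outbound` means every attachment is labelled and within the clearance of both the sender and all recipients.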

Are your laptops secure? Would you still answer "yes" if I rephrased the question and asked, "If one of your employees leaves their laptop at the airport, is your data secure?" It could be if the necessary precautions are taken. A free solution would be to keep all sensitive information on your company network and only have what you need for that day's work saved on the laptop itself. The downside is that this solution would not work if an expert thief got hold of the laptop, because deleting files from your computer only deletes the pointers to them. Documents can still be retrieved with sophisticated software. As users, employees have to be aware that they should only collect enough sensitive data to do their job. Extra data means more could potentially be stolen.

Another relatively cheap, or free, solution would be using BIOS passwords on laptops. This, too, has its downsides, as BIOS passwords can be broken by educated thieves, but passwords will keep the vast majority of thieves out.

A better solution would be to use full disk encryption in conjunction with both implementing BIOS passwords and keeping as little sensitive data on the laptop as possible. This would allow the whole disk to be encrypted, meaning it would be unreadable to all except the authorized user. This is by far the best solution to protect a lost laptop. There are some advanced disk encryption products out there that would allow you to sleep soundly, even in the rare event that a laptop is misplaced.

Here's another question for you: Is your firm using USB drives?  These drives are a very efficient method of transferring data.  They can also cause big problems for an organization.  An employee could very easily lose a USB device, and a thief could easily walk away with your data.  An easy way to secure these devices is, again, to use encryption.  Encryption can easily be added to any USB drive.

The most important aspect of data security is employee awareness. Employees should be required to attend a Security Awareness Training once a year. It is also very important for employees to see management attending these trainings, as it establishes tone at the top. Whether it is an email that is captured by a competitor, or a piece of paper in the dumpster that is picked up by someone selling information on the internet, the majority of these instances can be summed up as carelessness and could easily have been prevented. You can save your company millions of dollars and a lot of bad press by simply making your company aware of potential risks.

For more information on keeping your company's data secure, contact Dave Hammarberg, CPA, MCSE, CITP, CFE, CISA, Consulting Manager with McKonly & Asbury at dhammarberg@macpas.com or by phone at 717.761.7910.
 



Our firm provides the information in this e-newsletter for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation.

The drafter of the tax articles in this e-newsletter did not intend nor write the advice to be used to avoid any penalty imposed by a taxing authority, nor may any user/recipient of this document use this document’s written tax advice for that purpose. This document’s tax advice was written specifically to support the promotion or marketing of the transaction/matter addressed by the written tax advice. Therefore, any user/recipient of this document should seek an independent tax professional’s advice regarding the user/recipient’s particular circumstances.

 The information is provided "as is," with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.