Data Security in Your Workplace
Data. Arguably the most valuable commodity on earth, and easily one of the highest-risk. Let’s talk data security.
The Data Security Problem
Large numbers of the modern-day workforce are equipped with laptops as their primary way of getting work done. That amounts to an army of portable vulnerabilities loose in the world. Not to mention how stunningly simple it is for well-meaning employees to compromise data during what seems like routine use of their device. From using unencrypted USB drives to connecting to unsecured public Wi-Fi, there are myriad moments where your defenses are weak, and it happens across every sector. From governments to popular retailers to healthcare companies, failure to defend sensitive information adequately is becoming both staggeringly expensive and challenging to completely prevent.
What Sensitive Data?
There’s the obvious stuff: you don’t want anyone getting your recipe for the secret sauce. But let’s talk about PPI. PPI, or Personal Identity Information, is a person’s first name (or initial), last name, and any one of the following:
- Social security number
- Driver’s license or ID card number
- Any account numbers, payment info or security question responses
- Medical information
- Health insurance information
If you have client information of these types on your laptop, you’re carrying around massive liability. These are the things you can get in serious trouble for if the information is compromised.
Like Handling Hot Potatoes
The security problem is even more precarious when companies use the BYOD (Bring Your Own Device) model for provisioning their teams.
Breach rates under the BYOD model are much higher than for company-owned fleets, for a number of reasons. It’s challenging to take strong enough security measures when you’re dealing with an employee’s own device. For example, they may encrypt their machine and follow a strong password policy for accessing a VM or company servers and databases, but route their email to a local client (a common practice). Not to poke at a sore subject, but if we’ve learned anything from Hillary, it’s this: email is the rogue player in the security risk game.
There are plenty of people on your team who don’t think twice about sending emails containing piles of lawsuit-provoking PPI. You can be sure that some of your own people are walking around with their email in a local client, or with a saved password for web-based email. Suddenly, major data theft is as simple as a poorly attended laptop bag. And, since you’re not dealing with corporate-provided machines, you have no back-end device control, such as your IT staff being able to remotely wipe a machine. Nor can you prevent people from installing add-ons and apps on their computers, which often request access to things like contacts and email: massive back-door threats to sensitive information in the innocuous guise of a harmless game or productivity app.
Of course, this doesn’t even touch on the headaches you face when these machines reach end-of-life. Treasure troves of data sit on outbound machines that still need to be dealt with; where do you even start?
In short, this is not a simple problem to fix. Between hackers and malware, theft and negligence, there are many moving parts to shoring up corporate liability on the data security front. But a good start is to understand just how many chinks in the armor there might be. It’s worth taking a fresh look, because who knows: some of your laptops may be host to vulnerabilities that put your company in that funny “so subtle, but so obvious” zone that got Hillary in so much trouble.