There was a time when companies worried about letting employees connect to the corporate network from home. Many articles were written on the topic, discussing the risks and how to create policies that mitigate them. That concern has not gone away. What has changed is that employees now make those connections from their own laptops, tablets, wearables, and smartphones, and the number of such devices keeps growing, so employees' personal data becomes ever more mixed with business data on the same hardware. As an organization, you must take steps to protect everyone involved.

Determining Your Risks
The first step you must take is to perform a high-level risk evaluation. During this evaluation you should ask:
What types of devices are your employees using (e.g. computing, storage, smart devices) for work activities? Where are they being used? What security controls are in place at those locations?
How many of the devices are owned by the business and how many by its employees? How can business information be removed from employee-owned devices? (This is especially important when employees leave your business.)
What devices is your business using to collect data of any kind?
What types of devices are being used to store information for your business?
What mobile apps are being used? Once you know this: What information are they collecting? Who’s this information shared with? Who has access to all your business’ data?
What type of training and awareness have you set up for your employees? Are there any confidentiality contracts in place?
Once you’ve made your way through this list, you’ll want to go even deeper in search of any risks or gaps there.

Create and Document Security and Privacy Policies and Procedures
With your risks identified, it’s time to establish documented security and privacy policies that reduce those risks to an acceptable level. Giving employees clear rules for every type of technology they use has a major, positive impact on your business. Policies alone are not enough, though: you must also document the procedures that put them into practice.
One thing you must remember here is that if your policies and procedures aren’t documented, you can’t expect employees to know they exist. This is why you must take some time to write down the following types of policies and procedures:
Non-disclosure and confidentiality agreements should be signed by every employee when they start working for you.
Processes regarding how you’ll get data from all your employees’ computing devices once they no longer work for your company. This should include reviewing with them how they’re under a legal obligation not to use the data for other purposes and what they should do with any information they had access to while working for your company. Reviewing the legal ramifications of all these things with them before the end of their last day working for you can save everyone a lot of time and trouble in the future.
Information about what types of technology employees are and are not permitted to use while at work.
Policies regarding where business information (e.g. information about customers, employees, patients; personal information) can and can’t be posted, shared, stored, etc.
Requirements outlining how employees who use their own devices in unlimited locations should be trained to protect everyone’s security and privacy.

Identify Tools to Support the Policies and Procedures
Technical tools help you verify that the controls behind your policies, such as firewalls and malware defenses, are actually working. There are many tools you can choose from for this purpose. They include:
Encryption for all types of data: data at rest, data in transit, and data you are collecting
Logging tools that track the data your business holds about itself, its customers, employees, and patients, and who accesses it
Remote tools that can wipe data from devices that ex-employees have used or that were lost or stolen
Firewalls and anti-malware tools for all the devices your business uses
Periodic privacy impact assessments (PIAs), risk assessments, and audits

Train Employees to Meet Your Requirements
Unless you take the time to train your employees in what to do, they won’t know what you expect of them. Not just any training will do. It must be effective, which means it must be more than simply handing them a document.

Send Occasional Reminders to Continue Encouraging Awareness
As time passes after training, employees will think less and less about how to secure your customers’ information and protect their privacy. This is why you must regularly remind your employees to take the steps that protect your customers.

Always Monitor Compliance
Creating rules for using computing devices and managing business data isn’t enough. You must also make sure that the rules you’ve put in place are effective. Publishing the rules and then assuming they are followed never works, because there will always be people who don’t understand, don’t notice, or choose not to follow them, and others who forget them or make mistakes. Any of these can lead to incidents and breaches of your business’ information. To keep this from getting out of hand, you must monitor how effective your policies and procedures are throughout your business.

Conclusion
As a business owner, it’s up to you to keep up-to-date with what the current and emerging risks are in your industry. You must also pay attention to all the trends that exist around the public use of technology and computing devices. Knowledge is only the first step, though. From there you must also make sure you create and document rules about using this technology. Taking this a step even further: Make sure these rules are being followed by every employee in your organization. While all this will take time, it’s well worth your effort to keep your customers safe so they can continue trusting your business for many years to come.