Now more than ever, information is the lifeblood of any business, and it's for good reason this period is known as “The Information Age!” But when last did you give any thought to how information is gathered, stored, and protected in your business? For some time now, I have been advising readers to take steps to secure their data and to prepare themselves for a disaster scenario.
On reflection however, I am reminded of a conversation a fellow IT professional and I were having with a businessman on a street corner in the Federation about five years ago when the issue of data security was raised. My colleague asked if businesses took data security seriously and if employers made use of firewalls, encryption, etc. The businessman was very animated as he admonished us, “Data security! Data security! Man, we barely have confidentiality and you want to talk about data security!” The point was well made! But where do you start?
An effective audit and implementation of an IT Policy, or simply an Information Policy, Confidentiality Clause, or Agreement, are good places to start. One should also keep one key fact in mind: most security breaches (or lapses) originate internally, and not through hackers or external sources.
Treat information like any other business asset or resource; you don’t give the messenger or receptionist a corner office, so why should they have access to potentially sensitive information?
It's bizarre how many times you might call an organisation asking for Mary, only to be told “she stepped out,” with no indication of when to expect a return call from Mary, when to call back, or even if Mary will be back for the day. Yet the same person answering the phone will volunteer the information that “Mary is off island,” without even asking for your name or your reason for calling. This too is information that should be held as confidential or secure.
Information should be treated on “a need to know basis,” so ask yourself whether this person or group needs access to particular information to effectively discharge their duty. Information is not confined to e-mail and computer systems such as accounting and database information, but includes letters, faxes, and other printed material, and therefore should not be left in plain sight of those visiting your office. Adopting a clear desk policy would be a good start and should extend to your computer desktop.
I won’t ask you to entertain something as dramatic as a hacker, or the loss or theft of your laptop or desktop computer, but consider something as mundane as an outside technician accessing your PC to do some work. What information might he or she gather from files on your desktop? The key to introducing any policy is to get the buy-in of those who have to follow it. Some might resist and see it as an affront or a suggestion of a lack of trust, particularly if their access to some information has been revoked or denied. However, a policy protects them too, and this should be pointed out.
The essential point to remember is that if key information is not available to the right people at the right time, business could be lost. There are resources on the internet that will help you draw up a policy; however, implementing one is another matter entirely, and consideration should be given to engaging the services of a professional to assist you in developing a policy that is right for your situation.