The news these days is all but overrun with stories of hackers, cyberattacks, cyberterrorism, and the importance of cybersecurity. While concerns about external threats to network security are completely valid (I think Target and its former CEO would vouch for us here), that is only one side of the coin: to be truly secure, you have to look not only at how easily outside forces can make their way into your network, but also at how easily your sensitive data can make its way out of it.
Before you can make any strides towards putting your actual policy together, you first need to:
1. Look at your data. What kind of data do you handle on a day-to-day basis? Financial information? Personally Identifiable Information (PII)? What data is most sensitive? What is least sensitive? If it helps, rank the different kinds on a scale.
2. Determine what is allowed to happen to this data. Can it leave your network? Can it leave your network, but only in encrypted form? Can it not leave your network under any circumstances whatsoever? Are there only certain people in your office who can have access to certain data?
Once you know what boundaries you need to create, the next step is actually putting actionable policy in place to keep your data private.
Ultimately, your policy will dictate what the folks in your organization can and cannot do with your company data. Some of the most important elements to look into are:
1. Internal Permissions. How do you control which people have access to which data? What tools or settings do you need to achieve the proper restrictions?
2. Email. Most PII can only be sent in encrypted form. Do you have the tools in place to send sensitive information securely? Is your staff educated on when and how to use these tools?
3. Remote Access. What data can your people access remotely? Are they able to synchronize it to another device? Do they know the limitations? Are you leaving it to their discretion?
4. Devices. What kind of devices are allowed to tap into your network? Personal? Company-owned only? Is network data only allowed on devices that are encrypted at the hardware level? Will you differentiate between what is allowed on these devices, and what isn’t?
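To make the two preparation steps and the four policy elements above concrete, here is an added example (not code from the article) that encodes a data classification scale, a handling rule per class, role-based internal permissions, and device rules as a small policy-as-code check, then runs a few constructed transfer events through it. The classes, roles, channels and rules are assumptions chosen for illustration; a real policy would use the organization's own.

```python
"""Policy-as-code sketch: classify data, then enforce what may happen to it.

Added illustration; all classes, roles and rules below are assumed, not the
article's.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Sensitivity(IntEnum):
    """Ranked scale from least to most sensitive (step 1: look at your data)."""
    PUBLIC = 0
    INTERNAL = 1
    PII = 2          # personally identifiable information
    FINANCIAL = 3


class Egress(Enum):
    """What may happen to data of a given class (step 2)."""
    ANY = "may leave the network"
    ENCRYPTED_ONLY = "may leave only in encrypted form"
    NEVER = "may not leave under any circumstances"


# Handling rule per class (assumed values).
HANDLING = {
    Sensitivity.PUBLIC: Egress.ANY,
    Sensitivity.INTERNAL: Egress.ENCRYPTED_ONLY,
    Sensitivity.PII: Egress.ENCRYPTED_ONLY,
    Sensitivity.FINANCIAL: Egress.NEVER,
}

# Internal permissions: the highest class each role may touch (assumed roles).
ROLE_CEILING = {
    "finance": Sensitivity.FINANCIAL,
    "hr": Sensitivity.PII,
    "staff": Sensitivity.INTERNAL,
}


@dataclass(frozen=True)
class Transfer:
    user: str
    role: str
    data: Sensitivity
    channel: str              # "email", "sync" or "share"
    leaves_network: bool      # destination is outside the corporate network
    encrypted: bool           # payload is encrypted on the way out
    company_device: bool      # the receiving device is company-owned
    device_encrypted: bool    # that device has hardware-level (full-disk) encryption


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(t: Transfer) -> Decision:
    """Apply permissions, device rules and egress rules, in that order."""
    ceiling = ROLE_CEILING.get(t.role)
    if ceiling is None or t.data > ceiling:
        return Decision(False, f"role '{t.role}' has no access to {t.data.name} data")

    # Device rules apply whenever data is synchronised onto an endpoint.
    if t.channel == "sync" and t.data >= Sensitivity.PII:
        if not t.company_device:
            return Decision(False, f"{t.data.name} data may not sync to personal devices")
        if not t.device_encrypted:
            return Decision(False, "receiving device lacks hardware-level encryption")

    if not t.leaves_network:
        return Decision(True, "internal transfer within access rights")

    rule = HANDLING[t.data]
    if rule is Egress.NEVER:
        return Decision(False, f"{t.data.name} data {rule.value}")
    if rule is Egress.ENCRYPTED_ONLY and not t.encrypted:
        return Decision(False, f"{t.data.name} data {rule.value}; transfer is unencrypted")
    return Decision(True, f"{t.data.name} data {rule.value}")


# Constructed sample events (user, role, class, channel, leaves, encrypted,
# company device, device encrypted).
SAMPLE = [
    Transfer("alice", "hr", Sensitivity.PII, "email", True, True, True, True),
    Transfer("bob", "staff", Sensitivity.PII, "email", True, True, True, True),
    Transfer("carol", "finance", Sensitivity.FINANCIAL, "share", True, True, True, True),
    Transfer("dave", "hr", Sensitivity.PII, "sync", True, True, False, False),
    Transfer("erin", "staff", Sensitivity.PUBLIC, "share", True, False, False, False),
]


def audit(transfers=SAMPLE):
    """Return (user, allowed, reason) per event: what a policy log review would show."""
    rows = []
    for t in transfers:
        d = evaluate(t)
        rows.append((t.user, d.allowed, d.reason))
    return rows


if __name__ == "__main__":
    for user, allowed, reason in audit():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The ordering matters: a request is refused on permissions before any channel or destination is considered, so a user who should never see a class of data gets the same answer whether the transfer is internal or external. The `sync` branch is where the device questions from point 4 live; everything else is the egress rule from step 2.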
Sure, some aspects of the policy may be a bit burdensome. Sure, some can make collaboration more difficult for your staff. And sure, some may require that you invest in additional tools in order to stick within the boundaries you’ve created.
But we can’t tell you how many times we’ve encountered people who have been separated from a company for years and still have corporate data in their personal Dropbox account.