Obviously, information security and risk management are critical issues for any organization, regardless of its size or the industry in which it participates. But maintaining the security of your information and others’ information that you possess, as well as mitigating the risk associated with data breaches, is difficult and getting tougher all the time. This is particularly true in an era in which employees and contractors increasingly use their personal devices and applications to create and store corporate content.
There are some important questions about your organization’s information security status and practices that you should be asking – and that you should be able to answer quickly:
- Do you know how many users in your organization have installed and are using Dropbox, Microsoft OneDrive, Google Drive or a similar solution to store work-related documents? If so, do you know what data they are storing there, and does your corporate IT department have ready access to that content if, for example, an employee leaves the company?
- Are some of your employees sexually harassing other employees or sharing ethnic jokes through the corporate email system, instant messaging or social media? If so, can you readily identify these people in real time or near real time and take appropriate steps to ensure that it stops immediately?
- Are any of your employees sending sensitive or confidential information to your competitors?
- When the corporate email system goes down, do your employees use their personal Webmail accounts to continue sending work-related emails? If so, are these emails and their content easily recoverable by your IT department so that they can be scanned and archived in compliance with corporate policies?
- When employees leave the company, is there a formal and reliable process for decommissioning their access to corporate resources, including their access to personally managed repositories that store corporate content?
- Do ex-employees still have access to your corporate systems and/or data assets?
- Do users employ strong, unique passwords to access corporate resources, and is multi-factor authentication enforced where it is available? Are passwords changed promptly when there is evidence of compromise? (Current guidance, such as NIST SP 800-63B, recommends against forcing periodic rotation on its own; screening against known-breached passwords and requiring MFA do more to reduce risk.) Are corporate credentials managed centrally by IT rather than left to individual users?
- When users need to send files that are larger than can be sent by your corporate email system, do they use a corporate-managed solution to do this?
- Do users encrypt emails when necessary, such as when sending customers’ personal financial information or employees’ protected health information?
- Have employees received formal training about protecting themselves and the organization from phishing or spearphishing attacks? If so, are they tested periodically, for example with simulated phishing campaigns, to determine whether the training has been effective?
- Is your organization archiving business records to satisfy eDiscovery, regulatory or other obligations? If so, are you archiving them in email only, or in every venue they might be found, such as instant messaging, social media, Dropbox, Salesforce Chatter, etc.?
- Is the content from employees’ smartphones and tablets – whether company or personally owned – archived on a continuous basis?
These questions are just the tip of the iceberg with respect to the types of questions you need to be asking – and that you should be able to answer quickly and accurately.