There seems to be no end of cautionary tales in the media these days. Hackers steal over four million credit card numbers, more hackers steal students’ personal information, electronics come straight from the factory already infected, the swipe card you use for door access at work and elsewhere can be easily cloned, and even your pacemaker (if you have one) isn’t safe.
It’s like a hailstorm of bad technology news. I might move to a deserted island somewhere and give up all my modern conveniences in order to escape the digital mongrel hordes that are after my data.
So what do you do? You take all the precautions you can. You make sure your anti-virus, anti-spyware, anti-malware and anti-spam software are all up-to-date. You make sure your OS is up-to-date. You are careful about what links you click, what emails you open, what programs you install. You make sure your spouse, kids, mom, dad, cousin and aunt are all aware of the same precautions and are taking them.
Sounds tedious. Sounds time consuming. Sounds like a pain in the rumpus. It is. But you’re not done yet. You need to make sure that all the people who have your data do the same: the grocery store, the bank, your online retailers, your doctor, your accountant, your HRIS vendor and pretty much everyone else you do business with.
If you outsource any HRIS needs (time and attendance, learning management, payroll integration, etc.) you need to make sure that vendor is doing all they should. They don’t just have your data… they have the data of every employee in your company and quite possibly the data of their dependents, beneficiaries and a whole host of other innocent people.
As a rule of thumb, a company should spend at least 10% of its IT budget on security. Everything I suggested you do above is the bare minimum a vendor should be doing. Ask to see their security policies, their incident response plan, their SAS 70 audit report (since superseded by the SSAE 16 / SOC reports). Ask to see everything. Then ask them how they know all of those policies are actually being followed.
For me, actions speak louder than words. Any company will have its employees sign an acceptable use policy and will claim to follow “best practices” around digital security. I like to see proof. How? You can:
1. Hire someone to perform a physical penetration test. In the past I have (about every six months) had someone walk into the office, pretend to be a computer technician, a new IT employee, whatever, and then work to gain access to computers, networks and other data stores. Give the tester written authorization from management to carry, so the exercise can be proven legitimate if they are challenged. It’s a great way to keep people on the alert.
2. Pay a company to perform a penetration test against your network (or, if you have staff with the right skills, perform it yourself). Do it once a quarter. Things change, and you need to make sure you haven’t accidentally opened a hole in your digital fortress.
3. Send out monthly security newsletters… it helps keep security on everyone’s mind.
4. Subscribe to security alerts from your anti-virus, anti-spyware and other security software vendors. They generally do a good job of getting in front of new attacks and keeping you aware of the latest schemes.
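One concrete way to catch the “accidentally opened a hole” case between quarterly tests is to keep the list of externally reachable ports from your last approved scan and diff each new scan against it. The script below is an added illustration, not code from the original post or from any vendor; it assumes you have scan results in the style of nmap’s grepable (`-oG`) output, and the scan lines embedded in it are constructed sample data (documentation-range addresses, no real hosts).

```python
"""Exposure drift: flag ports that are newly listening since the last approved scan.

Added example, not part of the original post. Assumes scan results in the
style of nmap grepable (-oG) output; the two scans below are constructed
sample data using RFC 5737 documentation addresses.
"""
import re

# Constructed sample: the baseline scan that was reviewed and approved last quarter.
BASELINE_SCAN = """\
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https///
Host: 203.0.113.11 ()  Ports: 25/open/tcp//smtp///, 443/open/tcp//https///
"""

# Constructed sample: this quarter's scan. Someone exposed RDP on .10, a new
# host .12 appeared with SQL Server listening, and SMTP on .11 was closed.
# The "filtered" SSH entry on .11 is not open and must not be flagged.
CURRENT_SCAN = """\
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.11 ()  Ports: 22/filtered/tcp//ssh///, 443/open/tcp//https///
Host: 203.0.113.12 ()  Ports: 1433/open/tcp//ms-sql-s///
"""

# One grepable port entry looks like "443/open/tcp//https///":
# port / state / protocol / (owner, empty) / service / ...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)")


def parse_grepable(text):
    """Return {host: {(port, proto, service), ...}} for ports reported open."""
    exposure = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        open_ports = set()
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":  # ignore closed/filtered entries
                open_ports.add((int(port), proto, service))
        exposure[host] = open_ports
    return exposure


def exposure_drift(baseline_text, current_text):
    """Compare two scans.

    Returns (opened, closed): sets of (host, port, proto, service) tuples that
    are newly listening (investigate these) or no longer listening (confirm
    the change was intended).
    """
    base = parse_grepable(baseline_text)
    cur = parse_grepable(current_text)
    opened, closed = set(), set()
    for host in set(base) | set(cur):
        before = base.get(host, set())
        after = cur.get(host, set())
        opened.update((host,) + p for p in after - before)
        closed.update((host,) + p for p in before - after)
    return opened, closed


if __name__ == "__main__":
    opened, closed = exposure_drift(BASELINE_SCAN, CURRENT_SCAN)
    for entry in sorted(opened):
        print("NEWLY OPEN  %s %d/%s (%s)" % entry)
    for entry in sorted(closed):
        print("now closed  %s %d/%s (%s)" % entry)
```

Run it against the embedded samples and it reports RDP on 203.0.113.10 and SQL Server on the new host 203.0.113.12 as newly open, and SMTP on 203.0.113.11 as closed; the filtered SSH port is ignored. In practice you would replace the two strings with the saved output of your last approved scan and the current one, and treat anything in `opened` as a finding until someone signs off on it.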
There will always be new and improved security threats. There’s not much you can do about that. What you can do is be aware, be ready and be on guard for what may be coming your way.