Digital security: Don’t leave the key under the mat
There’s no magic bullet when it comes to protecting your data, it’s about finding the right balance between security and convenience. You should view security more as a risk to be managed than a problem to be solved.
It would be really convenient to leave your house keys in the front door so they’re always there when you need them, but the security risk is just too great. At the other end of the spectrum, it would be safer to lock your house keys in a vault at night rather than leaving them on the kitchen bench, but that’s just too much of an inconvenience.
Apart from the hassle, vaults are expensive and locking away your house keys obviously doesn’t guarantee you’ll never be burgled.
You obviously need to choose the right level of security for your home to address the likelihood and potential consequences of uninvited guests. The same goes for your precious data.
The risk scenarios involving your family photos are very different to those involving your business records. If you’re dealing with sensitive customer data, particularly financial details, then this adds a new layer of risks and consequences.
If you operate in the financial sector there are clear rules about handling data with which you should be familiar. The Australian Prudential Regulation Authority (APRA) is a good place to start.
Of course you don’t need to be a bank to require data security and every business would have some documents that it wouldn’t want to fall into the wrong hands. Your industry association is usually a good source of information for data security advice relevant to your circumstances.
Government resources such as business.gov.au and staysmartonline.gov.au can also make a good starting point.
It’s easy to make kneejerk security decisions, especially if you’ve experienced a security incident, but the key to managing security as with any IT project is to start by assessing your requirements.
If your house was burgled tonight you wouldn’t rush out tomorrow and put bars on all the windows, especially if the thieves broke down the back door rather than smashing a window.
That might sound like commonsense, but it’s exactly the kind of expensive and ineffective digital security mistake you can make if you rush into a security overhaul.
You need to play devil’s advocate as part of a risk assessment. What are the greatest digital security threats to your organisation? Where are you most vulnerable? Where are the single points of failure, the easiest ways to cripple the business?
Once you’ve identified and assessed the threats, both large and small, you need to weigh up the risks. What’s the likelihood of these vulnerabilities being exploited? What are the potential consequences? Are you focusing all your efforts on firewalls and antivirus, but leaving the office back door unlocked and passwords written on post-it notes for any late-night intruder to find?
This security conversation should involve key staff members and the providers/maintainers of your IT systems, which may well be outsiders if you’re a small business. You need good answers to all these questions before you decide on a solution or implement anything.
The best solutions tend to involve layers of security and once you understand the risks you’ll be able to evaluate how much time, effort and money you should allocate to addressing them. You also need to regularly reassess your risks and countermeasures.
Keep in mind that digital security is only one area of risk and it’s important to do a full business risk analysis to weigh up all the potential threats to your business. When considering the risk scenarios for your data, you need to think about local, mobile and online threats.
If you’ve spread sensitive data across multiple computers, network drives and removable storage then the process of managing and securing that data becomes far more complicated. If some of those devices regularly walk out the front door then you’ve got a new range of security concerns to address, catering for damage, loss and theft.
You might backup your data to protect against loss, but once you’re storing backup copies elsewhere then your security concerns multiply.
Offering appropriate staff secure access to a central point might be a more manageable way to work with sensitive data than spreading it around the organisation. If that data is online then you need to consider who requires access to it and whether you need to implement extra security precautions such as two-factor login authentication.
You’ll also want to think about data encryption and who will manage those encryption keys. Some business-grade online storage services let you specify your own encryption key, so even they can’t read your data. The trade-off is that if you lose that encryption key then your data is lost forever.
You’ll also need to keep a secure offline backup of your sensitive online data in case the cloud lets you down.
There’s no one-size-fits-all digital security system and making bad choices can actually make things worse by giving you a false sense of security. Rather than jumping at shadows, start by shining a little light on the situation and assessing the biggest risks to your business.