By Dr. Guy Bunker @guybunker
In the article “3 ways you can prevent your employees from leaking data” the advice is good:
- Implement a policy
- Train and educate employees
- Utilise a technology solution
But... it’s probably a little too high level and not informative enough to be of practical use, especially as the 2nd suggestion ‘Train and educate employees’ is light and slightly out of date, since:
- Many organisations will be thinking about the implications of the [proposed] new European General Data Protection Regulation, which will increase the financial penalties to 5% of worldwide revenues or €100 million.
- In addition, Gartner has accepted that GRC has matured beyond foundational solutions, such as enterprise and IT GRC platforms, to focus more on purpose-built applications that can easily integrate with the GRC systems of record [1].
- Organisations that are determined to implement a BYOD/COPE strategy should ensure, before the GRC implications are assessed, that BYOD eligibility is limited to only those devices that can be verified to meet all specific regulatory and internal security requirements [2].
Read on for the first of the three stages of advice, each broken into five simple steps, which you could implement today.
[1] Hype Cycle for Governance, Risk and Compliance Technologies, 2014, July 2014, G00263380, John A. Wheeler
[2] BYOD Will Fail to Meet Expectations, August 2014, G00263145, Kevin Knox, Bryan Taylor
1. Implement a policy
A policy? Unfortunately, as with most things to do with security, it will take more than one; there is no silver bullet. Here are some you might want to consider (over and above those you hopefully already have):
- Acceptable usage policy – part 1: This has traditionally covered use of the web and email; it should now also cover social media and cloud collaboration applications.
- Acceptable usage policy – part 2: This needs to cover the use and communication of information. It will need to cover items which are confidential and private (such as HR records), sensitive information (such as that from customers) and intellectual property (product designs, etc.). All of this can be classed as ‘critical information’, but it is useful to make the distinction.
- Device Use: What devices can people use to view company critical information, where and how? For example, can they use an Internet Café? With BYOD, what happens to the company data when they leave?
- Security Event Policy: If an employee thinks they are being phished, who do they call? What if there is an inadvertent data leak, or a malicious attack?
- Security applications / updates: This is particularly required for BYOD, but applies to corporate devices as well. In essence, if there is an update, it should be applied. People should not switch off anti-virus or other required security applications, and should keep their virus definitions up to date.