Sunday, November 15, 2015

A Call of Digital Duty: Key Questions and Actions for Securing Your Own Files

Have you ever wondered about the value of a single document or digital asset to your work, your livelihood or even life? Maybe the file contains a contract or evidence to support a claim, a deed or last will and testament, an insurance policy, years of research, or a business plan. Perhaps interview notes from anonymous sources for an investigative article. Is the file worth protecting? Is it worth keeping confidential?

Stop Taking Security for Granted Because of Tech Convenience 
The marvels of technology make nearly every digital action we take more convenient. Yet, when it comes to security, “easier” can often mean lazier and an open door for attacks that could threaten your business. The same level of effort that went into creating your document or digital asset should also apply to how files are protected when they are stored, accessed and shared. And it’s not only a technical job. Time spent training users, changing behavior or bad habits, managing the process and monitoring compliance can fall on your shoulders.

A few years ago, TechRepublic ran a great article called “Chasing the elusive approval for an IT-security budget.” The piece talked about inherent and residual risks and how IT managers can make a business case to help non-tech management understand associated costs. The article also shed light on: “When is the cost of reducing risk more than the cost of having the risk occur?”

That reminds us that digital risks, consequences and occurrences apply not only to enterprise IT but also, more granularly, to individual files and to every file creator or collaborator. While tech security is vast and complex, the cost of reducing risk at the file level should never exceed the cost of having the risk occur. Part of the solution is finding a security-equipped application to protect your files. Part of that cost is making sure the application fits your workflow so that it actually gets used regularly.

What is your file worth?
The worth of the file, of course, is related to the information digitally encoded inside. As a file creator, your job should always be to make sure your work is stored, accessed and shared in the safest ways possible. Potential damages from a data leak or attack should keep you up at night. Lawsuits, stolen trade secrets, adverse effects on stock prices, broken client relationships, professional ethics infractions, missed business opportunities, infighting, a tarnished image and more are real consequences of negligence. Instead of considering the likelihood that these events will occur, anticipate that they will happen if you do nothing.

Given the consequences, consider whether the same protections should apply to all files. Ask yourself if every file is equally important and if you should treat them the same when saving, storing and sharing. The answer will be “no” unless you are creating the same document or form over and over with no variation.

To make that assessment for each file, or category of file type, ask yourself what would happen if that private information suddenly disappeared or became public. Based on your knowledge of what is inside the file, ask yourself:
• “What will people mentioned in the file (or related to the file) lose?”
• “What will I lose?”
• “What will we (those mentioned in the file, you and your organization) lose?”

In a similar way, consider what the price tag could be to remedy such a loss. Kaspersky Lab and B2B International recently issued a global study of more than 5,500 IT specialists that found attacks cost small businesses an average of $38,000 per incident in 2015. In addition to your billable rate and intellectual property, what costs might surface related to lawsuits, crisis planning, penalties and fines, repairing relationships, managing media relations, discounting products or services, or passing up business opportunities due to the distraction? You may not know exact costs, but you can surely get a feel for the low to exponential levels of effort required to right a mishap or catastrophe.

For files whose information carries a lot of value and exposure to risk, do not get lazy because you have never experienced an information security incident. After answering and acknowledging what will be lost and what it would cost to rectify, you need to understand how files are currently protected and what a more ideal, vigilant state looks like for their security.

Here are 10 basic questions to consider:

1. How are your important files saved (local, network or cloud) and what levels of security protect them (are backups, co-location hosting, virtual private servers and redundant hosting services available)?
2. What encryption methods are used when files are stored and accessed (AES with 128-, 192- or 256-bit keys, RSA and/or 3DES) and when they are sent in transit (TLS)? Who created the system and has it been third-party tested?
3. Do you have both personnel and technical solutions for managing secure file access?
4. How is security maintained as files are shared with people and by others?
5. What are password requirements and how often are password changes required?
6. What options are available for multi-factor authentication of invited file users?
7. What are document, network and cloud-level permissions?
8. What are administrators and users able to do with the file (read-only, saving, editing, deleting)?
9. If your cloud provider promises “convenience” features like file synchronization between a local device and cloud storage, what security precautions are in place if your device is lost, stolen or attacked? If they promise to wipe your data remotely, how does that really work?
10. How, when and where are your files retained and disposed of?

Whether you work for a small business or a multinational organization, maintaining vigilance for file security should be in everyone’s job description. At the file level—where you are a factor—the cost of reducing risks by taking precautions should be a fraction of the cost of having the risks occur.

Your Call of Duty
Ask your IT and legal departments about a process for securing files. As part of the process, watch out for tools that promise to automate or connect to everything or seem so complex that the user experience leaves you scratching your head.

Remember that a solution is only effective if it’s regularly applied. In addition to a policy and proper tools, do you have a checklist in place for users that includes key manual security measures for important documents? If answers are not within easy reach, you and your organization are at risk. If you don’t have an IT or legal resource and don’t have answers, then you have a bit of research to do.

There are plenty of experts and applications available to help, plus SANS Institute’s, Qualys’ and Kaspersky Lab's assessment and awareness resources with tools, tips and training. The good news is that you can improve your file security situation quickly and reduce your exposure by assuming greater accountability and following best practices.