Have you ever wondered about the value of a single document
or digital asset to your work, your livelihood or even life? Maybe the file
contains a contract or evidence to support a claim, a deed or last will and testament, an insurance
policy, years of research, or a business plan. Perhaps interview notes from anonymous
sources for an investigative article. Is the file worth protecting? Is it worth keeping confidential?
The marvels of technology make nearly every digital action
we take more convenient. Yet, when it comes to security, “easier” can often
mean lazier and an open door for attacks that could threaten your business. The
same level of effort that went into creating your document or digital asset should
also apply to how files are protected when they are stored, accessed and shared. And it’s not only a technical job. Time spent training users, changing behavior or bad habits, managing the process and monitoring compliance can fall on your shoulders.
A few years ago, TechRepublic ran a great article called “Chasing the elusive approval for an IT-security budget.” The piece talked about inherent and residual risks and how IT managers can make a business case to help non-tech management understand associated costs. The article also shed light on: “When is the cost of reducing risk more than the cost of having the risk occur?”
That reminds us about how digital risks, consequences
and occurrences apply not only to enterprise IT but also more granularly to files
and to every file creator or collaborator. While tech security is vast and
complex, the cost of reducing risk at the file level should
never exceed the cost of having the risk occur. Part of the solution is finding a
security-equipped application to protect your files. And part of that cost
lies in seeing how that application can complement your workflow and get used regularly.
What is your file worth?
The worth of the file, of course, is related to the
information digitally encoded inside. As a file creator, your job should always
be to make sure your work is stored, accessed and shared in the safest ways
possible. Potential damages from a data leak or attack should keep you up at
night. Lawsuits, stolen trade secrets, adverse effects on stock prices, broken
client relationships, professional ethics infractions, missed business
opportunities, infighting, a tarnished image and more are real consequences
from negligence. Instead of considering the likelihood that these events will
occur, anticipate that they will happen if you do nothing.
Given the consequences, consider whether the same protections should apply to all files. Ask yourself if every file is equally important and if you should treat them the same when saving, storing and sharing. The answer will be “no” unless you are creating the same document or form over and over with no variation.
To make that assessment for each file, or category of file type, ask yourself what would happen if that private information suddenly disappeared or became public. Based on your knowledge of what is inside the file, ask yourself:
- “What will people mentioned in the file (or related to the file) lose?”
- “What will I lose?”
- “What will we (those mentioned in the file, you and your organization) lose?”
In a similar way, consider what the price tag could be to
remedy such a loss. Kaspersky Lab and B2B International recently issued a global study of more than 5,500 IT specialists that found attacks cost small businesses an average of $38,000 per incident in 2015. In addition to your billable rate and intellectual
property, what costs might surface related to lawsuits, crisis planning, penalties
and fines, repairing relationships, managing media relations, discounting
products or services, or passing up business opportunities due to the
distraction? You may not know exact costs but can surely get a feeling for low
to exponential levels of effort toward righting a mishap or catastrophe.
Here are 10 basic questions to consider:
1. How are your important files saved (local, network or
cloud) and what levels of security protect them (are backup, co-location
hosting, virtual private servers and redundant hosting services available)?
2. What encryption methods are used (AES with 128-, 192- or 256-bit keys, RSA and/or 3DES) when files are accessed and stored, and sent in
transit (TLS)? Who created the system and has it been third-party tested?
3. Do you have both personnel and technical solutions for
managing secure file access?

5. What are password requirements and how often are password changes required?
6. What options are available for multi-factor authentication
of invited file users?
7. What are document, network and cloud-level permissions?
8. What are administrators and users able to do with the file (read-only, saving, editing, deleting)?
9. If your cloud provider promises “convenience” features like file synchronization between a local device and cloud storage, what security precautions are in place if your device is lost, stolen or attacked? If they promise to wipe your data remotely, how does that really work?
10. How, when and where are your files retained and
disposed?
Whether you work for a small business or multinational
organization, maintaining vigilance for file security should be in everyone’s job
description. At the file level—where you are a factor—the
costs of reducing risks by taking precautions should be a fraction of the cost
of having the risks occur.
Your Call of Duty
Ask your IT and legal departments about a process for securing
files. As part of the process, watch out for tools that promise to automate or connect to everything or seem so complex that the user experience leaves you scratching your head.
Remember that a solution is only effective if it's regularly applied. In addition to a policy and proper tools, do you have a checklist in place for users that includes key manual security measures for important documents? If answers are not within easy reach, you and your organization are at risk. If you don’t have an IT or legal resource and don’t have answers, then you have a bit of research to do.
There are plenty of experts and applications available to help, plus SANS Institute’s, Qualys’ and Kaspersky Lab's assessment and awareness resources with tools, tips and training. The good news is that you can improve your file security situation quickly and reduce your exposure by assuming greater accountability and following best practices.