When (If) we think about data security for our businesses we tend to believe if we have a firewall and antivirus in place we are protected . . . if this were only the case. There are so many other aspects of data security that we have to consider on a day-to-day basis. Here are a few of the most commonly overlooked areas of business data security.
Do you have a formal policy for cell phones? Is there a lock feature or PIN they must enter in order to access the phone? What is your action plan if they lose the phone or if it gets stolen? Can you remotely “wipe” the phone through your Exchange server? These are things that need to be considered if your employees are receiving company email or if they keep company and client contacts on their phone. There are many features in exchange 2007 and 2010 to assist with securing or protecting the mobile device. Also, if you have iPhones in your organization we would recommend using the password lock feature. The key is to have a formal procedure and to ensure your staff knows that management needs to be notified immediately if a device is lost or stolen.
Password Change Policy
How often are end users required to change their password? 30, 60, or 90 days? Ever? We recommend at least 90 days, but 30 or 60 is much better. One of the main reasons we encourage frequent password change is employee turnover. In the event an employee is terminated and they know someone else’s password within their organization there is a chance they can still access the network remotely using another end users credentials. It is simply a lot more practical to change passwords at regular intervals as opposed to each time an employee is terminated. One last note, always encourage your team to never share their credentials with other end users.
Do you allow remote access? Is it secure? Is it open for everyone? If you are like most businesses and remote access is allowed and encouraged from a productivity perspective it is best to keep access simple and manage what users can use the service. Another factor to consider is knowing what information they can access and pull off the network remotely. Remote access is necessary but you need to be sure you have a strong policy for managing it and ensuring the service can be turned off for users who are no longer with your company. We also recommend that you test your external IP addresses for any vulnerabilities.
We cannot express enough how each of these topics are not IT decisions, rather they are BUSINESS decisions. We do not need to tell you how important your data is to your business, but if you are not looking at security best practices on keeping sensitive data secure then you need to be. Take a look around your business and consider how many mobile devices are leaving the door each day with either data stored locally or with the ability to access the data remotely. Ask your team members if the data is secure and how it is secured. Make sure you are comfortable with the answer, if not then reach out and let us help.