Determining Your Risks
The first step is a high-level risk evaluation. During this evaluation you should ask:
· What types of devices are your employees using (e.g. computing, storage, smart devices) for work activities? Where are they being used? What security controls are in place where they are used?
· How many of the devices are owned by the business and how many are owned by its employees? How can information be removed from employee-owned devices? (This is especially important when employees no longer work for your business.)
· What devices is your business using to collect data, and what kind of data?
· What types of devices are being used to store information for your business?
· What mobile apps are being used? Once you know this: What information are they collecting? Who’s this information shared with? Who has access to all your business’ data?
· What type of training and awareness have you set up for your employees? Are there any confidentiality contracts in place?
Once you’ve worked through this list, go back over each answer and look for the specific risks and gaps it reveals; the list is a starting point, not the whole evaluation.
Create and Document Security and Privacy Policies and Procedures
With knowledge of your risks at hand, it’s time to establish documented security and privacy policies so you can mitigate the risks you’ve identified to an acceptable level. Giving your employees clear rules for the different types of technology they use has a major, positive impact on your business. However, you must go beyond writing policies and also document the procedures that put them into practice.
One thing to remember here is that if your policies and procedures aren’t documented, you can’t expect employees to know they exist or to follow them consistently. This is why you must take the time to write down the following types of policies and procedures:
· Non-disclosure and confidentiality agreements should be signed by every employee when they start working for you.
· Processes for retrieving or removing business data from all of an employee’s computing devices once they no longer work for your company. This should include reviewing with them that they are under a legal obligation not to use the data for other purposes, and what they must do with any information they had access to while working for you. Reviewing these legal obligations with them before the end of their last day can save everyone a lot of time and trouble later.
· Information about what types of technology employees are and are not permitted to use while at work.
· Policies regarding where business information (e.g. information about customers, employees, patients; personal information) can and can’t be posted, shared, stored, etc.
· Requirements outlining how employees who use their own devices, in any location, must be trained to protect everyone’s security and privacy.
Identify Tools to Support the Policies and Procedures
Tools support your policies in two ways: they enforce the rules where people might not, and they produce evidence that the rules are actually being followed. No single tool does this on its own; a firewall, for example, does not prevent all malware, so you will need a combination. Common categories include:
· Encryption for all types of data, including data at rest, data in transit, and data at the point where you collect it
· Logging tools that record who accessed, changed, or shared the business, customer, employee, and patient data you hold, and when
· Remote wipe tools that can remove data from devices used by ex-employees or that have been lost or stolen
· Firewalls and anti-malware tools for all the devices your business uses
· Periodic privacy impact assessments (PIAs), risk assessments, and audits, which are processes rather than products but belong on the same list
Train Employees to Meet Your Requirements
Unless you take the time to train your employees in what to do, they won’t know what you expect of them. Not just any training will do. It must be effective, which means it must be more than simply handing them a document to sign.
Send Occasional Reminders to Continue Encouraging Awareness
As time passes after training, employees will start thinking less and less about how to secure your customers’ information and protect their privacy. This is why you must continually and frequently remind your employees about taking steps to protect your customers.
Always Monitor Compliance
Creating rules for using computing devices and managing business data isn’t enough. You must also make sure that the rules you’ve put in place are effective. Publishing the rules and then assuming they are being followed never works, because there will always be some people who don’t understand, don’t notice, or choose not to follow them. Others will forget the rules or simply make mistakes. Any of these will eventually result in incidents and breaches of your business’ information. To keep this from getting out of hand, you must monitor how effectively your policies and procedures are followed throughout your business.
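One practical way to monitor compliance is to keep an inventory of people and devices and check it against the policies from the earlier sections automatically: NDAs on file, training still current, disk encryption and remote wipe enabled, only approved apps handling business data, and business data removed from every device a former employee used (employee-owned ones included) within the offboarding deadline. The following script is an added example, not code from the original article. The record fields, the approved-app list, the 365-day training refresher, and the 7-day offboarding deadline are assumptions chosen for illustration, and the inventory records are constructed sample data, not real devices or people.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy parameters (not from the article; substitute your own policy's values)
APPROVED_APPS = {"mail", "calendar", "crm", "vpn"}   # assumption: the business's approved-app list
MAX_DAYS_SINCE_TRAINING = 365                        # assumption: annual awareness refresher
MAX_DAYS_TO_REMOVE_DATA_AFTER_EXIT = 7               # assumption: offboarding deadline in days


@dataclass
class Employee:
    name: str
    nda_signed: bool                  # non-disclosure / confidentiality agreement on file
    last_training: Optional[date]     # date of last security and privacy training, None if never
    employment_ended: Optional[date]  # None while still employed


@dataclass
class Device:
    device_id: str
    owner: str                        # employee name
    business_owned: bool              # False means the employee owns the device (BYOD)
    disk_encrypted: bool              # data-at-rest control
    remote_wipe_enrolled: bool        # can be wiped if lost, stolen, or when the employee leaves
    installed_apps: frozenset         # apps on the device that handle business data
    business_data_removed: bool       # set once the offboarding wipe/removal is confirmed


def check_employee(emp: Employee, today: date) -> list:
    """Return policy findings for one employee (an empty list means compliant)."""
    findings = []
    if not emp.nda_signed:
        findings.append("no signed NDA/confidentiality agreement on file")
    if emp.last_training is None:
        findings.append("never completed security and privacy training")
    elif (today - emp.last_training).days > MAX_DAYS_SINCE_TRAINING:
        findings.append("training refresher overdue")
    return findings


def check_device(dev: Device, emp: Employee, today: date) -> list:
    """Return policy findings for one device, taking its owner's employment status into account."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    if not dev.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    unapproved = dev.installed_apps - APPROVED_APPS
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(sorted(unapproved)))
    # Offboarding: business data must be removed from every device a leaver used,
    # employee-owned devices included, within the deadline.
    if emp.employment_ended is not None and not dev.business_data_removed:
        days_since_exit = (today - emp.employment_ended).days
        status = "overdue" if days_since_exit > MAX_DAYS_TO_REMOVE_DATA_AFTER_EXIT else "pending"
        kind = "business-owned" if dev.business_owned else "employee-owned"
        findings.append(
            f"business data still on {kind} device of former employee ({status}, {days_since_exit} days)"
        )
    return findings


def compliance_report(employees, devices, today):
    """Evaluate every employee and device; return ({subject: [findings]}, summary counts)."""
    by_name = {e.name: e for e in employees}
    report = {}
    for emp in employees:
        report["employee:" + emp.name] = check_employee(emp, today)
    for dev in devices:
        report["device:" + dev.device_id] = check_device(dev, by_name[dev.owner], today)
    summary = {
        "subjects": len(report),
        "noncompliant": sum(1 for f in report.values() if f),
        "findings": sum(len(f) for f in report.values()),
    }
    return report, summary


# Constructed sample inventory for the example (not real people or devices)
TODAY = date(2024, 6, 1)
EMPLOYEES = [
    Employee("alice", nda_signed=True, last_training=date(2024, 1, 15), employment_ended=None),
    Employee("bob", nda_signed=True, last_training=date(2022, 11, 3), employment_ended=None),
    Employee("carol", nda_signed=False, last_training=None, employment_ended=date(2024, 5, 10)),
]
DEVICES = [
    Device("LT-001", "alice", True, True, True, frozenset({"mail", "crm", "vpn"}), False),
    Device("PH-007", "bob", False, True, False, frozenset({"mail", "filesharer"}), False),
    Device("PH-012", "carol", False, False, True, frozenset({"mail"}), False),
]

if __name__ == "__main__":
    report, summary = compliance_report(EMPLOYEES, DEVICES, TODAY)
    for subject, findings in report.items():
        print(subject, "OK" if not findings else "; ".join(findings))
    print(summary)
```

Run on the sample inventory, the report flags bob's overdue training, carol's missing NDA and training, bob's phone (no remote wipe, an unapproved app), and carol's employee-owned phone, which is unencrypted and still holds business data 22 days after she left. The point is not the specific checks, which should mirror your own policies, but that each policy statement has a corresponding check that runs on a schedule and produces a list someone is responsible for clearing.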