It comes as no surprise to me that organization’s most sensitive and critical documents are still stored in unstructured files and documents that are commonly subject to data loss and leakages. The focus of IT security professional in most modern day organizations has been towards securing networks and databases while neglecting the most important aspects of information that resides in files and documents. Given the proliferation of smart phones and devices that are connected to the internet securing the information stored on such files are becoming of pivotal importance and any lapse can be detrimental for organizations information security policy.
Lately, many organizations knowingly or unknowingly have allowed their employees to be more productive by embracing apps, software’s and storage devices without giving a thought to the security of critical documents. Some common scenarios that I have come across recently are:
- Sending of official documents/files without encrypting or password protecting them using personal email accounts such as Gmail, Hotmail and Yahoo.
- Transfer of confidential data using USB, memory cards and external hard disks and in plain text format.
- Uploading of sensitive data on public storage services as Dropbox, one drive and Google for accessing on other internet connected devices.
- Sharing of folders on public networks with access permission set to “everyone”.
- Sending of confidential files and letters using communications apps such as Whatsapp, Viber, Tango and Skype.
- System administrators failing to understand the number of file sharing software’s being used on the system in workspace environment.
- Installing unverified software’s as protector against malware, spyware, Trojans and viruses.
In any organization controlling everyday sensitive files and documents is becoming more complex and difficult than securing databases. The primary reasons are firstly employers fail to deliver a safe working environment where productivity is not compromised and secondly employee’s fatalistic attitude towards data security. Given the recent rise in hacks and leakages of sensitive data like Panama papers and previous to that Snowden leakages that is still making news despite passing of almost three years since its revelations reminds the need of the hour for organizations to invest in information security control mechanisms. Organizations that want to stay in business and flourish in the information economy need to make critical considerations on:
- Controlling and limiting access to all important documents on any connected device and ensure files are encrypted.
- Adopting measures that prevents documents to be forwarded or shared maliciously.
- Removing access to documents once it’s no longer required.
- Control and handling of files and folders by limiting access on the foundation of need to know basis.
- Encrypting everything on any storage devices.