In protecting a business, it seems instinctual that one would set the alarm and lock the door when leaving. However, when it comes to valuable client information, an alarm system is not enough. Today, the greatest threat to a company’s security is already on the inside.
According to Deloitte’s annual security survey, the most significant risk to a company is its people. Whether through intentional acts or accidental ones, through human error or someone capitalizing on that error, many organizations are closer to a breach of network security than they know. This is part of a growing phenomenon known as social engineering: the art of exploiting human error in order to gain access to buildings, servers or data.
For professionals such as accountants and lawyers, the consequences of such a security breach can be devastating.
From sensitive financial documents to social insurance numbers to proprietary client information, all of this can be stolen in an instant, putting clients at risk and a company’s reputation on the line.
A walk past desks in an office may reveal several security violations. These include:
In a large office, these mistakes can be devastating because anyone can walk in, pretend to be a delivery person or a supervisor, and gain access to passwords and confidential data right off someone’s desk. Many of these risks can be easily avoided with proper precautions.
A common phrase in the IT industry is that “security is a moving target.” This is apt and, as such, your approach to mitigating the risks must also be ever evolving.
Security measures to protect your systems, your data and your clients’ data must be a layered approach, combining robust security technologies (properly suited and configured for your environment and kept up to date), strict policies governing your employees’ conduct and standard operating procedures, and continuing and structured education for staff regarding risk recognition and mitigation.
Some points to consider are as follows:
In order to determine the potential security issues in a workplace, consider performing a risk analysis. This will help to identify how effective the security measures are and whether employees are adhering to the policies and procedures in place.
This remains a challenging activity as technology changes so rapidly, but there are tools and methodologies that can assist IT professionals in minimizing risk to an acceptable level. The steps involved are:
To aid in identifying vulnerabilities, consider performing a penetration test, also known as ethical hacking, in which the network is attacked using known threats. Complement this by comparing internal documentation on operational or management controls in the area of IT security to known “best practices” (e.g. ISO 17799, now published as ISO/IEC 27002), and then comparing the actual practices against the company’s documented processes.
When considering the security of an office, it is imperative not only to prevent unauthorized people from physically entering the building but also to ensure that the data and systems inside are protected from intruders.
Neglecting to do this will not only put the security of sensitive client or company information at risk, it could ultimately compromise the company’s reputation.
Lawyers Weekly, 4/20/12 Douglas W. Grosfield, Cambridge, Ont.