There is a lot of talk at industry IT conferences, and I frequently hear the same answer to the proverbial question: “What is it that keeps you up at night?” Answer: SECURITY.
Most of us leap to the concern about ‘outside hacker’ breaches. But the times and conditions affecting security are undergoing ghostly and ghastly changes.
Can there be a stronger wake-up call than this massive SONY security breach? From what I am sensing, this is looking more and more like a blended ‘inside/outside job’. Horrific to digest, if proven to be true. It is always easy to place blame and focus upon outside ‘hacker attacks’, but the Darwinian evolution of criminal methods that motivate subterfuge and extortion is gaining traction. Working from the ‘inside’ is in the end a most productive criminal methodology (ref: also, Snowden). History in business, government, religion and crime teaches, time and time again, that infiltration can turn any organization into…well, a mess. It is my forecast that we will see ever more ‘insider’ infiltrations.
Oh the humanity!
So, here are 13 rules of the road ahead. (Some may charge me with fostering a ‘police state’ mentality…well, so be it, because without it you will be the one calling the police.)
1. Establish, follow and audit a records retention policy. So much – too much – is kept unnecessarily, and just because the records are old does not mean they are not embarrassing if disclosed, or not valuable to thieves.
2. Records retention and destruction should also be automated. Don’t rely on human governance. I KNOW it can be done better by a ‘machine’.
3. Only use digital file stores that can give you on-demand audited access reports.
4. Make it a practice to (very) frequently sort and analyze that ‘who accessed’ data. Learn exactly who is looking at what, and why. Look for patterns, high usage or high-volume activity.
5. Be suspicious of individuals ‘eager to help’ who seek access to systems not in their domain. Have a clear, documented policy as to who can access which systems.
6. Be excessively wary of staff hired on as ‘temporary’.
7. Don’t allow the use of ‘Freemium’ or ‘rogue’ document file stores. YOU must be in control of the password access.
8. Establish stringent permission controls over ‘storage domain’ access – who can see what? Who can re-transmit what?
9. Make it known, as published policy, that all e-mail is subject to review and will be checked. And, check it.
10. Install a ‘web-site’ visit monitoring and reporting system that shows management who is visiting which web sites.
11. Establish a clear policy specifying what software and apps are allowed on company IT equipment. Install an automated monitoring system that scans each system for violations.
12. Make it known that sharing of passwords is a punishable offense. Test it and enforce it.
13. Have an HR dismissal IT checklist procedure in place, to be followed, that enables a comprehensive, across-the-board shutdown of all access to all systems – and a method for doing so – swiftly.
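Rules 4 and 8 come down to reading the access report, not just collecting it. The script below is an added example (not from this post, and not any particular document store’s reporting tool) that runs two checks over a constructed audit log: users touching more distinct documents than a volume limit, and users pulling documents outside their own ‘storage domain’. The log format (timestamp, user, home domain, action, document path) and the `max_docs` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a document store's access audit log (not real data).
# Assumed format: timestamp user home-domain action document-path
ACCESS_LOG = """\
2014-12-01T09:02:11 alice hr view hr/benefits-2014.pdf
2014-12-01T09:05:40 alice hr view hr/payroll-nov.xlsx
2014-12-01T09:30:02 bob finance view finance/q3-forecast.xlsx
2014-12-01T10:12:55 carol ops view ops/runbook.docx
2014-12-01T10:13:01 carol ops download hr/employee-ssn-list.xlsx
2014-12-01T10:13:07 carol ops download hr/resident-contracts.pdf
2014-12-01T10:13:12 carol ops download finance/vendor-contracts.pdf
2014-12-01T10:13:20 carol ops download finance/bank-accounts.xlsx
2014-12-01T10:13:25 carol ops download ops/runbook.docx
2014-12-01T11:00:00 bob finance view finance/q4-budget.xlsx
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (view|download) (\S+)$")


def parse(log: str):
    """Yield (timestamp, user, domain, action, document) for well-formed lines."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()


def find_suspects(log: str, max_docs: int = 3):
    """Return {user: [reasons]} for volume (rule 4) and cross-domain (rule 8) hits."""
    docs = defaultdict(set)    # user -> distinct documents touched
    cross = defaultdict(set)   # user -> documents outside the user's home domain
    for _ts, user, domain, _action, doc in parse(log):
        docs[user].add(doc)
        if not doc.startswith(domain + "/"):
            cross[user].add(doc)
    findings = defaultdict(list)
    for user, seen in docs.items():
        if len(seen) > max_docs:
            findings[user].append(f"{len(seen)} distinct documents (limit {max_docs})")
        if cross[user]:
            findings[user].append(f"outside own domain: {sorted(cross[user])}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_suspects(ACCESS_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On this sample only carol is flagged: five distinct documents in under a minute, four of them in HR and finance rather than her own ops domain. Tune `max_docs` against your own baseline rather than keeping the assumed value.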
A specialty of mine is digital document management systems. So which one of you wants to be the first to be exposed as having had your resident files and HR files go missing or ‘stolen’ via the use of some ‘freemium’ or ‘rogue’ file storage system? I see a line forming. You may not think you are in that line, but if you allow the use of such systems…you are. In the technology world I live and work in, I am constantly amazed at the attitudes I encounter. I KNOW that you can EASILY audit every access, use and viewing of every digital document IF you control them. But if they are on some employee’s personal ‘free file store’, you have lost. Again, I am talking ‘insider’ here. It may not even be a purposeful criminal, but someone who decides to retaliate due to some perceived injustice or treatment. One bad moment…one click, and there you have it. The personal data of your residents, employees and business partner contracts, in all their glory, for all the world to behold. Yummy.
As always, I am here to help. Send me an e-mail at mike.radice46@gmail.com if you want to know my choices for digital document storage systems that will lower your exposure and risk. I have three in mind.
Mike