Keeping information secure in the workplace
Today information is all around us and protection of workplace information is essential to companies large and small. Small and mid-sized firms are often vulnerable to attacks and data loss from both internal and external threats. The regulatory environment today places additional burdens on companies to comply with privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union or the recently enacted California Consumer Privacy Act of 2018. Breaches cost companies millions in fines and reputational loss.
Protecting office records and information can be daunting but a few tips can serve to reduce your risks considerably. These measures take a collaborative effort with your IT professionals but there are many precautions you can take in the office.
Identify and classify
The first steps in protecting office records and information involve determining what is to be protected. Your business may have information on customers, clients, contracts with other businesses, supply chain contacts and personnel records. Protection of intellectual property should be a high priority. An inventory of assets including their locations, contents and access should be conducted.
A second step is the classification of information. Classification of information need not be complex—the less complex the better. A simple classification scheme, such as confidential, internal and public would work to alert employees as to the importance and distribution of content.
• Confidential—Personnel information, protected health information, contracts, intellectual property, customer information
• Internal—Workplace policies, internal communications
• Public—Web pages, social media, job notices, publications
With classification in place, protective measures and policies for the protection of confidential information may be developed and applied, whether for paper or electronic information.
The workplace today faces a number of internal and external threats. One of the primary means of access to data is via the communication networks of the office. Email and the telephone are often the means of gaining access to workplace networks and information.
Email is used to try to induce users into taking an action such as clicking on a link or opening a malicious file. This technique is known as phishing. An email may be sent to all email addresses of a company in the hope that one recipient opens a malicious file, which injects code into the company's systems and gives access to an unauthorized external user.
Another way to access systems is to target specific users, such as human resources or accounting employees, with a specific action generally related to the business. This is known as spear phishing. An email seemingly from a reputable firm may arrive and a person may act upon the communication. The best method of preventing such attacks is training employees to only open emails from known sources. Use of personal email on company machines should be avoided. Often malicious code may come from personal emails used on office machines.
One vector of attacking office systems is via the telephone. Office workers have received calls from the “Microsoft Help Desk” allegedly wishing to help you solve an imaginary problem. What they are doing is called a “social hack” to gain control of your system. Hang up on any unknown person trying to induce you to take actions.
The best way to avoid such scams in the office is new employee orientation, continued training and communication. When threats are detected they should be reported to your IT department. Employees must be aware of current threats and lessons learned from past experiences.
Devices in the workplace
Today people bring cell phones and USB devices to work. Many workplaces have disabled USB ports to prevent theft of information. Cell phones may also be used to remove content from the office. Policies about use of such devices should be made and enforced.
Upon termination employees should not remove content such as addresses from office machines. Create an exit procedure to ensure that employees do not remove content.
What about paper records?
Some offices become complacent because they believe that paper records are more secure than electronic records. This is not necessarily true. Breaches may occur with paper records. Disposal of confidential paper records with cross-cut shredding, either in the office or via a shredding vendor, is essential. The vendor should perform the shredding on-site, avoiding the transfer of records that may be released in the event of an accident. Even the release of internal records may be embarrassing to businesses. Blank forms and checks should also be shredded. Recycle bins and dumpsters are where much confidential information is found.
Paper records containing confidential information should be under lock and key and when removed from secure storage they should be tracked. Not only should they be checked out but they should be tracked and retrieved after a period of time. If a file is not returned after a period of time, say 30 days, the owner or records officer should verify that the file exists and is to be held longer. Consider making the folders in loud colours for easy office identification.
One issue that has arisen is the use of personal cellular phones in the workplace. Today’s digital devices have cameras and it is too easy to photograph confidential documents. The best policies are for those working closely with the files to leave their devices out of the file rooms.
Information held in document management systems with passwords and permissions is secure. When users download and print to other systems the information becomes less secure. Printed copies not under control can be lost, put into recycle bins or taken out of the office. Orient employees to the pitfalls of printing or downloading to unauthorized devices. Taking confidential records out of the office, such as when working from home, should be prohibited. Users desiring to work from home should be required to do so through an approved virtual private network (VPN). Your information technology shop should have policies for enabling this practice. Content within systems remains secure and any method that duplicates or removes confidential information should be prohibited.
Transmitting confidential information
The most common way we transmit information in the workplace is via email, and office workers assume that email is secure. Email is not secure. Email is the primary target of hackers. Too often confidential information is sent to the wrong people or it is reshared by recipients. Once you send information to another person you lose control of that content.
The best way to transmit information using email is via a hypertext link to a secure repository. Confidential files should be viewed from the repository via a link rather than sent in an email. This will also prevent information hoarding which itself increases the risk of loss. Repositories may be controlled so that if the email were forwarded the recipient would not be able to view the content unless they had permission.
Sometimes older records are left in old shared storage or in abandoned filing cabinets and these can be sources of personally identifiable information. Years ago information was often used without regard to the use of credit card or social security numbers. These legacy records are found in old email accounts, shared storage or even on hard drives. Review older or abandoned content for personally identifiable information. Retention schedules applied to records will help remove older unneeded records.
Keeping records available and secure is about awareness: awareness of the content to be protected and of how the information is used. Policies and procedures with training are essential to create a culture of security awareness in the workplace.