Poor network policies and practices
Introduction
Businesses often do not have robust, well-thought-out policies for reducing the risk of data loss by one method or another. This might be because the business has grown and it hasn't been a priority. It could be that the business has just never thought about the problem, or it might be because it doesn't have people with the right expertise to advise it.
Risk Assessments
Wise businesses are those that have regular Risk Assessments carried out by outside experts in the area of data security. A Risk Assessment identifies the different risks that can result in data loss in a particular company and advises the company what to do about them. A specialist Risk Assessment company will spend time with a business, looking at its policies and its practices. They will talk to employees and managers, look at the security measures in place and may carry out controlled probing of a system to test it. They will also look at the way that data security is managed, who has direct responsibility for security and how reviews and testing of systems take place.
Poor policies and practices in businesses
Many accidental data breaches occur because of poor training, poor policies and poor practices. It is the responsibility of the management of a business to put in place robust policies and to ensure good data practices. They must ensure that data security training and re-training occurs regularly, appropriate to each employee's needs.
Examples of poor practices by businesses:
- Allowing employees to save data on unencrypted USB flash drives and other storage devices.
- Not having policies and preventative measures in place to stop employees removing data from the place of business.
- Not ensuring strong password procedures and practices are in place.
- Not providing sufficient training and retraining to all employees.
- Businesses not having robust or regularly tested back-up and archiving procedures for all data to minimise data loss.
- Businesses not having procedures to ensure staff do not install third-party software, do not use the company hardware and software for private use and do not use personal cloud storage accounts for work.
- Employers not carrying out Risk Assessments on data security issues.
- Employers not making sure that named employees are responsible for areas of data security, policies and practices, and that named employees are responsible for reviewing and challenging data security policies and practices.
- Employers not taking sufficient steps to ensure that each employee has access only to the data they need to do their job.
Employees will always make mistakes. Companies that acknowledge this, carry out detailed Risk Assessments in advance, have robust policies and procedures in place and take data security training of employees seriously can minimise the impact when an accident happens.