Is A Remote Wipe Policy Good For Business?


It’s a dilemma that faces business managers every day.

When they bring in a new hire, somewhere in the midst of the paperwork is a clause about the internal Bring Your Own Device (BYOD) policy. It gives the company the right to remotely wipe a lost or stolen phone or tablet, or to wipe any company-related data at the moment an employee leaves.

But do people really understand the implications of what they are signing? Studies show the answer is no. Personal is personal; business is business. Yet when the two are co-mingled, the rules suddenly change.

As more organizations adopt BYOD policies and employees acquire a wide variety of smartphones and tablets for everyday use, stricter guidelines are needed to keep company data safe. Yet many employees worry equally about the personal data that invariably makes its way onto their devices.

Which is where the trouble begins.

As an organization, there are three basic reasons for wanting to remote wipe the contents of a mobile device:

  • The device is lost or stolen
  • The device belongs to an employee who quits or is fired
  • The device contains malware and security issues that are affecting the network

Time is imperative in all situations to keep the company data safe.

Yet when an employee highly values his or her personal data, they may delay telling the IT department of any trouble because they fear the consequences of losing all of their files. These delays cost businesses significantly.

In order to use remote wipes, three options are available.

1. Use your mobile provider

Every phone comes with a factory reset feature that will reset all user settings, delete all third party apps and return the device to its original factory settings. The cellular provider can explain the easiest way to execute this feature.

Most phones also have a feature that allows you to wipe your device even when it is no longer in your presence. If you have an iPhone, for example, you can register it with iCloud and use the Find My Phone app to wipe the device at any time. The key is enabling the feature before it is stolen or misplaced. Not the safest method, but it can be a good starting point to get employees to take ownership of mobile security.

2. Use encryption

IT can install an app that will contain and encrypt all data used for business in a special folder on the device. This can be useful because IT can access the container and make changes as they desire, while leaving the rest of the device content alone. This would give IT the option of wiping the entire contained section as needed, or in the case of an employee moving to a new department, delete and add new content based on requirements. This also provides an extra layer of protection as the device couldn’t be accessed without the proper authentication key in place.

3. Use outside software

There are many outside vendors that offer special programs to help IT manage data and devices, and in many cases these are bundled with other services to make remote access easier. For instance, Microsoft Exchange ActiveSync (EAS) has a feature that allows users to request a remote wipe that returns the device to factory condition. The downside of using systems like this is that the device has to be turned on and connected to the Internet in order for the wipe to run. This can leave the device at risk indefinitely.

No matter which policy is the right solution for your company’s data, the important thing is to keep your employees in the loop. If you stress you will never erase their personal data, they will be more likely to submit problems as they occur. If you stress how valuable the company’s data is, they will be more likely to take action.

What is your company’s remote-wipe policy?

Do Your Policies and Procedures Really Promote Better Security?


When was the last time you made changes to your security policy? When was the last time you considered how the procedures impact your business?

According to a survey conducted last year, 43 percent of businesses dealt with some type of data breach at some point during the previous twelve months. And with the number of threats out there in the world increasing every day, that number won’t shrink any time soon.

A security policy won’t prevent a data breach. But having strong policies and procedures in place will ensure that employees better understand how to prevent breaches, and what to do if one takes place.

While not having a policy in place is reckless, not reviewing it and updating it in a world that is constantly changing can be hazardous too. Security should always be evolving. If you are looking for ways to improve your security policy, consider these basic points.

Simplify

We’ve all been involved with organizations that choose to define every last detail. Even the simplest of concepts is written out and defined in binders of information. Yet keep in mind that the more content there is within your security policy, the less likely it will be read by the masses within your organization. Time is a commodity we have little of. A binder (or two or three) may satisfy a security audit, but it won’t do much to improve security within your business.

Relevancy

Does your security policy truly match the way your employees work? In many cases, those who write a security policy don’t take into account the way employees do their jobs. Today’s employees use their own devices on a day-to-day basis. Departments choose programs based on what they need to get things done. Cloud computing is at an all-time high, with more moving to cloud-based services all the time. If your policy assumes less than what is actually occurring within the organization, your data can be at risk.

Automate

Employees are more likely to adhere to policies when they become repetitious and automated by nature. If an email automatically flows through a central policy engine before being released to determine if it needs encryption, for example, you take the human factor out of the process.

Find your biggest threats

Many security policies clearly define how to handle external threats. Yet in many cases your biggest threat is no further than the office next door. No matter how many times an employee changes their password, or what apps they have installed on their smartphones, if an employee wants to do damage, they know where vulnerabilities lie and how to move around them quickly and efficiently.

Most IT professionals will list employees not following procedures as one of their biggest threats. Yet in many cases, they aren’t providing the proper policies and training to change the situation.

Policies need to be created around the way employees work. Clear training should then be provided to give employees a better understanding of expectations. It’s not something that occurs once when an employee is hired, especially in this fast-changing world. Technology has a short shelf life; to not recognize it and train accordingly on a regular basis is to increase your internal risks.

Any policy written two or more years ago and not reviewed since probably has significant holes in the process. If you haven’t reviewed your policy, or trained your employees accordingly in that time frame, your internal threats are very real.

3 Excuses Businesses Believe That Put Data At Risk … Do You?


Today’s best run companies are moving away from their “no” and “slow” policies on security, and are making better managed, more enhanced business decisions that support their efforts both in the present and in the near future. Security doesn’t have to be difficult, but it does take the mindset and the aptitude to learn to run it like a business, no matter how large or small your operation is.

Excuse #1 Security is a plug and play system

Every business, no matter how big or small, has a variety of risks associated with doing business.

Your data may be at risk when an employee surfs the Internet, visiting sites that allow viruses and other harmful programs to have instant access to computers.

Your client files may be at risk if they are not properly guarded.

Your documents and archives may be at risk if they are opened and used on unsecured programs and devices.

And that’s just the beginning.

Yet many businesses approach data security in a plug and play way. They purchase one off-the-shelf system and expect it to work for everything. They piece together a few inexpensive modules and expect it to offer full coverage.

Yet to be fully covered, you have to start by looking at where all of your risks exist, and choose programs and devices that leave you fully covered, internally and externally.

Excuse #2 Current security practices have worked well in the past

Most businesses have a hard time keeping up with the ever-changing world of security. Security challenges typically fall into three categories:

  • Complex, individualized threats
  • Increased regulatory pressures
  • Protection from ever-changing technology (mobile, social, cloud, etc)

Yet because each of these threats can change every day, it’s difficult for most businesses to develop strong policies to compensate for the risk. IT departments must deal with legacy systems and perform with lower budgets and smaller talent pools. There also tends to be a lack of visibility throughout the company into what information is truly critical and what it is worth, and different levels of management may not understand the difference.

As a result, many companies exist in reactionary mode, choosing new technology based on “coolness” rather than how it fits into the overall system.

Excuse #3 Security is one small department within the business

Especially for upper management, it’s easy to push aside security risks and allow the IT department to handle all aspects. IT security is often thought of as a black hole division – upper management may not truly understand the risks, and it’s even more difficult to demonstrate cost justifications for new and upgraded features.

Senior executives must be involved in the decision-making process of choosing security systems to take full responsibility for the risks of the business. We recommend a systematic approach from beginning to end, from the collection of data, to performance, to analysis. This should cover all aspects of the enterprise, including financial impact, vulnerabilities, asset management, incident and threat reporting, and full compliance information.

Reducing your security risk doesn’t have to be difficult, but it does take a well thought out plan. No matter how long your security plan has been on the back-burner, there’s no better time than today to change and bring it to the forefront of conversation.

What Is Data Encryption And Why Do You Need It?


Remember the last time you flew to another city for business; hectic, right? You waited in line to go through security, and once you reached the scanning equipment, the emptying process began. All electronic equipment must be pulled out of your bag. Shoes off. Belt off. Remove all liquids. The process went on and on.

You walked through and if you were lucky, you weren’t pulled aside for a second check.

Then the repacking and redressing process began.

What if your laptop wasn’t on the other side? What would you do? What would you lose?

We never think much about security … until we need it. All of a sudden, it’s all you can think of.

What about the files sitting on your desktop that have sensitive data in them? What about your emails? Is your tax information easily found in your document file? What about the spreadsheet with passwords from every system you access?

Dread can quickly fill you with despair.

That’s where encryption comes into play, and why it’s an important aspect of any business security system. Encryption is simply the process of changing information and making it unreadable by anyone except those that possess the “key” to change it back to its original, readable format.

Not every file on your computer is a candidate for encryption. There are two easy questions that can help you determine which files to encrypt:

If this file were in paper format, would I shred it before throwing it away?

If this information were leaked and posted online for the world to see, could there be serious consequences or could someone do something malicious with it?

Start with any kind of information that can uniquely be identified with you. Because thieves can quickly begin using personal information to steal your identity, anything that provides links to your personal data should be blocked:

  • Full name, including maiden name, mother’s maiden name, alias, etc
  • Social security number, passport number, driver’s license number, bank accounts, credit card numbers
  • Address information
  • Personal characteristics, including photographs, fingerprints, handwriting, voice signature
  • Any other linking information, such as date of birth, place of birth, weight, activities, employment information, medical information, education information and financial information

Then extend it to all business data that is sensitive and confidential by nature:

  • Any personal employee information, including employment records, reviews, etc
  • Any data that identifies customer information, from names and addresses, to credit card information
  • If you work in banking, finance, or health care, for instance, you’ll also be subject to regulatory standards for protecting customer information
  • Any trade secrets or intellectual property, such as research, product releases, patents, legal documents, financial reports, special projects, etc.
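
The automated email policy check mentioned earlier on this page and the lists above can be tied together in code. The following is an added example, not part of the original article: a minimal Python check that flags outgoing text containing two of the listed identifiers, assuming US-format Social Security numbers and Luhn-valid card numbers. All function names and sample messages are constructed for illustration.

```python
import re

# Assumed formats: US SSN written as AAA-GG-SSSS, card numbers of 13-19 digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the kinds of sensitive data found in text (empty list if none)."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            kinds.append("card")
            break
    return kinds


def outbound_action(subject: str, body: str) -> str:
    """Policy decision for one outgoing message: 'encrypt' or 'send'."""
    return "encrypt" if find_sensitive(subject + "\n" + body) else "send"


# Constructed sample messages; 4111 1111 1111 1111 is a well-known test number.
SAMPLES = [
    ("Lunch", "See you at 12:30 on 2024-05-01"),
    ("Payroll", "New hire SSN is 123-45-6789"),
    ("Invoice", "Charge card 4111 1111 1111 1111 today"),
    ("Order", "Order ref 1234 5678 9012 3456 shipped"),  # fails Luhn
]


def classify_samples() -> list:
    return [outbound_action(subject, body) for subject, body in SAMPLES]
```

The Luhn step is what keeps order references and other long digit runs from forcing encryption on every message; pattern matching alone would flag the last sample.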

Luckily, there are many systems available to help you make the encryption process easy. Use the Disk Utility program on a Mac, or choose an open source tool like VeraCrypt, 7-Zip, or GnuPG, all of which offer strong features for all systems. Make sure the files are safe not only on your laptop but also anywhere else they may be found, such as your backup files or the email you used to send a file to a teammate.