Data Security

Follow any of the major news organization in the world and you will most likely hear information about how some company released customer data or had a security breach where information was stolen. Regardless of their size, all companies have information that needs to remain private. This sensitive data could prove embarrassing or even costly to corporations if leaked or stolen. How do corporations know that the individuals that are responsible for guarding the data aren't a risk themselves? Background checks, in depth investigations and random screenings of employees may be necessary for corporations to ensure the safety of confidential data from leaking into the wrong hands. Safeguarding company data involves setting up roadblocks, both for in-house employees and possible outside threats. In order to protect this information companies need to institute checks and balances for both internal and external sources that access the data. Publicly traded corporations in the United States are legally responsible for ensuring that the access and management of sensitive financial data, customer health and payment information is protected. Congress has enacted recent legislation such as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 to help govern data security and customer or patient information. Research has shown that that many companies do not have clearly defined security policies governing the handling of sensitive information, putting them at risk for a potential data breach. For companies that have invested in the creation of policies, communication to employees to ensure awareness and appreciation of security practices and the enforcement and compliance of these policies is often inadequate. Corporations must take a proactive approach to ensure that sensitive data is secured, that the guardians of the data are trained on maintaining and monitoring proper access and they institute compliance to safeguard customers and shareholders.

Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide.(Mark, 2008) Over the past several years, there have been many reports of data breaches at some of the largest corporations in the world. Insider threats have resulted in the theft and release of customer information in numerous cases. While security policies pertaining to employees are essential, it is equally important for companies to address security issues that are transparent to most employees. It is critical for companies to define and enforce policies dealing with the storing and destruction of data. Inadequate security practices can have serious consequences for a company. In addition to the potential loss of customer or sensitive corporate data, companies will see increases in theft of equipment, business disruptions and operational expenses. More often than not, companies will see a decrease in productivity any time a security incident occurs. Even though these risks are evident, Information Technology professionals struggle to implement and enforce standard security policies. Lack of direction by senior staff members, unproductive training measures and unrealistic process can leave employees confused or frustrated which in turn leads to bypassing or simply ignoring security procedures to accomplish defined objectives. It is commonplace that the lack of communication about a company's security practices begins during a new hire orientation or as part of the onboarding process. Many companies attempt to discuss their acceptable use policies but education about the seriousness of maintaining confidentiality with company and customer data may not be reinforced.

The practice of disseminating policies and procedures is as important as the creation of the policies themselves. The best written policy and most well thought out procedures will have negligible effect decreasing security risks if employees aren't properly trained or don't comply. At one time, simple communication efforts might have been enough to communicate the importance of security policies. Evidence of this can be found in an InfoWorld article published in November, 2001 that explains that distribution of policies can be done successfully via email or by simply including them in a new-hire packet for the employees to read. (Andress, 2001) Increased threats and the proliferation of Internet access make it a necessity to increase awareness of defined policies and practices concerning the security of information. After security policies have been created and communicated to employees, it is critical that policies are applied consistently. During the creation of the policies, keep in mind that the more difficult a policy is to adhere to, the more likely it will not be followed. Additionally, introducing a large number of policies or policies that are difficult to comply with can be confusing and unmanageable. Companies can achieve a higher level of compliance by creating realistic and practical policies that are aligned to existing business processes that employees are familiar with. By extending or modifying existing practices, employees can work in a similar fashion to what they are accustomed to, lowering the risk of non-compliance. Simultaneously, creating policies that align to job requirements that target a specific audience makes compliance easier without sacrificing job quality. By tailoring policies to a smaller audience, language translation and specific examples can be provided to make a higher level of observance possible. Safeguarding company data involves setting up roadblocks, both for in-house employees and possible outside threats. Companies can enrich the safety of their data by moving away from complying solely with existing laws or regulations and instead creating a culture of integrity and responsibility. Company culture should foster a concern for not only the law but also place an emphasis on employee responsibility for expected behaviors. (Culnan & Williams, 2009) The use of contract resources to extend staff requires companies to take additional measures to prevent unauthorized access to sensitive data. Companies must make is clear to their vendors that they are expected to comply with pre-sales evaluation processes and should be contractually obligated to allow ad hoc and annual security assessments by internal audit teams or independent security consultants.

The most commonly perceived sources of a data breach are inadvertent data loss and intended data theft by legitimate personnel.("Protect Data," 2008) In many instances, a resentful ex-employee is a larger threat to a company's security than a foreign source may be. Employee violations of security practices are most often due to negligence or ignorance of defined security

...