We have many clients who go to great lengths to protect their data, from threats both external and internal. They’ve installed back-ups and back-ups to their back-ups to make sure that data is not lost by the fluctuation of an electrical current or due to an act of God. Their IT Departments are diligent about password protecting desktops, laptops, tablets and smartphones in case some nefarious person happens to gain access to the hardware.
There is, however, as far more common threat that does not rely for cover upon dark of night. Those threats are the technological mainstays that are flashdrives and Dropbox. Frequently used to enhance both productivity and collaboration, they can ensure an organization’s march toward the Mecca of zero downtime. But they conjure up the question, once posted to me as a child:
“If 7-11 is open 24 hours a day, 365 days per year, why do they have locks on their doors?”
When organizations come to us asking us to help them enforce a confidentiality agreement or restrictive covenant, sooner or later the conversation always turns to how they managed to keep their data secure. Frequently, the answer involves the careful locking of a door despite the absence of glass panes in the windows.
The fact is that more company data leaves the secure environment of the network on a permissive basis. There is often nothing prohibiting or limiting employees from taking files home or on vacation, thereby increasing the risk of loss. More often than not, the files are neither encrypted nor password protected.
The only way a company can eliminate this risk is to prevent anyone, including its most trusted and productive employees, from accessing data. The risk, however, can be limited by setting different authorization levels, automatically populating logs and generating reports of downloaded data – at least within a database or a particularly sensitive set of files. The use of applications such as Dropbox can be restricted and tracked.
Companies without security measures in place to restrict access to their data are asking for trouble. Equally as important, companies which fail to make their data migration policies known to and followed by everyone, are doing nothing more than incorporating failure into their process.
In order to be safe, both from theft and in the knowledge that a court will view your trade secrets as something you worked to keep safe, a company must bring its IT consultants into the fold and have them work with HR and/or its attorney to create and enforce policies and security measures that work. Giving IT a seat at the table doesn’t mean that the IT guys get their dream of 25 character passwords that change every two hours, but it does mean that you’ll plug the holes in the bottom of the boat.