Security Step 5: Secure Your Sensitive Data
The security and integrity of your data is of paramount importance, as practices typically hold large amounts of confidential and sensitive information about clients. Not only do you have an ethical responsibility to protect this information, but often a legal responsibility as well. So what are some things you can do to meet these obligations?
Data in Motion
When handling sensitive information within a web browser, always make sure the address starts with “https,” which indicates a secured connection. Data transmitted over a properly secured connection is encrypted, which prevents an attacker from reading or tampering with the information sent. Most browsers will highlight the address bar in green or show a closed lock to indicate that the connection is secure.
Beware of websites that may have misconfigured or outdated security. Avoid using any website that the browser flags as having an untrusted certificate, as the site or the connection may be compromised. For example, the browser might display a message stating “The site’s security certificate is not trusted” or “There is a problem with this website’s security certificate.”
Data at Rest
Data stored on your computer or a network storage device also needs to be secured. Most modern operating systems support “whole drive” or “whole disk” encryption. Once enabled, you can be comfortable knowing that if your computer is ever lost or stolen, the data stored on it cannot be accessed by anyone else. To get started using whole drive encryption, search for “BitLocker” from the Start Menu on Windows Professional, or FileVault on Mac OS X.
For data that is backed up off your computer, or that needs to be transmitted to other parties, file encryption is a must. Applications such as SecureZIP and OpenPGP implementations like Gpg4win (Windows) can secure your own data for storage, as well as ensure protected communication with third parties.
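A round trip of the file-encryption step described above, added here as an example that is not part of the original article: it assumes GnuPG 2.1 or later is installed as `gpg`, and the client file and passphrase it uses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt a client file with
# OpenPGP symmetric encryption before backing it up or sending it onward,
# then confirm the ciphertext exposes nothing and decrypts back intact.
# Assumes GnuPG 2.1+ is installed as "gpg"; file contents and passphrase are constructed.
set -eu

# Encrypt FILE -> FILE.gpg with AES-256 using the passphrase stored in PASSFILE.
# --pinentry-mode loopback lets gpg read the passphrase without a GUI prompt.
encrypt_file() {
    file=$1; passfile=$2
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --symmetric --cipher-algo AES256 \
        --output "$file.gpg" "$file"
}

# Decrypt ENCFILE -> OUT using the same passphrase file.
decrypt_file() {
    encfile=$1; passfile=$2; out=$3
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --output "$out" --decrypt "$encfile"
}

# Returns 0 when FILE still contains the cleartext MARKER (encryption did not
# happen or was skipped), 1 otherwise. Use it as a sanity check before upload.
ciphertext_leaks_marker() {
    grep -q "$2" "$1"
}

# Full round trip inside an isolated temp directory; returns 0 on success.
demo_round_trip() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"   # throwaway keyring
    printf 'Client: Example Co.\nAccount: 0000-0000 (constructed sample)\n' > "$work/client.txt"
    printf 'correct horse battery staple\n' > "$work/pass.txt"   # constructed demo passphrase
    chmod 600 "$work/pass.txt"
    encrypt_file "$work/client.txt" "$work/pass.txt"
    if ciphertext_leaks_marker "$work/client.txt.gpg" "Example Co."; then
        echo "ciphertext still contains cleartext" >&2; return 1
    fi
    decrypt_file "$work/client.txt.gpg" "$work/pass.txt" "$work/restored.txt"
    cmp -s "$work/client.txt" "$work/restored.txt"   # identical after the round trip?
}

if command -v gpg >/dev/null 2>&1; then
    demo_round_trip && echo "round trip OK: client.txt.gpg is safe to back up or send"
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Only the `.gpg` file should ever leave your computer; the passphrase (or, for third parties, their public key) is what the recipient needs to open it.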
Data in the Cloud
Confidential information stored in cloud services, whether for archival or operating purposes, must usually meet requirements imposed by industry governing bodies. PCI in the payments space, and HIPAA for healthcare data, mandate minimum encryption standards for data that is processed or stored. These standards often require ongoing audits by external parties to ensure continuing compliance. When in doubt about the ways a service provider protects your confidential information, always ask for their security practices and certifications.
Through this series of security tips, we have examined several steps you can take to secure the cyber assets in your office. From your network to your passwords, systems, and data, your firm should now be on a stronger security footing. Unfortunately, security is not a one-time event. Technology changes and new threats continue to emerge, but the practices discussed in this series continue to apply. As your office changes over time, keep your asset inventory up-to-date, and use the steps of this series as a simple checklist for maintaining the security of your practice.