Wednesday, October 24, 2012

Risky Business: 5 Common Business Activities That Put Corporate Data at Risk

Most firms acknowledge that there is risk associated with the exposure of their confidential information.

This can be in the form of legal risk, if it relates to personal information, or competitive risk, in the case of commercial information, like trade secrets and client lists.

Most firms maintain security policies and procedures to mitigate these data security risks. These can range from requiring passwords on smartphones used outside the office to signing complex NDAs with third parties when confidential information is shared, as in an M&A transaction or a licensing deal.

However, while these measures provide some level of risk mitigation, many firms continue to engage in risky day-to-day business activities that can jeopardize these efforts.
For the most part, these risky activities are an afterthought, as they center on three necessary components of every business person’s day – email, third parties and being out of the office.
Your confidential information is at an increased risk of being exposed if you engage in even one of the following activities:

1. Send confidential or sensitive documents to third parties via email


2. Share confidential or sensitive documents with third parties for a limited time


3. Access confidential or sensitive documents outside of the office


4. Transport confidential or sensitive documents using zip drives or hard drives


5. Store confidential or sensitive documents on your own servers in your office

Below are a few examples of what can happen if just one confidential document gets emailed to the wrong person, or a firm relies on ‘traditional’ methods to deliver sensitive information.

Flash Drives

In November 2011, the personal information of current and former employees at Regions Financial Corp was compromised after a flash drive went missing. The flash drive, which contained information about thousands of 401k retirement plan participants, including their names and social security numbers, was mailed by an external auditor to another one of its offices. To make matters worse, the flash drive was put in the same envelope as the decryption code, and when the package arrived, the flash drive was gone.


Email

In September 2009, a California judge ordered Google to temporarily deactivate a Gmail account after a bank employee mistakenly sent sensitive data to the wrong recipient. When the employee realized his mistake, he immediately sent a second email, instructing the recipient to delete the email and attachment without opening it. When he got no response, the bank contacted Google to find out if the account was still active. However, Google would not disclose such information without a court order, so the bank had to sue Google to obtain the account holder’s name and contact information.


Accessing Data outside the Office


In August 2012, a software engineer for Motorola was sentenced to 4 years in prison for stealing trade secrets. The employee was stopped during a random security check at O’Hare International Airport in February and found to be carrying $31,000, along with hundreds of confidential Motorola documents stored on her laptop, four external hard drives, thumb drives and other devices. Prosecutors alleged that among the secrets she carried were descriptions of a walkie-talkie type feature on Motorola cellphones, which prosecutors argued would have benefited the Chinese military. 


These examples remind us that simple day-to-day activities could be putting your corporate data at risk, undoing the protection that security policies and procedures aim to provide.

Many firms are therefore implementing more secure document sharing methods, like virtual data rooms, to exchange information with clients and third parties.

A virtual data room is a cloud-based document repository used by business professionals to share confidential documents around M&A transactions, litigation, fundraising and government compliance. 

The administrator invites users into their online data room behind a secure login to review confidential documents. These documents are protected with 256-bit encryption and Digital Rights Management, allowing the administrator to control who can access certain documents and what they can do with them (e.g. view, print, or save). Administrators are also able to lock documents to an individual computer, or revoke access remotely, even after the document has been downloaded from the data room.

By using a virtual data room, the firm maintains complete control over how sensitive information is viewed, thereby mitigating the risk of it falling into the wrong hands. 
