Hi! Managers: Importance of securing information


Protecting confidential information is a key part of your company's competitive advantage. With the proliferation of critical information in digital format, the risks of a security breach have increased, both to companies and individuals. We've all seen media reports highlighting a leak of customer personal information like ID numbers, account data, credit-card information, addresses, etc. The resulting identity theft can be devastating to the individual, and both embarrassing and costly to the company where the leak occurred.

Confidential information is not only restricted to customer or employee personal information, though that is important. It also applies to intellectual property that generates the tactical and strategic competitive advantage. This element is less visible. Many companies will not want to communicate to the public or to their customers that elements of their competitive advantage have been compromised. Sometimes, they may not even know it until it's too late.

At a high level, consider a three-step information security process:

The first step is to define confidential information: what specifically is important for your company? Customer and employee personal information certainly requires a high level of security. Beyond that, the company also needs to assess its intellectual property, perhaps grading it by levels of sensitivity. Intellectual property may apply to both tactical and strategic timeframes and is usually defined as areas that relate to product and technology roadmaps. Perhaps there are trade secrets in how the product is processed, or design features that will generate patents. Those are strategic elements. Tactical elements around price, demand or cost can also be highly confidential information. Bottom line, the first step is to define the information the company wants to protect.

In the second step, the company will need to define which people or groups should have access to which information. This can be a complicated task for a couple of reasons, especially if elements of confidential material relate to the tactical execution of the company. Many groups will need to review and provide input on the customer demand profile, supply availability or cost rollups. That includes the external supply chain. The company needs to carefully control what information flows to suppliers, balancing their need to meet supply dynamics with the company's need to protect its strategy and tactics. Often, companies will jointly sign non-disclosure agreements in which both parties agree not to share the other's confidential information.

Strategic information, such as new product roadmaps, can be easier to control because fewer people are involved. It is still critical to explicitly define who should have access to certain information, and this list needs to be reviewed periodically. Employees rotate into new positions, and they may not need to know the information in their new position.

Once the confidential information list and authorised users are defined, the third step is to set up the IT infrastructure to control the access and delivery. The infrastructure generally consists of two key elements: enterprise or endpoint security and mobile device security.

Enterprise systems secure the connection between the company's internal network and the outside world. A firewall blocks access to the company's network by hackers, malware and viruses. Encryption is used to communicate between users on the network. The servers on the system are also "hardened," which means access to specific information is restricted to the list of authorised users for that information only.

Controlling the security of mobile devices like laptops is also critical. Employees travel and they work outside the traditional office. Laptops or mobile devices with confidential content can pose a significant risk. For that reason, many companies require encrypted hard drives on their laptops. Password or software-based encryption does provide some protection. The most complete approach is to encrypt the data directly on the hard drive, which is frequently referred to as FDE, full disk encryption. In this case, the encryption is not controlled by the laptop operating system; it is controlled directly on the hard drive, where the operating system (and hackers) cannot access it. Even if the drive is removed and placed in another computer, the data will not be accessible.

Protecting confidential information makes business sense. Decide which data is confidential for your company. Define who should have access to it. And set up your IT infrastructure to control access, both at the enterprise and laptop level.

Jeffrey D Nygaard is vice president and country manager, Seagate Technology. Follow his article every fourth Monday of the month.






(c) 2007 www.nationmultimedia.com Thailand