It is 2013, and time for a bit of tough love. Here are five data governance matters that need your attention as soon as possible.
1. Enough of the Unencrypted USB Keys. December 2012 ended with Human Resources and Skills Development Canada reporting that a USB key containing personal information of Canadians had gone missing. Just months before, Elections Ontario apparently lost USB keys containing unencrypted personal information of Ontarians. The use of unencrypted USB keys to store or transfer personal information or any confidential corporate information is the number one practice that organizations should address in 2013. The solution is not overly complex. Just stop it already! And, also make sure that subcontractors don’t use unencrypted USB devices when handling your data.
2. BYOD is Here to Stay; Stop Pretending Otherwise. Employees are coming to work with their own smart phones, laptops, tablets, and other devices. There is no point pretending that employees don’t have proprietary rights and privacy rights in these devices with heavy-handed and unworkable policies on their use. But turning a blind eye to the fact these devices may introduce security risks and can be used as unencrypted USB keys is also not an option. It is time to develop a workable policy. Be clear with employees regarding appropriate use. Audit compliance. If your organization is of sufficient size, it may be a wise investment to employ a “show me – don’t just tell me” policy. Invest in a video showing proper use of these devices and, perhaps more importantly, the cost and consequences of improper use. If it is a condition of BYOD that the organization be able to wipe the whole device remotely, consider illustrating what that is going to mean so that employees understand that they may lose data that they consider to be theirs and that is not backed-up.
5. Really, Why is “That” Confidential? Yes, yes, everything about the organization’s business is confidential. Except that half of it is on the corporate website or in public filings and everyone in the organization with a user ID has access to the other half of it. Okay, I’m being deliberately provocative. However, this one also falls in the category of “saying it doesn’t make it so”. If information is confidential, then there should be many contextual clues so that employees are re-sensitized to the need to protect the information. Limiting access, requiring higher levels of clearance and training, using watermarks to establish the custodian of the information, having properly labelled and locked shredding containers, all contribute to better information security practices by providing employees with contextual reminders of the importance of information security and confidentiality.