The world’s gone to cloud, and that includes all your data. You have unprecedented access to so much information from almost everywhere you go, all because it’s all living somewhere in the technological “cloud.” Think about it:
Every time you post something on social media, it’s posting to the cloud.
Every time you access your financial accounts online, you’re accessing it in the cloud.
Every time you use a piece of web-based software during your day (whether for business or personal use), your using it in the cloud.
These are just a few pieces of your personal data that are floating around in this mass of 1’s and 0’s, ready to be found and used. It’s kind of scary to think about the kind of data that’s out there – whether we willingly put it there or not.
That’s why the companies that keep this data – software that we use every day – must take incredible measures that change almost constantly to ensure that it’s kept private and out of the hands of those who intend to use it nefariously.
As a company that keeps employee data in our systems for our customers, Journyx knows all too well what we must do to lock down that data (and you’ll want to keep these in mind as you evaluate any kind of software vendors for your company):
1. Complying with Worldwide Privacy Regulations
The European union has created the General Data Protection Regulation (GDPR). This regulation is based on the attitude that data about you should be your property, not the property of Google, Facebook, the NSA, or whoever one could allege is “spying” on us. This law provides a variety of suggestions about how to protect data and requires software companies to prove they’re complying. Sometimes the proof is more work than the actual protection, but that is the nature of all regulations.
2. Breach Notifications
Here in the United States, almost every state has a different regulation regarding how to notify individuals when personal data are leaked or stolen. It would be helpful if our 50 United States were more ‘united’ on this issue, and gave us just one regulation to deal with; but the basic idea in all these cases is to let people know quickly that their data is “in the wild” and exactly what data got away.
Most of these regulations tend to encourage firms to have checklists, so nothing is forgotten during emergencies or routine procedures, and to document what the procedures are and when and how you are doing them, with system generated (not handwritten or spreadsheet-based) reports to prove they’re being done. This has the effect of making your data security procedures more like a machine and less like an art. Which is generally a good thing.
A company that is serious about privacy and security will have a security team. This is where the work of protecting the firm from data loss goes on. With respect to data loss prevention, the purpose of this organization is to collect, monitor, and respond to all threat vectors that can result in data loss or other security hazards. The security team works on identity and access management, activity monitoring, threat detection, security event management and other operations, in a checklist-oriented, automated-where-possible manner.
3. Protecting the Chewy Center by Implementing Internal Firewalls
The way that Target was hacked and 100 million credit cards were stolen was through a 3rd party vendor – which was bad on many different levels. What happened after that, however, was Target’s internal issue. They didn’t have internal firewalls between different sections of the digital landscape of the company, which allowed hackers who entered through the automated global air-conditioning software to get into the cash register software and rob 100 million people. This is called the crunchy outside/chewy center problem – which means that firewalls on the outside, once breached, let you get in and steal anything you want.
So, responsible software companies create internal barriers to make this problem less likely. Anyone can get hacked. The NSA, the Federal Reserve Bank, the IRS, JP Morgan, and most Fortune 500 companies have been hacked in some significant way. Since anyone can get hacked, it is important to try to limit the damage once it happens. Hence the importance of an internal firewall.
4. Having Business Continuity Plans
Earthquakes, wildfires, tornadoes, floods. Wherever your firm is located there is almost certainly some kind of natural disaster that can cause you problems. Software companies must create plans for maintaining operations around sales, marketing, accounting, IT, cloud services, consulting and more that will survive such black swan events, and are often audited to ensure these plans are in place and being adhered to.
4.5 Maintaining a Vigilant, Risk-Averse Attitude and Company Culture
Software companies that truly care about your privacy and your data have systems, attitudes, and cultures that pervade the whole firm. Anyone you talk to in the company can tell you something about those procedures and attitudes, from sales to support to accounting, and that culture will show through. If any one person in the company sounds cavalier about these issues, then the culture is broken and that has very little chance of surviving even a weak hack attempt.
There’s a 99% chance that your company will use some sort of cloud-based software that houses sensitive information, so you can use this post as a guideline for evaluating their data security standards. In the meantime, stay safe out there!