Five Best Practices to Secure End-User Data

Reading the title of this post, one question comes immediately to mind: Only five?

Even the top five best practices will barely scratch the surface in terms of the steps you should take to secure the business data stored on each end-user PC, laptop, and digital device. But given limited space and time, here are the five issues I’ve encountered most frequently and consider most important for an enterprise IT organization.

Know which end-users are using what types of data — and why. Of all the steps you can take to protect data at the end-user level, restricting data access to those who have a proven business need may be the most effective. Unless your enterprise already has a rigorous Data Loss Prevention (DLP) program, with all of the audits, inventories and cataloging/categorizing that involves, there's a good chance that at least some of your data resides in places where it shouldn't, including on end-user PCs and other devices.

Take a close, careful, and exhaustive look at your company's data resources, review how those resources are used, and above all determine exactly who is using the data. Once you have accomplished this, you can move on to the next step.

Create and enforce practical policies. It’s self-evident that digital technologies and tools have been the major business game-changers of our time. Less obvious but still evident is that most end-users know enough about these technologies to get themselves, and their employers, into deep trouble.

You need to make the point, frequently and forcefully, that no matter how much the PC on the employee’s desk (or the laptop in the briefcase) looks and works like the one they have at home, these are pieces of business equipment and must be used as such.

Making that point requires a clear and thorough employee usage policy, which may be the most important security document your company ever produces. Unfortunately, it may also be the most ignored and the most actively violated corporate policy.

That’s why your written technology usage policy needs to include clearly spelled out — and fairly enforced — penalties for violations, up to and including termination (or even prosecution for the most egregious offenses). You should also require every employee to sign a copy of the policy for your records. Employees should review the policy with a manager on at least a yearly basis, and it’s not a bad idea to have them re-sign and date the policy each time it's reviewed.

Keep control of workplace connectivity. The power and sophistication of smartphones, music players, and other consumer devices are only going to increase. Consider prohibiting the connection of any personal device to any enterprise device. This prohibition should extend all the way to battery charging.

Know what equipment is on your network, monitor it, and prohibit employees from connecting, even briefly and with the best of intentions, any outside device to your equipment. (You can soften the blow — which some employees will resent or resist — by creating a “Technology Suggestion Box” for employees to request the addition of specific devices or apps to the approved list.)

Run only approved Web browsers. The number of companies and organizations still running the vulnerability-ridden Internet Explorer 6 is only one example of the risk browsers present in the workplace. Decide which browser(s) your employees will be allowed to use on company equipment, insist that all browsers be fully patched and up-to-date, and prohibit or restrict the downloading of add-ons and gadgets, no matter how appealing the employees find them.

Working from home must be as secure as working in the office. If employees sometimes take their work home or work remotely using their own equipment, you should insist that they follow the same security rules and policies. Before permitting an employee's home to become an end-user location, for example, review the employee’s home networking setup, secure Internet access, and other software present on the devices that will be used. Also ask who besides the employee will have access to the device, ensure that anti-malware tools are in place, and require the use of encryption tools when appropriate.

Like I said at the beginning, five is an awfully small number when you think of just how many best practices should play a role in your end-user security plans.

But it's a start.

Keith Ferrell