An article on mitigating the effects of IT incidents is valuable to anyone who has already suffered the loss of data, whether through an internal incident or an external threat. Yet advice at that stage arrives late: there is already a victim, and the incident (or accident) has already happened. The damage is done, and its long-term effects will be felt by the organization for weeks, months or even years, especially if its brand is severely harmed. It takes considerable effort, funding and a strong PR campaign to reverse the public's negative perception of a firm that has been victimized by black hat hackers.
The usual risks come from inside the organization itself. Here are some common pitfalls:
Theft
The risk increases when employees carry laptops, USB drives and similar devices holding personal information. These items are easily lost or stolen, and without encryption a theft turns into a disclosure, because a third party gains access to the confidential data. Theft can of course also happen internally, especially with removable media.
Take-out rules that have become a mere formality
Many companies prohibit taking personal information off-site in order to prevent loss or theft. But if an employee who thinks "a little won't hurt" takes personal information out without permission, and further carelessness follows, it eventually leads to an unexpected security problem. Once the rule is treated as a mere formality, taking data out becomes a daily occurrence and the risk grows.
Loss and misplacement
This problem arises when media holding personal information, such as a laptop or USB drive, is taken off-site. Loss and misplacement can be prevented by prohibiting the removal of computers and recording media containing personal information, but even where such a prohibition exists it is often not strictly observed. You also need to consider how to reduce the risk when data must be taken out for business reasons.
Accidental data deletion
This is the case where important information such as personal data is deleted by mistake. Examples include discarding paper documents containing personal information together with other materials, and deleting data that was never backed up. Data on a shared server on the company network can also be deleted by someone else by mistake when access permissions were not set properly.
Misconfigured email server or web server
Incorrect settings on a server or website can leave personal information readable by third parties who should not be able to view it, and email mistakes can deliver a message containing personal information to the wrong party. Forgetting the attachment, or sending a message while it is still half-written, is merely careless; but attaching the wrong file that contains personal information, or mixing up Cc and Bcc so that every recipient's address is disclosed to all the others, are fatal mistakes, and they do happen.
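The email mistakes listed above are the kind that a simple pre-send check can catch. The script below is an added example, not code from the original article or from any product it mentions: it flags several unrelated external recipients in To/Cc (the Cc/Bcc mix-up), a body that mentions an attachment when none is present, an attachment whose name suggests personal data being sent outside the organization, and an empty subject or body (a message sent before it was finished). The internal domain, the attachment hint words and the file-name pattern are assumptions chosen for the example; the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Assumption for this example: the organization's own mail domain.
INTERNAL_DOMAIN = "example.com"
# Phrases that usually mean the sender intended to attach a file (assumption).
ATTACHMENT_HINTS = ("attached", "attachment", "enclosed", "see the file")
# Rough file-name indicator of personal data in an attachment (assumption).
PII_NAME_PATTERN = re.compile(
    r"(customer|personal|employee|member)[\w-]*\.(csv|xlsx|xls)$", re.I
)


@dataclass
class OutgoingMail:
    sender: str
    to: List[str]
    cc: List[str]
    bcc: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) != INTERNAL_DOMAIN


def check_outgoing(mail: OutgoingMail, max_visible_external_domains: int = 1) -> List[str]:
    """Return a list of warnings; an empty list means the message passes the pre-send check."""
    warnings = []
    visible = mail.to + mail.cc
    all_recipients = visible + mail.bcc

    # Cc/Bcc mix-up: external recipients from several different organizations
    # placed in To/Cc can all see each other's addresses.
    external_domains = {domain_of(a) for a in visible if is_external(a)}
    if len(external_domains) > max_visible_external_domains:
        warnings.append(
            f"{len(external_domains)} different external domains in To/Cc; "
            "unrelated recipients belong in Bcc"
        )

    # Body talks about an attachment, but nothing is attached.
    if any(h in mail.body.lower() for h in ATTACHMENT_HINTS) and not mail.attachments:
        warnings.append("body mentions an attachment but no file is attached")

    # An attachment that looks like personal data is addressed outside the organization.
    pii_files = [f for f in mail.attachments if PII_NAME_PATTERN.search(f)]
    if pii_files and any(is_external(a) for a in all_recipients):
        warnings.append(
            f"attachment(s) {pii_files} look like personal data and are addressed to external recipients"
        )

    # Half-written message sent too early.
    if not mail.subject.strip() or not mail.body.strip():
        warnings.append("subject or body is empty; the message may have been sent unfinished")

    return warnings


def sample_mails() -> List[OutgoingMail]:
    """Constructed sample messages for the demonstration (not real data)."""
    return [
        # Three unrelated external recipients in To, attachment promised but missing.
        OutgoingMail("alice@example.com", ["a@one.org", "b@two.org", "c@three.net"], [], [],
                     "Newsletter", "Please find the attached customer list."),
        # Internal-only report with an attachment present: nothing to flag.
        OutgoingMail("alice@example.com", ["bob@example.com"], [], [],
                     "Monthly report", "Report attached.", ["customer_list.csv"]),
        # Personal-data file going to a partner outside the organization.
        OutgoingMail("alice@example.com", ["partner@partner.org"], [], [],
                     "Data", "See the file.", ["employee-data.xlsx"]),
    ]


if __name__ == "__main__":
    for mail in sample_mails():
        print(mail.subject, "->", check_outgoing(mail) or "OK")
```

Such a check belongs at the mail gateway or as a client plug-in, where it can hold the message for confirmation rather than silently blocking it; the point is to turn the "confirm before sending" rule from something an overloaded employee must remember into something the system asks about.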
Internal crime / internal fraud
This is the case where insiders who handle personal information leak it with malicious intent.
IT policies that staff do not know about
When human errors occur because people in the field do not know the rules, the remedy is education that spreads the rules. Rules whose existence nobody knows about cannot protect anything.
First, clarify what must and must not be done in which circumstances, and make all relevant parties aware of the rules. It is also important to check regularly that employees are following them, so that the rules do not become a dead letter.
Confusing IT policies
However well the rules are communicated, mistakes cannot be completely prevented. If people know the rules and are willing to keep them but still cannot do their work in accordance with them, the problem may lie in the environment. For example, where the workload is so heavy that people must take work home, or where tasks must be finished in very little time, can rules such as "do not take data including personal information off-site" or "confirm before sending mail" realistically be kept? In such cases, reconsider whether the environment actually allows business to proceed according to the rules.
Even when people know the rules and the environment allows them to be kept, the rules may still go unobserved because of misunderstanding or low awareness among field staff: "this rule is meaningless", or "a small violation is fine". In such cases, provide security training when employees join the company and again after a certain period, explaining why each rule is necessary and what problems can arise if it is broken, so that employees understand the rules and are motivated to keep them.