A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.
This part discusses a specific type of data security breach that is, unfortunately, familiar to almost every organization – losing a laptop or mobile devices.
One of the earliest ways in which data was lost – and still one of the most common – is when a mobile device like a laptop, USB thumb drive, or smart phone goes missing. As companies increasingly embrace flexible work schedules and let employees determine when and where they will do their jobs, the data security risk if one of these devices is lost or stolen should be carefully examined. To address these risks, some companies have adopted policies that bar the use of a USB thumb drive or, at a minimum, require that the USB thumb drive be encrypted and password protected.
With respect to laptops, companies should ensure that they are password protected, the passwords are frequently rotated, and, if possible, that access to the company’s virtual site be subject to multi-factor authentication (e.g., a physical token with a constantly rotating numerical password or a second log-in requesting information that only an authorized user would know, etc.).
Some companies have decided to require employees to provide their own portable devices, commonly known as “bring your own device” policies. While such policies can result in significant cost savings for the company, from a security perspective, there are concerns. Companies should ensure that any personal devices used for work-related purposes contain either full-disk encryption or the ability to remote wipe the device.
TIP: Employees should be trained on good data security practices when connecting to public Wi-Fi networks. Using a virtual private network (VPN), which allows you to access the internet using a private network while on public Wi-Fi, can significantly decrease the risk that your data may be compromised.