Every business collects and stores information on their customers. It is the responsibility of each business to protect this information from being released into the wild and accessed by those not authorised to access it.

Some examples:

• Business names, ABN, contact details, key people and authorised contacts
• Bank details for direct debit, credit card information for automatic payments
• Username/passwords for logins to web sales or customer portals
• Medical history or financial details
• Blueprints, plans, or even security codes to customer premises
• Name and address details of protected persons

A breach of even the most basic information needs to be reported and your customers advised so that they can take precautions to protect themselves. Many people use the same password in many places and that could put them at risk. Personal information such as date of birth and address details can be enough for identity theft.

Also, the businesses commercial information that has been generated over many years needs to be protected too.

• Price books
• Internal and external forms and terms and conditions
• Standard processes, practices and guides
• Designs and prototypes
• Customer lists and existing contract information
• Secret herbs and spices

These should be safeguarded to avoid intellectual property theft that could erode your competitive advantage.

Therefore it is important to take measures to protect this information as best you can, weighing up the risk and value of this information.

What can you do about it?

1. Make yourself aware of the information that you hold and consider the protections you can place on it to protect it from physical or digital access
2. Be aware of what to do in the event of a breach, and what your legal requirements are: https://www.oaic.gov.au/privacy/data-breaches/
3. Label and classify your data if possible to protect the most important information that poses the greatest risk to you and your customers, and proactively implement Data Loss Prevention with different technology suites depending on what is available and where your data is stored.

You may already have some of the technology available in your current environment that just needs some configuration to get it working. It is also something that needs consideration as to how much to spend to protect yourself to make sure you don’t spend more on the prevention than what an actual loss impact might be. You may find you simply need to change what information you collect to reduce the risk, are you collecting information that you don’t really need, but which puts you and your clients at great risk.

Some low hanging fruit:

• Turning off some remote desktop settings
• Blocking the use of USB drives
• Block external sharing on SharePoint
• Enable file system auditing to detect and alert on mass file copies.

Some technologies that are around that can help:

Microsoft Office 365 data loss prevention: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide

Fortigate Data Leak Prevention: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46641

Sophos DLP: https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosdlpdsna.pdf

Mimecast DLP: https://www.mimecast.com/content/data-leak-prevention/

Trend Micro DLP: https://www.trendmicro.com/en_au/business/products/user-protection/sps/endpoint/integrated-data-loss-prevention.html

An interesting extra benefit many of these tools allow is putting keywords or blocked words into the policy to block bad language before it leaves the organisation.

Reach out MIACOR IT to discuss any concerns you have, as the first step is to have a conversation about what information you have.