- Information should be classified. This can be done in one of two ways: manually, by the author; or dynamically, according to content- and context-aware policies established by the company. Advanced information protection solutions can classify information as it is created (documents, spreadsheets, presentations, etc.) or as it is sent (messages and email). In practice the two are combined: the author's label is treated as a floor, and automatic policy is allowed to raise it but never to lower it;
- Information should be protected. Quite simply, the best way to protect information is to encrypt it. There are many "flavors" of encryption, applied at different layers (full-disk encryption on the drive, TLS in transit on the network, etc.). The emerging consensus, however, is that instead of encrypting only the physical media on which the information might be stored or the channel it crosses, you should encrypt the information itself, so that it is protected regardless of where it is. If it's on a laptop drive, it's encrypted. If it's in transit across the network, it's encrypted. If it's in a cloud-based drive, it's encrypted. If it's on a USB key hanging around someone's neck, it's encrypted. That means the information is persistently protected, whether it is inside or outside the network boundary. The caveat is that data-centric encryption moves the problem to key management: whoever can obtain the decryption key can read the data, so the keys, not the ciphertext, become the thing to guard, and releasing them has to be tied to the access rules in the next point;
- Information should be accessed on a "need-to-know" basis. Users should be assigned appropriate security clearances, and access to data should be granted according to both the user's need-to-know, derived from their job role, and the classification of the data itself. Hence, enterprises should enforce separation of duties and least privilege, so that employees cannot view, obtain or download sensitive information they have no business reason to access.
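The three points above are one pipeline: classify the data, encrypt the data itself with its label bound to the ciphertext, and release the key only to a reader whose clearance and need-to-know cover that label. The following is an added example that is not code from the original article; every name in it (`classify`, `seal`, `unseal`, `may_access`, `KeyService`, the `LEVELS` ladder, the card/SSN/keyword/department rules, the `PCI` and `HR` compartments) is an assumption made for illustration. It uses only the Python standard library, so the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; the sample text is constructed, and the Visa number in it is the well-known test number, not a live card.

```python
"""Classify, encrypt the data itself, then release it only on need-to-know.
Added example (not from the original article); Python standard library only.
The HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC tag is a stand-in
for a real AEAD: in production use AES-GCM or ChaCha20-Poly1305 from a vetted
library, and keep the data key in a KMS/HSM rather than in a Python object."""
import hashlib, hmac, json, os, re
from dataclasses import dataclass

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]  # ordered low -> high

# ---- 1. Classification: manual label, or content/context-aware policy ----
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # payment-card-like digit runs
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN shape (illustrative)

def luhn_ok(digits):
    # Luhn checksum, so an arbitrary 16-digit run is not flagged as a card number
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text, author_label=None, context=None):
    """Return (level, compartments). The author's manual label is a floor;
    content/context rules (assumed policy, not the article's) can only raise it."""
    found = {"PUBLIC": set()}
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
        found["RESTRICTED"] = {"PCI"}
    if SSN_RE.search(text):
        found["CONFIDENTIAL"] = {"HR"}
    if re.search(r"\bconfidential\b", text, re.I):
        found.setdefault("CONFIDENTIAL", set())
    if (context or {}).get("department") == "Finance":  # context-aware rule
        found.setdefault("INTERNAL", set())
    if author_label in LEVELS:
        found.setdefault(author_label, set())
    return max(found, key=LEVELS.index), set().union(*found.values())

# ---- 2. Protection: encrypt the information itself, with its label bound on ----
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _header(label):
    h = json.dumps(label, sort_keys=True).encode()
    return len(h).to_bytes(4, "big") + h  # length prefix keeps the MAC input unambiguous

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext, label):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _header(label) + nonce + ct, hashlib.sha256).digest()
    return {"label": label, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    msg = _header(blob["label"]) + blob["nonce"] + blob["ct"]
    if not hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), blob["tag"]):
        raise ValueError("ciphertext or classification label was tampered with")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))

# ---- 3. Access: clearance dominates the level, need-to-know covers compartments ----
@dataclass
class User:
    name: str
    clearance: str
    need_to_know: set

def may_access(user, label):
    return (LEVELS.index(user.clearance) >= LEVELS.index(label["level"])
            and set(label["compartments"]) <= user.need_to_know)

class KeyService:
    """Holds the data key and releases plaintext only after the need-to-know check.
    The label travels with the ciphertext, so a reader who edits it to a lower
    level passes may_access() but then fails tag verification in unseal()."""
    def __init__(self):
        self._key = os.urandom(32)

    def protect(self, text, **ctx):
        level, comps = classify(text, **ctx)
        return seal(self._key, text.encode(), {"level": level, "compartments": sorted(comps)})

    def read(self, user, blob):
        if not may_access(user, blob["label"]):
            raise PermissionError(f"{user.name}: no need-to-know for {blob['label']}")
        return unseal(self._key, blob).decode()
```

Two design points are worth noticing. The classification label is authenticated together with the ciphertext rather than stored in a separate database column, so wherever the blob travels (laptop, cloud drive, USB key) the label cannot be quietly downgraded to widen who may read it. And the decryption key never leaves `KeyService`: the need-to-know decision and the key release are the same step, which is what turns "encrypt the information itself" into an access control rather than just a storage format. The regexes are deliberately simple; a real DLP engine uses many more detectors, but the floor-and-raise merging of manual and automatic labels is the part that carries over.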
In a nutshell, information breaches can happen (and probably have happened) to every enterprise. Organizations that understand the risks and are well prepared for such eventualities will succeed in reducing these threats and, where possible, preventing them.