Printed from BusinessInsurance.com

How companies can protect data and other information

Posted On: May. 20, 2007 12:00 AM CST

When it comes to securing corporate laptops, BlackBerries and personal digital assistants, the weakest link can be the person using the electronic device, and the best line of defense against theft and hacking is strong company policy, experts say.

"One of the most important things is policy," said Sean McDermott, a New York-based manager of computer forensics with Aon Consulting. "The easiest and least expensive way to secure these devices is to have a written policy. If people know there can be a problem with security, they will try to avoid the problem."

Companies can control risks by regulating where and when an employee is allowed to use a device, or by applying automatic shut-off functions that trigger when an unauthorized person tries to gain access, experts say. Companies also can password-protect certain databases to track when information has been accessed and who has accessed it.

Awareness, however, is a top issue to address, say information technology risk management experts, who note that information security know-how is often lacking among employees who work on such devices outside the office.

"You really have to aim to change behaviors," said Paul Stamp, a principal analyst at Boston-based Forrester Research, a Cambridge, Mass.-based technology research firm. "Sometimes when you are dealing with sensitive information, you should know you shouldn't be doing that on a public network."

An effective and comprehensive IT security training program for employees is key, said Emily Q. Freeman, London-based executive director for Lockton Cos. Inc.'s technology risks professions division.

"You have to provide information for employees on where these devices can be used and where they can be stored," she said. "There has to be a line between permissive use and prohibitive use."

Peter Davis, principal at Peter Davis & Associates, a Toronto-based information security consulting firm, said companies can eliminate some of their risk by forbidding employees to conduct business on public wireless fidelity, or WiFi, networks.

Companies can ensure their employees work only on hacker-protected networks by providing them access to a so-called virtual private network, he said. The cost for setting up such a network can run from $200 up to hundreds of thousands of dollars, depending on the size of the company, he said.

Larger companies often need to hire full-time IT personnel to man a VPN, hence the inflated cost, Mr. Davis said.