Information security is about ensuring your information is properly protected and that your information systems function efficiently. The information security triad is built upon three principles: confidentiality, integrity and availability. Availability means ensuring data is ready for use by those who need it, which incorporates its recording and sharing. Data inevitably needs to be recorded for future reference and for processing. Often it will also need to be shared, frequently within your organisation, but also outside of your organisation, or even outside of the country. It is your responsibility to ensure that information is properly secured during these processes.
Information can either be created or downloaded online. The process by which you record information must be tightly regulated and safeguarded in order to protect it. When recording information, it is good practice to know where the master version and subsequent copies will be stored and who they will be passed on to.
Employees should not use unsupported or unauthorised software on work machines as it puts the security of your IT systems at risk of infection. Use of untested software may ultimately stop your systems from working. Unofficial downloads may be accompanied by malware, consequently compromising your systems. It is important to stress that downloading and using unlicensed software is illegal. There is no justification for doing so and you may find yourself and your organisation the subjects of legal prosecution. Many organisations require admin-authorisation in order to download software onto work machines.
Any information that employees record on paper should be disposed of properly and confidentially once it is no longer required. Any sensitive and confidential information should be shredded in order to prevent unauthorised access and uphold individuals’ data rights. Similarly, paper copies should not be left lying around on desks or in copiers, instead they should be filed securely and appropriately or properly disposed of.
If information is only needed temporarily, it can be recorded on display materials, such as whiteboards. But you must ensure that no private or confidential information is recorded as it can be readily accessed by unauthorised eyes. Information should be removed from displays immediately when no longer required.
Sometimes employees will be required to record information that has been discussed in conversation. This should be done as soon as possible, while it is still fresh in your memory in order to be as accurate as possible. It is important to use a private meeting room when discussing sensitive and confidential information to ensure you are not overheard. It should not be discussed with anyone who is not entitled to have access to the information for professional reasons.
Data may be shared with a variety of individuals, but most fall into one of the following categories: employees, customers, and the public. Data processors are organisations that process data on behalf of a data controller (the organisation that owns the data). When outsourcing data-processing to a third party, it is important to remember that the ultimate responsibility for the information remains with you, the data controller.
A commonly used means of sharing electronic information is via email. However, this comes with its own set of risks. Hackers may intercept emails sent over the internet. Emailing information also makes it very easy to attach the wrong set of recipients, therefore allowing unauthorised individuals access to the information within your email. In August 2015, the holiday firm and household name, Thompson, mistakenly sent the details of nearly 500 customers to the wrong mailing list. Details included name, address, contact details, flight number and holiday dates. This data breach resulted in many holiday makers cancelling their holidays for fear of being burgled. Phishing emails, a method of social engineering, are another noteworthy threat. Social engineering is where criminals trick people into giving away useful information. In phishing scams, criminals pose as genuine individuals/businesses and mislead you into disclosing important information. Solid information security training allows your staff to remain vigilant to social engineering scams. Emails may also contain malware, such as viruses, that infect your system if opened, rendering your whole IT system vulnerable to attack.
When sending private and confidential information over email you should ensure your email is encrypted. This means that without the key to decrypt it, the recipient will receive a nonsense document. This overcomes the dilemma of sending an email to the wrong recipients. You must be sure that any emails you open are from genuine individuals, if you receive an unexpected email from an unknown address you are best not to open the email and instead report it to your manager or to IT support. This is to avoid falling for social engineering scams and to prevent malware from entering your systems.
Whilst many aspects of business have become governed by technology, a substantial proportion of correspondence still occurs via post. Whilst it may sound obvious, before sending information by post, it is crucial to double check the address. Frequently, pages are picked up together from the printer and recipients acquire the first page of whatever has been printed next. If this information is confidential you could find yourself suffering disciplinary action for a data breach. Therefore, you must ensure you include only the information you intend to. When sending information that is particularly sensitive it is advisable to explore protected ways in which it can be sent. For example, you might consider sending it recorded or special delivery or even with a courier.
Why is it Important to Implement Good Practices for Recording and Sharing Information?
Effective information security allows you to optimise your data and feel confident that your security risks are under control. It protects not only your own interests, but also those of your customers and all other individuals/organisations that you hold information about. This protection allows customers and partners to have trust in you and safeguards your reputation. As well as vitally upholding your reputation, information security ensures that you meet your legal and regulatory responsibilities. Poor information security, on the other hand, may result in data losses, confidentiality breaches, legal action, hefty fines and putting the affected individuals at risk.