As we said before, this is the information age and data is the life blood of the company and the supply chain that powers it. The financial chain is powered by data. Encrypted bits over secure channels control the flow of currency. The physical flow of goods is dictated by data. The people controlling the goods and finances communicate through data packets. And losing any of this data is a serious damnation. Not just because data is lost but because, as per our technological damnation post on data loss,
- lost intellectual property data is a loss of competitive advantage,
- intrusions that result in lost or stolen data are hard to trace, and
- even if the intrusions are traced, loss is hard to recover.
Moreover, even if an organization wants to prevent data loss, it requires
- very powerful, expensive, digital vaults and
- loads of security training, awareness, review, and enforcement.
So what can an organization do?
First of all, figure out what data is needed, and, of that data, what data needs to be protected. Not all data is critical, and not all is even needed, and the amount of data that needs to be encrypted is typically much less than the entire kit & caboodle. While many organizations do not protect enough data, especially considering the amount of data that should be protected under privacy laws, those that take data protection seriously protect too much. They take a military approach and everything is protected until reviewed and released.
The only data elements that should be protected are
- personal data
- (raw) financial data (even if the company is public)
- true trade secrets (proprietary designs, upcoming marketing plans, etc.)
Bids for commodities or lanes are not trade secret, or all that private. Most carriers give the same bids out over and over again, and some even on public platforms like FreightOS. Purchases might seem trade secret, but the reality is that if the components are imported, the import data is public. Sales can be figured out from public records too. Sales and marketing plans become public the minute they are implemented. Designs become public the minute they are patented. Even though encryption can theoretically be applied to all data, the reality is that once data leaves the secure server, there’s no way to keep it secure. So what do you do?
1. Identify the subset of data that truly has to be secure.
All employee and personal data. Raw financials. Designs under creation. But not public bids, designs that have been patented, or processed financials for public release.
2. Identify the systems necessary to process that data.
And find web-based systems that allow for all parties that need access to the data to access it through the system over the ‘Net. Make sure the data never has to leave the system for the parties that need it to do their jobs and then make sure that only senior administrators or officers of the company can actually export that data. Make sure the systems support distributed real-time failover to backup instances so that they are always available.
3. Make sure all access to data that needs to be secure is logged.
There should be complete audit trails, replicated to external back-ups accessible only by bonded administrators and senior directors of the company.
4. Make sure all of the data is backed up externally using the highest level of encryption available.
It’s not just the audit logs that need to be stored off site, it is the critical data as well. While one site might be taken offline, and even compromised, the chances of multiple geographically remote sites being taken offline or destroyed simultaneously are slim to none.
5. Make sure all exported data is watermarked.
Using embedded and hidden watermark algorithms. It’s easy to embed watermarks in most document formats, and while it’s also possible for hackers to remove them from non-image files, it’s not easy and if no one knows the watermark is there …
While even the strongest encryption can be theoretically hacked, and any exports stolen, if the right infrastructure is set up, the risk of data theft is small and the risk of complete data loss almost zero. But one has to carefully plan and set up the right infrastructure, or just like a middle aged man, the organization may find it’s hair today, gone tomorrow.