Information is one of the most important assets that a company has. Without it, it is impossible to work because if you cannot contact your suppliers, you cannot access your client portfolio, or your website is not accessible, you may have a severe problem.
It is essential to keep information safe and prevent anyone who should not access, modify or even destroy it. Another fundamental aspect is to have the information well catalogued so that it is easy to find it and filter who can have access to it.
Like everything, information also has a life cycle, and regardless of the medium, it is on, sooner or later, it will have to be eliminated. For this reason, it is essential to know how to destroy the information when it has already fulfilled its function or is at the end of its life cycle.
Table of Contents
Considerations for protecting information
Remember always to have these considerations when managing your company information.
Information access control
Guarantee that only authorized persons can access information, applying the principle of least privilege and establishing who can access each type of information.
Catalogue the information
It is essential to keep the information well catalogued according to its criticality so that it is easy to identify what character it is and apply the necessary measures. For example, it can be catalogued into three levels:
- Confidential information, only accessible to authorized persons. They can be the case of information on projects, payroll, etc.
- Information for internal use, accessible to all members of the company. This can be the employee email directory, phone book, schedules, general operating procedures, etc.
- Public information, accessible to everyone. This may be the one that is intended to be displayed on the company’s web portal.
Protecting confidential information using encryption tools prevents an unauthorized person from reading the report. When transmitting data, it must also be applied to avoid possible leaks during transmission or victims of a man-in-the-middle attack.
In the case of using laptops, mobile phones or external storage media, more should be considered if possible; since in case of loss or theft, if the information is encrypted, it will not be accessible by a third party.
To avoid any information loss, it is essential to have a backup policy. These should be done periodically and stored in a safe place. Thus, in a cybersecurity incident, such as a ransomware attack, the backups would be secure and could be restored.
Destruction of information
Information that is not useful for the company must be appropriately destroyed. What is not helpful for our company could be a rival company or involve an information leak.
Awareness is essential to maintain information security. It is necessary that all organisation members are alert and trained to manage information, identify threats and know how to react in the event of a security incident.
These measures must be reviewed and updated to ensure that the information and the company are always protected.