As you work to protect your data in this day and age of data breaches and regulatory compliance, technology and software solutions to data and database security spring to the top of most people's minds. This is to be expected because, after all, most of our data is stored on computers, so technology and software are required to protect the data from unauthorized access. This is a good thing: Technology is a crucial component of protecting your valuable business data. But it is not the only thing.
Usually I write about technology but the non-technology side of protecting data is equally important, if not more so. Planning, building, and enforcing a non-technology security policy is, of course, a colossal undertaking. What I want to do here is just to reinforce some of the non-technology things that technical folks like us still need to be aware of in order to protect our data.
First up, buy an industrial paper shredder and make sure your staff uses it. If you don't shred, you will expose yourself to a breach by dumpster divers. Business users should be shredding reports with sensitive data instead of just pitching them in the trash. And technical people may need to be doing the same. Even test data, if it was drawn from a production source (and not masked), can be sensitive, and programmers should not just be tossing their test results into the trash where anyone can come along and pluck out juicy morsels of data.
Next up, be aware of your environment. This is mostly for the travelers out there (and I am one of them). We fire up our laptops literally everywhere. When you do so at an airport (for example), are you aware of the people around you and whether they can see what is on your screen? A lot of sensitive data can be lost simply when the wrong person looks over the right person's shoulder. So huddle up in the corner, consider buying an anti-glare screen or something that makes it more difficult to read your screen, and never get so engrossed in what you are doing on that laptop that you ignore your immediate surroundings. If someone is staring at you, just close the screen and go work somewhere more private. (I know, that can be hard to do when you are on an airplane, but ...)
Be careful in how you dress. Okay, you might be thinking, what the heck is he getting at here? Well, a lot of us in the business world have shirts with our company logo on them. And we wear them proudly, as we should. But if you are wearing that shirt and using your PC, the person surreptitiously viewing your data can more easily place it in context if they know where you work. A lot of us even have those little property ID tags on our laptops. They were put there with the best of intentions - that is, if you lose your laptop, it can more readily find its way home. But they also work like logo shirts - they make it easier for the nefarious folks out there to put the data they peek at on your laptop into context. So cover up that tag when you are working on your laptop. And if you work for your company's security department, make sure those tags are put on the bottom of the laptop (where they can't be seen when the machine is in use) instead of on the top that flips up for all to see.
Of course, in the worst case scenario, if a hacker finds your stolen laptop, the tag tells them exactly where the laptop came from and they will adjust their interest level accordingly. I suppose if you were really worried you could just have an anonymous postal box listed for the return of lost equipment and not put your company name on the ID tag at all.
And what about your security badges? The ones you need to get into and out of your building? Do you wear them out to lunch? Someone intent on gaining access to the building to steal your data will be able to see what they look like ... and possibly make a cheap (or expensive) lookalike and then tailgate their way into your building. Company policy should state that you do not wear your access badge outside of the company at all - not over lunch, not out to the parking lot for a smoke, not on the way home. And, if possible, the badge should be completely blank with no company or personal identification (except maybe a photo) so that a lost badge would not help anyone who did not know where the employee worked.
Well, that is enough grousing about non-technology security stuff. Of course, there is a lot more that could be said, but I don't want to veer too far away from talking about technology and data here.