9 Don’t Forget the Real World

The person stealing your hardware is probably more interested in the resale value of the computer itself than in your information.  That doesn’t help if you suddenly have no server or desktop computer.  The concerns of an IT person – “oh good, the law firm has a backup” – are different from the lawyer’s: “oh good, we have a backup, but I’ve still just lost a copy of all of my confidential information”.

Servers should be in locked rooms and kept cool.  Don’t place them under a water source that could soak them, and place them high enough that a flood won’t destroy them.  Keep the door locked and limit access to those who really need to touch the machine.  Nearly all technology that contains client confidential data – computers, phones, servers, disks – is portable.  One benefit of putting your data in the cloud is that someone else is taking care of this physical security.

Another easy step to take is to lock your computer screen when you’re not sitting in front of it.  A computer screen in a first floor office may be visible to passersby if there is a walkway near the windows.  It may be possible for the inquisitive to discern what the papers on your desk or the information on your computer screen say.  Hold down your Windows key and hit L to lock your screen in Windows before you walk down the hall to talk to someone.

Prepare for Loss

Losing a device – server, laptop, smartphone – needn’t be the end of the world.  But you need to have taken steps prior to the loss to limit the damage.  If you have encrypted your data and the device is turned off, you are already in good shape.  Most smartphones now support free or inexpensive apps for remote locating and remote wiping.  These can allow you to identify where the device is, if it is connected to a network.  They can also allow you to remotely delete everything on the device.  If you are going to use this sort of software, install it before putting confidential information on your device.

Watch for the Unexpected

There is a small industry of penetration testers who are hired by companies to test their security processes.  These penetration testers have devised a number of devices that are easily available and provide good examples of how vigilant – perhaps paranoid! – we need to be to identify potential threats to client information.  You should keep an eye out for things that look out of place, like a power strip that you didn’t buy or ask for.

This is harder, but you should also try to monitor the traffic in and out of your office and home networks.  If someone has found a way to access your client information remotely, they may be uploading it to their own server.  At the very least, watch what your bandwidth usage is and look for months where it is higher than expected.  Unfortunately, that may be too late, but it is better to know too late than to never know at all.
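The month-over-month bandwidth check described above, as an added example that is not part of the original chapter: it sums outbound bytes per month from a constructed, simplified daily log (the "date,bytes_out" format is an assumption for illustration; a real router or firewall export would need its own parser) and flags any month whose total is well above the median of the months before it.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one line per day of outbound bytes leaving the office
# network, in an assumed "YYYY-MM-DD,bytes_out" format (not a real log format).
# June carries a large, unexplained jump in uploads.
SAMPLE_LOG = """\
2023-01-15,41000000000
2023-02-15,39000000000
2023-03-15,43000000000
2023-04-15,40000000000
2023-05-15,42000000000
2023-06-15,118000000000
2023-07-15,41000000000
"""


def monthly_totals(log_text):
    """Sum outbound bytes per calendar month (key "YYYY-MM") from the log lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, bytes_out = line.split(",")
        totals[date[:7]] += int(bytes_out)
    return dict(sorted(totals.items()))


def flag_unusual_months(totals, factor=1.5, min_history=3):
    """Return (month, total, baseline) for months whose outbound total exceeds
    `factor` times the median of the preceding months.  Only earlier months feed
    the baseline, so a spike is compared against normal usage, not against
    itself, and one bad month does not drag the median up for the next check."""
    flagged = []
    history = []
    for month, total in totals.items():
        if len(history) >= min_history:
            baseline = median(history)
            if total > factor * baseline:
                flagged.append((month, total, baseline))
        history.append(total)
    return flagged


if __name__ == "__main__":
    for month, total, baseline in flag_unusual_months(monthly_totals(SAMPLE_LOG)):
        print(f"{month}: {total / 1e9:.0f} GB out, baseline {baseline / 1e9:.0f} GB")
```

Running it on the constructed sample reports only 2023-06; July is not flagged because the median baseline ignores the single June outlier.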