For Social Networks:
1) Put in place a social media policy-and then make sure it's enforced-This policy should detail acceptable uses and explain the consequences of violating or failing to follow the corporate code of conduct around client confidentiality and intellectual property.
2) Explain social media threats and how to prevent them-Create a training or education programme that explains the real day-to-day threats found on social networking sites. For example, offer examples of how to identify phishing and why you shouldn't click on a friend's link just because they think you should. Employees should understand how they might unknowingly download a virus onto a corporate PC or mobile device and how rapidly it can spread throughout the enterprise network.
3) Make sure users are aware of basic principles of privacy and password creation-Pick a strong, unique password and keep it secret; check privacy settings regularly and carefully choose a configuration; be wary of downloading applications; and only friend people you know.
In your experience working with customers in ASEAN, is/there any area of data security that they should pay attention to but somehow fail to address?
Many customers we have worked with in ASEAN lack the necessary knowhow and expertise in handling security risks associated with mobile devices.
Organisations regardless of their size must grapple with the reality of the mobile device usage at the workplace. They need to have a security strategy in place to address the potential risks created by these devices.
Here are some useful tips for organisations: -
- Develop an enterprise strategy for mobile security-The solution is not to limit the use of mobile devices but to accept the fact that mobile devices are now a way of life. To create an enterprise strategy, it is recommended to conduct an audit to determine where laptops and other mobile devices are used within the organization. As reducing the number of devices based on which employees really need them to work effectively is unrealistic in most organisations, an audit helps to understand the level of risk and enabling technologies that limit access to or transfer of sensitive and confidential information.It is also advisable to classify the sensitive data employees have on these devices. Data can be classified as follows: regulated data (such as credit cards, health data, and driver's license number), non-regulated customer data (such as purchase history, email address list, shipping information), non-regulated confidential business data (such as IP, business plans and financial records) and employee data.Based on this classification, make sure appropriate safeguards are in place and that employees understand they are also accountable for the data's security. Conduct a risk assessment to determine possible theft scenarios for the data stored, processed, or transmitted by these devices. Devise appropriate security measures to protect both the data and the mobile device. Finally, create a lost mobile device response team to monitor laptops, smartphones and other mobile devices.
- Create a comprehensive policy for all employees and contractors who use mobile devices in the workplace-The policy should address the risks associated with each device and the security procedures that should be followed. Guidelines can range from such topics as to what types of data should not be stored on these devices, how to determine if an application can be safely downloaded and how to report a lost or stolen device. In addition, establish rigorous monitoring practices and implement enabling technologies to ensure policies and guidelines are strictly enforced.
- Establish organisational accountability-Organisations have a responsibility to provide their employees with the policies, procedures and technologies necessary to the security of mobile devices used in the workplace. In turn, employees must be aware of their need to be accountable and aware of the importance of using their mobile devices responsibly. As a starting point to creating employee awareness, organisations need to have a clear and concise policy that defines the employee's responsibility and accountability. Understand that it is almost impossible to keep employees from using mobile devices for both personal and business purposes. Therefore, create guidelines for the responsible use of these devices when used for non-business purposes.
- Launch awareness training for end users-Beyond policies and monitoring of employee behaviors, organisations should implement a training programme to help employees understand the new and emerging security threats present when they use their mobile device. Training programmes should emphasise the need to be careful when transmitting confidential information. This is especially important because employees are increasingly using business mobile devices for personal use as well.
Sign up for CIO Asia eNewsletters.