By Brian McGinley,

We have moved from being a computer-assisted society to one that is computer-dependent. Controlling that dependence is critical to maintaining a secure operation. Admittedly, that requires assistance from technical experts. But good control begins with a company’s employees, an area you can’t afford to ignore, and which I covered in an earlier post.

Once you’ve put in place the properly trained people and policies by following Steps 1 to 14, you can turn your attention to these tech-focused measures:

15.    PC and Laptop Security

If your computers are secure, your data is secure. A no-brainer, right? Yet countless companies don’t have in place the most basic computer and laptop security measures. These include, but are not limited to:

  • Lock PCs when they’re idle, through screen savers or antivirus utilities
  • Enable firewalls with strict permissions
  • Block user downloads and installations
  • Limit social networking and file-sharing
  • Install phishing filters and remote laptop security cleaners

16.    Mobile Devices, Smartphones and Media

Laptops used to be the Holy Grail for data thieves and corporate spies. Now the quarries are smaller, lighter, and easier to pocket: smartphones, flash drives, and external hard drives. These types of devices and media need the same level of protection as any company laptop or mobile workstation.

17.    Email Security

Spear phishing, which targets data networks through email channels, has opened backdoors for some of the largest hacker attacks this year. It’s imperative to have protections in place such as:

  • Encrypted/TLS or Secure File Transfer Protocol (SFTP)
  • A ban on free email accounts at work such as Gmail and Hotmail
  • A ban on linked attachments, from services like YouSendIt and Dropbox
  • Scanner technology for all attachments that move through your mail servers

18.    Use Antivirus and Antimalware Software

This step should need no explanation. Just do it.

19.    Social Networking

If your company does not use social networking as a business tool, consider banning it from the workplace. The move is extreme, perhaps, but it could be worth the time saved—both in employee productivity and security resources. Social apps can introduce viruses behind a firewall, and they’ve become the new playground for hackers and con artists.

20.    Network Security

Your IT network represents the “Keys to the Kingdom” and its security is critical to your ongoing operations. It needs to be appropriately resourced, set up, serviced, and protected by competent technical subject matter experts. This is an asset that needs your continued attention with appropriate care and feeding, as they say. The network is holy. It should be treated–and protected–as such.

21.    Third-Party Service Providers

As we learned in Step 9, you’re only as strong as the weakest link. It is imperative to be as rigorous about a third-party service provider’s data protection practices as you are about your own. Assuming that liability shifts away from your business because a vendor has been hired is simply deadly. Without equivalent protection across all your partnerships, these steps are all for naught.


Brian McGinley, Senior Vice President of Data Risk Management,
With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.
