Just like kitchen drawers and closets, computers accumulate clutter over time. And when you have an entire organization’s worth of people to watch and exponential amounts of data collected every day, it takes more than a day of spring cleaning to get your environment clean. Clearing out your team’s cyber clutter will not only help make the business more organized and productive, but it will also mitigate the vulnerabilities that accompany the clutter.
Here are four areas you should de-clutter to ensure your organization’s digital presence is clean:
1. Physical Devices
Physical devices can take up most of your organizational environment, from user computers to firewalls. All of these devices have proprietary information of some form on them, so it’s wise to keep them at the forefront of your decluttering.
Here’s a few tips:
- Create and enforce policies and procedures for your organization’s documents.
- Implement a document deletion policy and make sure your team is aware of it. You don’t want a user’s computer to be stolen with years’ worth of documents stored on it.
- Consider how sensitive documents are handled. These are documents that should not be accessed by the general organization, should not be stored on a local machine, and may need to be encrypted.
- If you have a cloud storage solution, enforce automatic backup for users. This enables you to have a better view of what your users are storing and what they are doing with those documents.
2. Cloud Storage
Because cloud storage doesn’t take up space in your server room, it’s easy to forget to quality control it as you do your physical storage. And while cloud storage is generally hosted by trusted service providers, we’ve seen these servers open in the wild before.
When cloud storage applications are one of the easiest ways to exfiltrate company data, it’s important to regulary clean them out and restrict access as appropriate.
- Are you currently restricting what cloud storage systems your users are able to access? This is a twofold concern as having company accounts attached to multiple cloud systems opens up avenues for attackers and data exfiltration.
- Enforce your company document policies and procedures with your cloud storage. It’s actually easier to enforce some policies within the cloud, such as least privilege permissions.
- Utilize the built-in security features that many cloud storage apps have. These can protect against data exfiltration or alert for suspicious activity.
3. Email
Email accounts are some of the largest data hubs, storing information about an account’s owner and everyone they interact with. Think of the email accounts of the members of your HR department, full of employees’ sensitive data.
When addressing the security of your company’s email accounts, consider:
- Do you have a limit on how much data a single inbox can hold?
- If you don’t have a limit, do you have a widely known policy on the importance of cleaning out your email boxes every so often? This depends on your organization, but your users should be informed of the risks of keeping their friend’s vendor’s personal contact information in their inbox for six months.
- Sometimes it’s surprising what capabilities users are unaware of within their emails. It’s a great idea to empower your users to utilize your email service’s tools by providing them with guides for things like how to:
- Search for sensitive data to quickly find and delete it,
- Set up automatic deletion rules, and
- Set up rules that screen their inbox for marketing or important emails.
- If your organization has a data retention policy, make sure that emails are included in it. This will affect the permissions your users have; for example, you can completely remove users’ ability to delete emails within their individual inboxes.
4. Apps
Oftentimes we forget the pervasiveness of apps, whether they’re on our computer or mobile devices. Most companies are utilizing Mobile Device Management (MDM) for their devices.
However, an MDM still needs to be reviewed and have proper enforcements put in place. Consider:
- Are apps restricted only to the people that need them? For example, your marketing team may need access to Facebook and Instagram, but your engineers do not.
- If there are accounts or subscriptions associated with an app, be sure to document all of the relevant information. You don’t want to run into a situation where an employee leaves the organization, but they were the sole owner of applications important to the organizational workflow.
- All apps should be as securely configured as possible; however, sometimes apps make this difficult by hiding the settings in question. Review all apps and create procedures for secure configuration before they are allowed to the general population of your organization.
Other Things to Think about
- For organizations that utilize photography or videography, keep in mind that this type of data is just as vulnerable as a text document. Your organizational data policies apply here, perhaps even more stringently.
- Password keepers are a great method of ensuring that users adhere to proper password practice, such as using strong and unique passwords. Make sure the user is aware of how to properly use the password keeper, otherwise they may find ways to avoid using it.
- Implement a company-wide multi-factor authentication policy to prevent unauthorized access to your systems. It’s also important to judge your needs of security and your users’ acceptance to see if you should invest in hard tokens instead of the more common soft tokens like authentication apps.
By following the tips above to de-clutter your IT environment, you will ultimately help your organization become more secure.
