Recently we wrote about the importance of implementing basic security policies from a virtual data room perspective. We highlighted how to assess the risk and take a systematic approach to the things a robust data security plan needs to cover. All your efforts are worthless, however, if you don’t follow through by tracking compliance with the policy, keeping it updated as new risks present themselves and educating your employees on how best to use the policies they have.
Mistake #1: Making Your Policy Difficult to Read
A solid policy for securing your virtual data room needs to be a working document. Not only is it subject to change as necessary, but staff at every level need to be able to understand and implement the practices outlined in it. This means it has to be readable. How often have you seen company policies so long and complicated that the average employee can barely understand them? Make your security policy:
- Short enough for people to read and understand without difficulty
- Easy to navigate, with numbered sections and a detailed index so people can find the information they need
- Long enough to cover all critical aspects of security so that nothing can be overlooked
It’s vital to your security that the policy can be used by everyone with access to the virtual data room; otherwise you leave yourself open to significant risks.
Mistake #2: Not Updating Your Policy
Things change. It’s a common mistake among small businesses to think that once the policy is done, it can be set aside and forgotten, but it doesn’t work that way. In the world of cyber crime the risks change rapidly, even daily, and keeping your security policies updated is necessary to ensure that all new challenges are assessed and measures for overcoming them are implemented without delay.
Maintain a current version of your policy where it’s easily accessible, and each time you update it make sure your employees are notified of the change. Provide them with the details of changes so they don’t have to go hunting through the policy to identify them, and get acknowledgement of the changes from each person who has access to your virtual data room.
Mistake #3: Not Tracking Adherence
It’s one thing to create a policy and tell people to use it; it’s entirely another to track compliance against it and ensure that:
- It’s working properly and you’ve covered all the bases, and
- It’s being used wherever necessary and not bypassed by lazy workers.
It’s easy for a corporate-sized virtual data room vendor to track compliance, but not so much if you’re a small business trying to manage your own. Put in place steps such as requiring employees to sign an acknowledgement that they have read the latest changes, requiring them to log out of the data room properly before they can close the window, and ensuring that documents checked out or downloaded are restored showing the history of activity. Penalize those who don’t follow the rules, to ensure the security of your data.
Mistake #4: Overlooking Non-Tech Risks
It’s not just about the technical aspects, such as hacking, access control and network security. Humans are often the weakest link in the chain, and your staff also need to be educated about issues such as social engineering risks. Ensure that your policy covers aspects such as password protection, vigilance against unauthorized persons, including janitorial workers, ‘shoulder surfing’, and dumpster diving to retrieve discarded hard copies of sensitive information.
Keep your virtual data room safe from a range of risks by implementing a policy that’s readable, comprehensive in approach, regularly updated and tracked for compliance.