Imagine a bill. Let’s say it’s for medical or educational services, so we need to keep it private. Here are three ways we might approach it:
- We calculate the bill from our paper files, write it out, and put it in the mail. There’s a copy in the file drawer. The paper bill is prepared in the business office, put into an envelope by a clerk, carried to the mail room by another clerk, picked up by the mail carrier, and delivered to a mailbox — touched by another half dozen people on the way and then left in a mailbox where anyone could take it if they wanted to. Altogether, the bill is physically touched by about a dozen people and it is left in places which are entirely open to other people, or where anyone with physical access to the building can see it.
- We calculate the bill from files on our computer, saving a copy in the file. We email it to our customer. If we have passwords, if our email provider follows security protocols, and if we log off when we leave our computer, this bill will be seen only by the person who prepares it and the person who receives it, and touched by nobody. In practice, there’s a lot of room for human error: a third of workers in one survey admitted that they stay logged into their computers all the time, and 18% share passwords with their coworkers, while about 10% keep written notes of their passwords on their desks. This means that anyone coming into the building may have access to the bill.
- We calculate the bill from files stored in the cloud, prepare the bill within our cloud-based application, and send it via a secure portal which is not on the internet and cannot be accessed by anyone without a password. Since cloud-based applications usually time out if left open, and no information is actually in our desktop computer, no one sees the bill except those who have authorization to see it, and no one touches it. While a determined criminal might be able to get to the bill and an authorized person could print it out, this is generally the safest option.
Many people worry about hackers, but most security issues are casual carelessness, not crime. It’s the files left on a desk while their owner goes to lunch, or the sensitive information left on a shared computer, that usually expose information, not the espionage mastermind.
How can you increase security at your organization?
- Make sure that your IT providers follow good security protocols. Generally you can ask them to describe their security efforts, and from their answer you’ll know whether they have enough safeguards in place.
- Watch out for careless security breaches. Get your staff in the habit of logging off their computers when they leave the room, discourage unnecessary printing of sensitive information, and ask everyone to keep passwords secure.
- Use cloud applications when possible, with remote, secure backup. If you must back up information onto an on-premises machine or onto paper, work out strong security protocols for the machines and/or storage areas you’ll be using.