San Diego Business Journal

Q & A

Advertorial: Technology Driving Business Series I Supplement Monday, January 28, 2013

Now you can make informed decisions about what information to protect and what form of protection is appropriate. Typically this means restricting PII access, using technologies such as encryption and authentication, to only those employees who need to see it. In other words, to see sensitive customer information, employees must identify themselves with unique credentials such as a user name and password, and preferably a second factor such as a token or one-time pass code. The time to train employees on the ethical and legal issues surrounding data is before issuing these credentials. After all, the consequences of mishandling sensitive information are never good and can be very costly. Every breached entity is held accountable in four “courts”: law, press, public opinion, and customer loyalty.
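The answer above describes three gates in front of customer PII: a verified first factor, a verified second factor, and a need-to-know rule tied to the employee's job, with training completed before credentials are issued. The following is an added example, not code from the article or its authors, showing how a deny-by-default access check can encode those gates. The data classes, roles, user records and the choice to gate PII access on completed training are all constructed for illustration.

```python
"""Added example (not from the article): a need-to-know access check for PII
that requires unique credentials plus a verified second factor.
All data classes, roles and sample users below are constructed."""
from dataclasses import dataclass, field

# Constructed policy: which job roles have a need to see each class of data.
NEED_TO_KNOW = {
    "customer_pii": {"billing", "support"},
    "marketing_stats": {"billing", "support", "marketing"},
}
# Data classes that require the stronger controls described in the answer.
SENSITIVE = {"customer_pii"}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    authenticated: bool = False          # first factor (password) verified
    mfa_verified: bool = False           # second factor (token / one-time code) verified
    trained_on_data_handling: bool = False  # training completed before credentials issued


@dataclass
class Decision:
    allowed: bool
    reason: str


def can_access(user: User, data_class: str) -> Decision:
    """Deny by default; allow only when every layer the answer describes holds."""
    if data_class not in NEED_TO_KNOW:
        return Decision(False, f"unknown data class {data_class!r}")
    if not user.authenticated:
        return Decision(False, "first factor (password) not verified")
    if data_class in SENSITIVE and not user.mfa_verified:
        return Decision(False, "second factor required for PII")
    if data_class in SENSITIVE and not user.trained_on_data_handling:
        return Decision(False, "data-handling training not completed")
    if not (user.roles & NEED_TO_KNOW[data_class]):
        return Decision(False, "no need-to-know for this data class")
    return Decision(True, "need-to-know role with verified credentials")


def audit_line(user: User, data_class: str, decision: Decision) -> str:
    """One log line per decision so that denials are visible to reviewers."""
    outcome = "ALLOW" if decision.allowed else "DENY"
    return f"{outcome} user={user.username} data={data_class} reason={decision.reason}"


if __name__ == "__main__":
    alice = User("alice", {"support"}, True, True, True)
    bob = User("bob", {"support"}, True, False, True)      # no second factor
    carol = User("carol", {"marketing"}, True, True, True)  # no need-to-know
    for u in (alice, bob, carol):
        print(audit_line(u, "customer_pii", can_access(u, "customer_pii")))
```

Each denial carries the failing layer as its reason, so the same function that enforces the policy also produces the evidence an auditor asks for after an incident.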

What security issues might my business need to address in planning to migrate our business to the cloud?

Turning to the cloud for IT services can be economically appealing but definitely involves a variety of risks that vary according to the type of cloud. If you use a public cloud approach then some or all of your company data and applications will be in a shared environment, potentially at risk from bad guys attacking that cloud or from the actions of others sharing that environment. You also face potential risks from the actions of the cloud provider itself, such as failing to provide sufficient redundancy to cope with weather-related outages.

Public cloud providers do make security assurances but those are unlikely to be backed by a Service Level Agreement (SLA). A set of tests run by BAE Systems last year found that several public clouds failed to notice malicious traffic, whether it was inbound or outbound. A private cloud removes some of the concerns of a public cloud but you still need to perform due diligence, asking prospective providers about their security measures, including firewalling, intrusion prevention measures, malware scanning, authentication requirements (should be multi-factor), redundancy, backup, and site security.

Employees are going to download files in the day-to-day activities of their jobs. How can I ensure that I’m not putting our business’s core data at risk, with hidden viruses and malware running rampant these days?

A well-designed IT system will provide multiple layers of defense against malicious and unwanted file downloads. You can configure systems to prevent unauthorized downloads, either by type of file or source of file (for example, blocking downloading of unauthorized executable files and blocking surfing to adult sites). You can install antivirus scanning at the file server and email server level, right down to the individual computers or endpoints, including smartphones and tablets. A good antivirus program, properly installed and well-maintained, will block the vast majority of malicious code that is out there in the wild, from viruses and worms to Trojans and time-wasting nuisance apps (sometimes referred to politely as potentially unwanted applications).
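The answer describes layers applied in sequence: block by source of file, block by type of file, then scan what remains with antivirus. The following is an added example, not code from the article or its authors, that runs a download through those layers in that order. The source categories, blocked extensions, signature patterns and sample files are all constructed stand-ins for a web-filter database and an antivirus engine. One detail the answer's "by type of file" rule leaves implicit is shown here: the type check looks at the file's leading bytes as well as its name, so an executable renamed with a harmless extension is still caught.

```python
"""Added example (not from the article): a layered download filter in the
order the answer describes: source, file type, then content scan.
Blocklists, signatures and sample files are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed category lookup standing in for a web-filter database.
SOURCE_CATEGORY = {
    "updates.example-vendor.test": "software",
    "files.example-adult.test": "adult",
    "cdn.example-news.test": "news",
}
BLOCKED_SOURCE_CATEGORIES = {"adult", "malware"}

# File types that ordinary users may not download.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".js", ".vbs"}
# Leading bytes that identify native executables regardless of the name used.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Constructed byte patterns standing in for an antivirus signature database.
SIGNATURES = {
    "Test.ConstructedSample": b"CONSTRUCTED-TEST-SIGNATURE",
    "PUA.Toolbar": b"INSTALL_SEARCH_TOOLBAR",   # potentially unwanted application
}


@dataclass
class Verdict:
    allowed: bool
    layer: str     # which layer decided: source, file-type, antivirus, or none
    detail: str


def classify_source(host: str) -> str:
    return SOURCE_CATEGORY.get(host, "unknown")


def is_executable(filename: str, content: bytes) -> bool:
    """Check both the extension and the leading bytes (extension can be spoofed)."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS or content.startswith(EXECUTABLE_MAGIC)


def scan(content: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return name
    return None


def evaluate_download(filename: str, host: str, content: bytes,
                      user_may_run_executables: bool = False) -> Verdict:
    category = classify_source(host)
    if category in BLOCKED_SOURCE_CATEGORIES:
        return Verdict(False, "source", f"{host} is categorised {category}")
    if is_executable(filename, content) and not user_may_run_executables:
        return Verdict(False, "file-type", f"{filename} is an executable")
    hit = scan(content)
    if hit is not None:
        return Verdict(False, "antivirus", f"signature {hit}")
    return Verdict(True, "none", "passed all layers")


if __name__ == "__main__":
    samples = [
        ("report.pdf", "cdn.example-news.test", b"%PDF-1.4 constructed"),
        ("invoice.pdf", "cdn.example-news.test", b"MZ\x90\x00 renamed executable"),
        ("pic.jpg", "files.example-adult.test", b"\xff\xd8 constructed"),
        ("notes.txt", "cdn.example-news.test", b"hello INSTALL_SEARCH_TOOLBAR"),
    ]
    for name, host, data in samples:
        v = evaluate_download(name, host, data)
        print(f"{name:12} {'ALLOW' if v.allowed else 'DENY':5} {v.layer}: {v.detail}")
```

Because the cheapest checks run first, most blocked downloads never reach the scanner; the scanner still runs on anything the earlier layers let through, including executables a privileged user is permitted to fetch.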