We've all heard the horror stories: a laptop, hard drive or other piece of IT equipment is stolen from a government agency, university or large company, placing the personally identifiable information (PII) of thousands at risk. These unfortunate incidents are usually not the work of hackers or determined thieves, but rather are crimes of opportunity that result from lax physical accountability for the assets that store an organization's most sensitive data. These tales of woe are all too common in today's technology-saturated environment; a glance through the
Chronology of Data Breaches for the past three years shows that virtually no organization is safe from information security lapses.
To be certain, protecting PII and other sensitive data is everyone's responsibility, but property managers are uniquely situated in many organizations to have a significant impact on information security. Property managers, the guardians of physical asset accountability, often act as gatekeeper between the organization's IT department- responsible for making information available- and property custodians or end users of the devices that store sensitive data. While the IT department is responsible for ensuring the use of data-level security efforts (encryption, VPNs, etc.) property management is responsible for ensuring the physical security of these assets.
Flash drives, external hard drives and laptops have become ubiquitous in today's office environment due to their decreasing cost and increased storage capacity. Many of these items fall far below traditional property accountability thresholds, and many property managers are reluctant to place a barcode tag on something as tiny as a flash drive. Yes, accounting for these devices may be challenging, but the risks of a data security breach make these measures well worth the effort. The theft of PII can be as dangerous to the public as the theft of weapons or hazardous material. Consider what could have happened to the identities, security and livelihoods of the 26.5 million Americans affected by the
May 2006 data security breach at the U.S. Department of Veterans' Affairs.
So what can property managers do? Here are some steps that you can take to increase data security in your organization and protect your colleagues and customers:
- Maintain records for all organization-issued property capable of storing computer-readable data in your property control system- accurate records can help recover stolen assets in the event of a theft
- Flag these sensitive data storage devices as sensitive in the property system to quickly distinguish them from other kinds of property and to provide a complete picture of your organization's exposure to risk from sensitive assets
- Issue and check property passes for all data and storage devices taken out of a secure organization location
- Conduct physical inventories of sensitive assets more frequently than inventories of non-sensitive assets to ensure the prompt discovery of missing items.
- Sensitive assets that are not found during inventory should be subject to a formal internal inquiry process before being written off.
- File a police report in the jurisdiction of the theft as soon as reasonably possible if an asset is reported lost or stolen by an employee.
- Overwrite, degauss or destroy hard drives or flash drives prior to donation, sale, or abandonment.
In today's world, the nature of sensitive assets has changed, but the mission is still the same: provide accountability and control for the proper use and care of property. Property professionals now have the opportunity to provide a crucial line of defense against a devastating leak of sensitive data. We must do more than simply keep our organizations out of the headlines. Our obligation is to protect the well being of thousands of people who depend on us to keep their information safe. Protecting property is necessary, but protecting people is the most important responsibility of all.
