It’s 10:00. Do you know where your data is?

So you wanna secure your organization. You’ve thought about the appropriate balance of security and complexity for your team. You’ve taken steps to clean up your computer and lock down your network. Whew! Mission Accomplished, right?

Sadly, no! Security is a process, not a product. You don’t just spray your laptop with Hacker-B-Gone™ and call it a day.

If your data is what you are trying to protect, then you have to think about every step of the process:

• If you collect information on paper forms, what happens to them after you data-enter them? Are they shredded? (One of the classic techniques of data theft is no more sophisticated than going through your garbage.)
• Are your computers locked up at night? If someone broke in and stole the physical machines, is the data on them reasonably secure? (Of course there's only so much you can do if people have physical access to the computer.)
• What happens to your backups? Are they kept locked up? Are they kept in a separate place from the originals? Have you actually tested them? If you haven’t tried a complete restore from backups in a while, odds are good it doesn’t actually work.

Then there are all the other places you may have data. USB thumb drives get lost all  the time. Be careful with what you use them for.

Think about the cradle-to-grave lifecycle of your data and what happens to it- you might be surprised what your data has been up to when you weren’t paying attention.