How Much Security Do We Need?
Our data auditing business audits data that is moderately sensitive, but contains no identity theft type information. We encrypt the data on our PCs. We do not host any servers or web sites. We work from multiple locations. Each has a hardware firewall.
Do we have a reasonable level of security, or is there something we are missing?
You mentioned the data is "moderately sensitive", so I would at minimum consider some additional controls.
The base principle of data security is to secure data at rest (stored) and data in motion (transmitted).
Consider the following:
I see you have local PC hard drive encryption in place; that's a good step in case the PC is lost or stolen.
A properly configured firewall is also important, as well as installing the most current patches for both your operating system (assuming Windows) and your software, and maintaining updated malware protection software.
Here are some questions to ask yourself:
- Do you care if the sensitive data is copied off of the PCs? If so, consider controls to block writing to external media such as thumb drives, CDs/DVDs, etc.
- Do you care if the sensitive data is posted online? If so, consider adding a control called a web proxy, which will block your users (or anything that compromises the PC, for that matter) from visiting certain sites: Dropbox, Facebook, etc.
- If you allow wide open web browsing, what will you do to monitor whether the sensitive data is posted somewhere online? There are a few answers to this, including a newer breed of "Data Leak Prevention (DLP for short) software" and more complex methods as well.
- If the sensitive data is a set of passwords, then consider using software specifically designed to store the passwords in some secure fashion, such as KeePass Password Safe.
- Consider applying secure configurations to your local PCs; this helps further lock down and limit
- If getting a server infrastructure is out of the question, consider secure data services/cloud services to securely store data. Again, remember to limit who has access to what. This brings me to another point, "data in motion": if data is uploaded or shared somewhere, that data should be encrypted while it's on the move. In a web scenario, make sure you enforce the use of SSL over HTTP (aka HTTPS).
- Lastly, consider what happens if that data is lost. If the data isn't backed up anywhere and your employee loses the PC, all the data on it may be gone for good. I recommend implementing a backup strategy and software. Don't forget to protect the backup data where it is stored, and also while the backup data is being transmitted to its destination.
I've given you a bit to think about, so hopefully it's a good start.
Overall, some folks choose to think about security in a risk management sense via cost-benefit analysis: "Is the data worth the amount of money/time/resources I invest in protecting it?"
You're on the right path! Good luck, and remember, Google knows all and can help with each of the items described above!
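As an added example (not part of the original answer), here is one way to implement the first item above, blocking writes to external media, on a Windows PC without a domain: it sets the same registry values that the "Removable Storage Access" Group Policy writes, then reads them back to verify. It assumes Windows, an elevated PowerShell session, and that the two device-class GUIDs below (removable disks and CD/DVD) are the classes you care about.

```powershell
# Added example: deny write access to removable disks and CD/DVD drives
# by setting the Removable Storage Access policy keys directly.
# Assumes Windows and an Administrator PowerShell session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the Removable Storage Access policy.
$classes = @{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

foreach ($name in $classes.Keys) {
    $key = Join-Path $base $classes[$name]
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Deny_Write = 1 blocks writes; reads stay allowed so staff can still
    # import data from media. Use Deny_Read too if reads should be blocked.
    Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
}

# Verify the control is in place (read back what was actually written).
foreach ($name in $classes.Keys) {
    $key   = Join-Path $base $classes[$name]
    $value = (Get-ItemProperty -Path $key -Name 'Deny_Write').Deny_Write
    $state = if ($value -eq 1) { 'write blocked' } else { 'NOT blocked' }
    Write-Output ("{0,-16} {1}" -f $name, $state)
}
```

Devices already plugged in when the policy is set may need to be reconnected before the restriction applies (assumption based on how the policy is evaluated per device); test with a spare thumb drive before rolling it out, and note that a domain Group Policy, where one exists, will override these local values.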