Data today takes on many forms: It includes your internal business data and customer data that you might store. It could be credit card information, social security numbers, personally identifiable information (PII), business or order transactions, or medical records and other health information. In many of these cases there are strict regulatory requirements governing how the data must be used and secured, like PCI and HIPAA. Regardless if you fall under any regulatory requirements or not, the right thing to do for your business and your clients is making data protection a top priority.
In addition to simply having a plan to secure the data that’s been entrusted to you, you should communicate it with your customers or stakeholders so they understand all the precautions you’re taking. Given the amount of data that we’ve all given to third parties, customers expect that their data is secure and often want to know how. The more information you can provide when explaining your security measures to them, the better. Consider crafting a brief overview of your data protection policies that show your customers how seriously you take the trust they’ve placed in you.
Complete data protection has three critical components that we’ve outlined below, and these can be your guide in crafting a document to be transparent with your customers and users about how you secure their data.
Data at Rest
The first step to keeping your data secure while at rest is encryption at every level: The data files themselves, the editing/storage applications used to manipulate them, and the servers and workstations where the data is stored. A weakness at any of these levels can easily lead to the theft or corruption of your data.
Next, any system, application, or any other component used to interact with your data needs to be kept free of viruses and malware. Proper antivirus/antimalware software must be installed and kept updated so that it can tackle emerging threats as soon as possible and keep your data safe from being stolen or corrupted by cybercriminals.
Finally, in the event that any of these precautions fails, or if your systems are physically compromised in some way (from a failed hard drive to a flood or fire that brings down your network), you need backups. All of the measures described above will do you no good if a critical hard drive fails and you have no way to recover all the lost files! Backups that are regularly synced with the source files will allow you to recover operations rapidly after a disaster, as well as ensure a smooth transition if you migrate to a new infrastructure or system. Keep in mind that to actually be secure, your backups need to be encrypted too!
When transporting data, encryption is just as, if not more, important than ever. When data transmissions leave the confines of your own network, they are inevitably more vulnerable and must be protected. Robust encryption is vital to protect your data from outside eyes should it be intercepted during transport.
It’s also important to make sure that only secure and recordable methods are used to transport data. For example, employees who access the data should know if they are permitted to use personal flash drives or other external storage to transport files. It’s also important that their desktop and mobile devices that store data are protected and can’t be hacked when they are outside of your network, as well as to ensure that no data loss will occur if they are lost or stolen.
Finally, ensuring only authorized personnel have access to your data is critical to data security. This applies to keeping cybercriminals out, as well as preventing your own employees from accessing data that they don’t need. A well-meaning employee could innocently access customer data that they don’t truly need and accidentally expose or compromise it, and this type of internal risk is unacceptable today.
There is a long list of policies and procedures that you need to make sure are in place in order to properly mitigate this risk to your data:
- Off-boarding: Ensure that employee terminations are promptly reported to IT so their access can be revoked.
- Need-to-know: Users should only have permission to view data that they actually need to use in performing their job duties; unneeded access should be revoked.
- Password policies: Password protecting critical files and systems is literally the bare minimum security measure, so your passwords better be good. Make sure your password policy includes adequate length and complexity requirements, and passwords used to access extremely sensitive data should be updated on a scheduled basis.
- Multi-factor authentication: In addition to strong passwords, consider using multi-factor authentication to add an extra layer of security protecting your most critical data.
- Remote access: Remote access policies for employees should be clear and enforceable; make sure they understand what company resources they can and can’t access with their personal devices, and what data they are permitted to store or transfer with external applications like Dropbox.
- Logging: All access to sensitive data should be logged, so that if a breach occurs, it is very simple to retrace steps and discover where, when and by whom the data was accessed.
Take the opportunity today to ask your IT team about data protection and make sure your business is doing the right things to protect critical data.