
5 Cyber-Security Planning Steps For Businesses

Published April 16, 2018, last updated April 21st, 2020 | Cyber Security, Business Insurance

Data security is critical for every business: information such as client payment details, personnel files and bank account numbers is often impossible to replace if lost, or worse, ends up in the hands of criminals. Data lost to a disaster like fire or flood is a real problem, but data lost to hackers or malware can have greater consequences, because it may be disclosed or misused as well as destroyed. How you manage and protect your data should be a central function of the security of your business and the privacy of your customers, employees and partners.

Does your business have a cyber-security action plan in place? Here is an excerpt from the Federal Communications Commission Cyber-Security Planning Guide to help you get started.

1. Conduct an inventory of existing data.

Businesses handle many types of data every day: accounting records, financial information, contact and address details, proprietary information and more. Taking an inventory of the types of data your business manages, and how sensitive each type is, helps you decide how it should be handled.

In most situations, data does not live solely in one location or on one machine.

When data moves from employee to employee or department to department, it is exposed to more risk with every hop. A comprehensive audit of the data being managed and moved throughout your organization gives you a clearer picture of who should have access to it and which security processes should be put in place.

2. Develop a privacy policy.

Developing trust in your business practices, products and secure handling of your clients’ information will ultimately impact your profitability. Your privacy policy is a pledge to your customers that you will use and protect their information in ways that they expect and that adhere to your legal obligations. Your policy should start with a simple and clear statement describing the information you collect about your customers (physical addresses, email addresses, browsing history, etc.), and what you do with it.

There are also a growing number of regulations protecting customer and employee privacy and often costly penalties for privacy breaches. You will be held accountable for what you claim and offer in your policy. That’s why it’s important to create your privacy policy with care and post it clearly on your website. It’s also important to share your privacy policies, rules and expectations with all employees and partners who may come into contact with that information.

3. Create layers of security.

Data must be protected whether you host your own website and therefore manage your own servers, or your website and databases are hosted by a third party such as a web hosting company. If you collect data through a website hosted by a third party, confirm, in writing, that the third party protects that data to the standard you require.

Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: you cannot and should not rely on just one security mechanism, such as a password, to protect something sensitive. If that mechanism fails, you have nothing left to protect you; with layers, an attacker who guesses a password still has to get past the next control.

Data classification is one of the most important steps in data security. Not all data is created equal, and few businesses have the time or resources to provide maximum protection to all their data. That’s why it’s important to classify your data based on how sensitive or valuable it is – so that you know what your most sensitive data is, where it is and how well it’s protected.

Common data classifications include:

HIGHLY CONFIDENTIAL: This classification applies to the most sensitive business information that is intended strictly for use within your company. Its unauthorized disclosure could seriously and adversely impact your company, business partners, vendors and/or customers in the short and long term. 

SENSITIVE: This classification applies to sensitive business information that is intended for use within your company, and information that you would consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and email marketing lists.

INTERNAL USE ONLY: This classification applies to information that is generally accessible to a wide audience within your company but is intended for use only within your company and not for release outside it.
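As an added example, not part of the FCC guide or of this post, the following Python script shows one way to combine the data inventory from step 1 with the classification tiers listed above: it scans a set of documents for content that indicates a tier, assigns the highest tier triggered, and reports masked evidence. The mapping of detected content to tiers (Luhn-valid payment card numbers imply HIGHLY CONFIDENTIAL, e-mail addresses imply SENSITIVE, everything else INTERNAL USE ONLY), the pattern set and the sample documents are assumptions made for illustration; a real inventory would cover the data types your own business actually holds.

```python
import re

# Classification tiers from the guide, highest sensitivity first.
TIERS = ("HIGHLY CONFIDENTIAL", "SENSITIVE", "INTERNAL USE ONLY")

# Card-number-shaped runs: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simple e-mail address pattern (assumption: good enough for an inventory pass).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Rejects long numbers (order IDs, tracking codes) that merely look like card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return card-shaped, Luhn-valid digit runs found in text, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(number: str) -> str:
    """Keep only the last four digits so the report itself does not become sensitive data."""
    return "*" * (len(number) - 4) + number[-4:]


def classify_text(text: str) -> tuple[str, dict[str, list[str]]]:
    """Assign the highest tier triggered by the content and return the (masked) evidence."""
    findings = {
        "card_numbers": [mask(n) for n in find_card_numbers(text)],
        "emails": EMAIL_RE.findall(text),
    }
    if findings["card_numbers"]:
        return TIERS[0], findings
    if findings["emails"]:
        return TIERS[1], findings
    return TIERS[2], findings


def inventory(documents: dict[str, str]) -> list[dict]:
    """Build an inventory of name, tier and evidence, sorted most sensitive first."""
    rows = []
    for name, content in documents.items():
        tier, findings = classify_text(content)
        rows.append({"name": name, "tier": tier, "findings": findings})
    rows.sort(key=lambda r: TIERS.index(r["tier"]))  # stable: ties keep input order
    return rows


# Constructed sample documents for the demonstration; not real data.
SAMPLE_DOCUMENTS = {
    "payments_2023.csv": "customer,card,amount\nAcme Ltd,4111 1111 1111 1111,120.00\n",
    "newsletter_list.txt": "alice@example.com\nbob@example.org\n",
    "order_refs.txt": "Order 4111-1111-1111-1112 shipped\n",  # card-shaped but fails Luhn
    "holiday_schedule.txt": "Office closed 25 December.\n",
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_DOCUMENTS):
        print(f"{row['tier']:<20} {row['name']:<22} {row['findings']}")
```

Two design points matter in practice. The Luhn check removes most digit runs that only look like card numbers, but roughly one random 16-digit number in ten still passes it, so hits are evidence for a human to confirm, not a verdict. And the report masks card numbers deliberately: an inventory that lists the full values would itself have to be classified HIGHLY CONFIDENTIAL.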

4. Plan for data loss or theft.

Every business has to plan for the unexpected, and that includes the loss or theft of data from your business. Not only can the loss or theft of data hurt your business, brand and customer confidence, it can also expose you to penalties under the state and federal regulations that cover data protection and privacy, which are often costly. Data loss can also expose businesses to significant litigation risk. That is why it is critical to understand exactly which data or security breach regulations affect your business and how prepared you are to respond to them.

At the very least, all employees and contractors should understand that they must immediately report any loss or theft of information to the appropriate company officer. And because data privacy and breach laws can be very broad and strict, no loss should be ignored. So even sensitive data that simply cannot be accounted for, such as a backup tape an employee cannot remember where they left, may still constitute a data breach, and you should act accordingly.

Another step in preparing for data loss or theft is speaking with a knowledgeable insurance representative about cyber liability coverage. The level of coverage your business needs depends on its level of risk. Every type of business, from small organizations and technology companies to public entities and businesses with multiple locations, should consider the coverages and tools that can help protect it in the event of a cyber attack.

5. Train employees to recognize scams, fraud and social engineering.

New telecommunication technologies may offer countless opportunities for small businesses, but they also offer cyber criminals many new ways to victimize your business, scam your customers and hurt your reputation. Businesses of all sizes should be aware of the most common scams perpetrated online.

To protect your business against online scams, be cautious when visiting web links or opening attachments from unknown senders, make sure to keep all software updated, and monitor credit cards for unauthorized activity.

Social engineering, of which “pretexting” (inventing a plausible story to draw information out of the target) is one common form, is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering succeeds because the criminals do their best to make their approach look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.

Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses.

Assessing your risks, putting the appropriate policies and steps into place, in addition to training your employees will help you create a culture of cyber-security within your workplace. For more tips and tools, view the full National Cyber Security Alliance guide here.