Regardless of size and industry, almost every organization deals with sensitive data, from government agencies storing social security details to SMBs collecting customer contact information. Businesses often have a regulatory obligation to keep sensitive data protected. However, keeping significant amounts of information secure is no easy task.
This is where the need for robust data security comes into play.
Data security involves several cybersecurity techniques and technologies to protect sensitive data from malicious or accidental destruction, disclosure, or modification. Data security is more crucial than ever as cybersecurity risks grow in sophistication and severity.
Whether you administer your enterprise IT security or partner with a managed IT service provider, here are a few basic data security principles.
- Inventory data regularly
- Only store business-critical data
- Safeguard stored information
- Dispose of and destroy obsolete data properly
- Create a security breach response plan
Let’s review each of these five data security best practices to ensure businesses of all sizes can collect, store, and dispose of data securely. Companies can better meet legal obligations related to protecting sensitive personal information about customers or employees with these best practices in place.
1. Inventory Data Regularly
You can’t protect what you don’t know you have. Find out what data your system contains and who has access to it. Start with all hardware — file cabinets, computers, laptops, flash drives, disks, multifunction printers (MFPs), smartphones, tablets, etc.
Coordinate with all departments — sales, IT, human resources, accounting, service, outside contractors, etc. — to better understand how much sensitive data and personal information your enterprise handles.
Improved visibility helps organizations track information sources and implement access control policies to limit data loss and unrestricted access. Compliance with federal laws such as the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act is less complicated when businesses can track and identify their sensitive data.
2. Only Keep Business-Critical Data
One of the most critical data security best practices is the fundamental principle of scaling down data collection and only retaining personal information that is integral to a product or service. Organizations shouldn't keep data unless it's for a legitimate business need. If a company chooses to store business-critical data, the information should only be kept as long as necessary to limit the risk of exposure.
Sensitive personally identifiable information (PII) such as Social Security numbers should be used only for essential and lawful purposes, such as tax reporting. Companies increase their attack surface when stored PII is used unnecessarily, such as using Social Security numbers as employee or customer identification numbers.
Suppose information needs to be kept long-term for business or legal reasons. In that case, companies should develop a written retention policy to identify what must be kept, how to secure it, how long, and how to dispose of it securely.
Remember, minimizing unnecessary long-term data retention is crucial in lowering the risk of costly data breaches since malicious actors can’t steal sensitive data if it's not in your possession.
3. Safeguard Stored Information
Companies need a holistic cybersecurity strategy for protecting their business-critical PII that encompasses three key elements: physical security, electronic security, and employee training. Let's dive deeper into each of these core facets.
Physical Security
Many businesses overlook the physical side of data security. If sensitive documents and files are not physically secured, they are at risk of theft or accidental exposure, and breaches caused by a physical security compromise are costly. According to the Cost of a Data Breach Report, 10% of breaches were caused by a physical security breach, with an average cost of $4.36 million.
Here are a few tips for improving your physical security posture.
- Store data backups, paper documents, and thumb drives containing personally identifiable information in a locked space. Make sure to limit access to this area to only employees with legitimate business needs.
- At the end of each workday, employees must log off their computers and lock all file cabinets and office doors.
- Install access control systems throughout facilities and create a written policy outlining the procedure if an employee sees an unfamiliar person on-premise.
Electronic Security
Every business has a unique IT infrastructure comprising computers, network printers, software, routers, wireless devices, and more. Malicious actors exploit vulnerabilities in these endpoints as an entry point to gain unauthorized access to high-value assets on a company’s network. To reduce their attack surface, companies need to be proactive and understand the vulnerabilities of their IT systems.
Here are a few tips for improving your electronic security.
- Implement a business continuity and disaster recovery (BCDR) plan so the business can recover from future data breaches.
- Consider data security features when buying or leasing a printer, such as hard drive encryption, automatic data cleanup, temporary image removal, pull printing, etc.
- Install a next-generation firewall (NGFW) with additional network security features such as intrusion prevention and malware protection.
- Allow work-from-home employees to access sensitive information remotely rather than storing it on their laptops.
- Prohibit employees from downloading unauthorized software.
- Encrypt stored sensitive information and data sent over public networks.
- Consistently run anti-malware software on servers and individual computers.
- Require employees to use strong passwords and multi-factor authentication.
- Assess the vulnerability of each endpoint. Appropriate vulnerability assessments can range from a knowledgeable employee running off-the-shelf security software to an independent IT service provider conducting a full-scale vulnerability audit.
Employee Training
One of the biggest threats to data security is your employees. Without cybersecurity training, employees may open emails from unknown senders, click on cryptic links out of curiosity, and even print out sensitive PII and forget that it’s sitting unattended at the printer. Unrestrained web browsing, poor password habits, and vulnerable document processes make employees an attractive target for social engineering and phishing scams.
However, most businesses leave their employees underprepared and ill-equipped to combat the increasingly dangerous digital landscape, putting sensitive company data, business reputations, and profit margins at risk. Only 60% of businesses provide formal cybersecurity awareness training to their employees. If organizations want to maintain business continuity, avoid costly data breaches, and protect their reputation, they must invest in continuous and comprehensive employee cybersecurity training.
Here are a few tips for improving your employees’ cyber resilience.
- Articulate company policies regarding keeping data secure and confidential. If an employee violates the cybersecurity policy, impose disciplinary measures.
- When a potential security breach occurs, employees must immediately notify the appropriate personnel.
- Establish a “culture of cybersecurity” by integrating a regular employee training schedule.
- Provide interactive cybersecurity awareness training where employees can complete modules at their own pace. The curriculum should be tailored to the topics most relevant to your business, such as email security and online credit card safety.
- Conduct simulated phishing attacks and monitor employee responses to identify gaps in knowledge and discover which users might be more vulnerable to a phishing attack.
- Hang educational cybersecurity posters in high-traffic areas as a visual reminder to keep cybersecurity awareness top-of-mind every day.
4. Dispose of and Destroy Obsolete Data Properly
A company’s trash is a hacker's gold mine for sensitive information. Failure to appropriately discard and destroy obsolete data, such as leaving documents with protected health information (PHI) in a publicly accessible waste receptacle, invites fraud and increases the risk of consumer identity theft. Companies can prevent discarded sensitive information from being read or reconstructed by implementing proactive measures and taking the necessary precautions.
Here are a few tips for improving your data disposal capabilities.
- Create and enforce a formal documented procedure for data destruction.
- Paper trash should be shredded, burned, or pulverized. Shredders should be located in the office near copiers and printers, enabling simplified and convenient use.
- Old computers and storage devices should be securely erased using wipe utility programs.
- Hard drives and other storage in devices should be wiped, or removed and returned to you for safekeeping, before the device is disposed of, returned to a leasing company, reallocated for different use(s), or sold. Employees who telecommute should follow the same procedures.
5. Create a Security Breach Response Plan
Even with a multi-pronged cybersecurity strategy, data breaches can still occur. The reality is that it’s not a question of if but of when. As cybersecurity risks grow in frequency and severity, businesses increasingly need a security breach response plan to mitigate disruptions and minimize data loss. When a company falls victim to a data breach, the response plan provides actionable steps and procedures for employees to follow, helping the business respond to the attack in a timely and appropriate manner.
Here are a few tips for creating a security breach response plan.
- Designate a senior staff member to coordinate and implement the security breach response plan.
- Ensure every employee knows to disconnect compromised computers from the network immediately after a breach is detected.
- Establish clear communication guidelines to ensure seamless communication during and after a breach.
- To encourage continuous improvement, document the details of the incident and update security protocols to avoid recurring incidents.
- Create a list of whom to notify both inside and outside the enterprise when a breach occurs. Depending on the type of establishment, a company may need to notify law enforcement, consumers, credit bureaus, attorneys, and other businesses affected by the breach.
Protect Your Sensitive Data with Holistic Managed IT Services
Keeping your organization's data secure can be difficult, but following these five fundamental principles will help. Businesses interested in bolstering their data security should request an IT assessment from an experienced managed service provider. Such providers offer deep technical insight and 24/7 support to help you select the cybersecurity technologies and services required to safeguard data and maintain a safe, reliable, and compliant business IT infrastructure.
Editor’s Note: This post was originally published on July 21, 2015, and has been updated for accuracy and current best practices.