Regardless of size and industry, almost every organization deals with sensitive data, from government agencies storing social security details to SMBs collecting customer contact information. Businesses often have a regulatory obligation to keep sensitive data protected. However, keeping significant amounts of information secure is no easy task.
This is where the need for robust data security comes into play.
Data security involves several cybersecurity techniques and technologies to protect sensitive data from malicious or accidental destruction, disclosure, or modification. Data security is more crucial than ever as cybersecurity risks grow in sophistication and severity.
Whether you administer your enterprise IT security or partner with a managed IT service provider, here are a few basic data security principles.
Let’s review each of these five data security best practices to ensure businesses of all sizes can collect, store, and dispose of data securely. Companies can better meet legal obligations related to protecting sensitive personal information about customers or employees with these best practices in place.
You can’t protect what you don’t know you have. Find out what data your system contains and who has access to it. Start with all hardware — file cabinets, computers, laptops, flash drives, disks, multifunction printers (MFPs), smartphones, tablets, etc.
Coordinate with all departments — sales, IT, human resources, accounting, service, outside contractors, etc. — to better understand how much sensitive data and personal information your enterprise handles.
Improved visibility helps organizations track information sources and implement access control policies to limit data loss and unrestricted access. Compliance with federal laws such as the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act is less complicated when businesses can track and identify their sensitive data.
One of the most critical data security best practices is the fundamental principle of scaling down data collection and only retaining personal information that is integral to a product or service. Organizations shouldn't keep data unless it's for a legitimate business need. If a company chooses to store business-critical data, the information should only be kept as long as necessary to limit the risk of exposure.
Sensitive personally identifiable information (PII) such as Social Security numbers should be used only for essential and lawful purposes, such as tax reporting. Companies increase their attack surface when stored PII is used unnecessarily, such as using Social Security numbers as employee or customer identification numbers.
If information needs to be kept long-term for business or legal reasons, companies should develop a written retention policy that identifies what must be kept, how to secure it, how long to keep it, and how to dispose of it securely.
Remember, minimizing unnecessary long-term data retention is crucial in lowering the risk of costly data breaches since malicious actors can’t steal sensitive data if it's not in your possession.
Companies need a holistic cybersecurity strategy for protecting their business-critical PII that encompasses three key elements: physical security, electronic security, and employee training. Let's dive deeper into each of these core facets.
Many businesses tend to overlook the physical security risks regarding data security. If not kept physically secured, sensitive documents and files are at risk for theft or accidental exposure. Malicious breaches caused by a physical security compromise are costly. According to the Cost of a Data Breach Report, 10% of breaches were caused by a physical security breach, with an average cost of $4.36 million.
Here are a few tips for improving your physical security posture.
Every business has a unique IT infrastructure comprising computers, network printers, software, routers, wireless devices, and more. Malicious actors exploit vulnerabilities in these endpoints as an entry point to gain unauthorized access to high-value assets on a company’s network. To reduce their attack surface, companies need to be proactive and understand the vulnerabilities of their IT systems.
Here are a few tips for improving your electronic security.
One of the biggest threats to data security is your employees. Without cybersecurity training, employees may open emails from unknown senders, click on cryptic links out of curiosity, and even print out sensitive PII and forget that it’s sitting unattended at the printer. Unrestrained web browsing, poor password habits, and vulnerable document processes make employees an attractive target for social engineering and phishing scams.
However, most businesses leave their employees underprepared and ill-equipped to combat the increasingly dangerous digital landscape, putting sensitive company data, business reputations, and profit margins at risk. Only 60% of businesses provide formal cybersecurity awareness training to their employees. If organizations want to maintain business continuity, avoid costly data breaches, and protect their reputation, they must invest in continuous and comprehensive employee cybersecurity training.
Here are a few tips for improving your employees’ cyber resilience.
A company’s trash is a hacker's gold mine for sensitive information. Failure to appropriately discard and destroy obsolete data, such as leaving documents with protected health information (PHI) in a publicly accessible waste receptacle, promotes fraud and increases the risk of consumer identity theft. Companies can prevent the reading and reconstruction of discarded sensitive information by implementing proactive measures and taking necessary precautions.
Here are a few tips for improving your data disposal capabilities.
Even with a multi-pronged cybersecurity strategy, data breaches can still occur. The reality is that it’s not a question of if but rather when. As cybersecurity risks grow in frequency and severity, businesses increasingly need a security breach response plan to mitigate disruptions and minimize data loss. When a company falls victim to a data breach, the response plan provides actionable steps and procedures for employees to follow, helping the business respond to the attack in a timely and appropriate manner.
Here are a few tips for creating a security breach response plan.
Keeping your organization's data secure can be difficult, but following these five fundamental principles will help. Businesses interested in bolstering their data security should request an IT assessment from an experienced managed service provider. They provide deep technical insight and 24/7 support to help you select the cybersecurity technologies and services required to safeguard data and maintain a safe, reliable, and compliant business IT infrastructure.
Editor’s Note: This post was originally published on July 21, 2015, and has been updated for accuracy and current best practices.