Keeping data secure
Keeping data secure is crucial for all businesses. After all, would you trust a company with your personal information if you knew it wasn’t being kept securely?
Customer and client information, payment details, personal files and bank details are all data that is impossible to replace if lost. More importantly, they can all be extremely dangerous if placed in the wrong hands. Data loss due to natural disasters such as flooding or fire damage is devastating, but losing it to hackers or from a malware infection can cause far greater damage.
The way your business handles and protects data is central to the security of you, your clients, employees and partners.
What kind of data do you have?
If you receive and hold customer data, the likelihood that you are holding sensitive or personal information is pretty high. Your business data may include customer data such as account records, financial information or even their buying habits. You could also potentially be holding proprietary information such as financial records, marketing plans or product designs.
Finally, complete a data inventory to identify and classify all of your potential areas of vulnerability. Data classifications tend to come in three groups: highly confidential, sensitive and internal use only.
Highly confidential
This classification applies to the most sensitive business information that is intended strictly for use within your company. Any unauthorised disclosure of this data could adversely impact your company in the short and long term. It is essential to keep this sort of data secure as it could include credit card data, passwords or even employee payroll files.
Sensitive
Sensitive data applies to sensitive business information that is intended for use within the company. This could also include information that you would consider to be private. Examples include employees' performance evaluations, internal audit reports and partnership agreements.
Internal use only
This classification applies to sensitive information which is generally accessible to a wider audience and is intended only for use within the company. Whilst unauthorised disclosure to outsiders should be against policy and could be harmful, the unlawful disclosure of the information is not expected to negatively affect your company in the long term.
Classifying your data allows your company to set parameters for how the data is accessed, transported, shared and ultimately kept secure.
Where is your data stored?
Data is most at risk when it is on the move. This means that if all your data resided on a single computer or server that was not connected to the internet, and never left that computer, it would be very easy to protect. However, in order to be useful, data must be accessed and used by employees. Every single time data moves or changes hands, it can be exposed to different dangers.
In order to dictate safe data transfer and storage, your company must create a company policy to allow for this. The policy must include information on how to back up, transport and safely store physical and virtual data.
It is important to keep in mind that physical media such as USB drives or data backups are vulnerable no matter where they are located. Make sure you keep any physical data in a secure office or off-site. Any physical data storage systems should also be encrypted.
Your website can be a great place to collect information. This includes transactions, payments and even browsing history. This data must be protected whether you host your own website and servers or whether they are hosted by a third party. If a third party hosts your website, be sure to discuss the methods they have in place to protect your data from hackers and outsiders as well as employees of the hosting company.
Storing virtual data is very common practice nowadays. However, there are certain risks you need to consider. For example, if your company contracts with a third party to house data virtually, be sure to keep an updated contract that outlines who accesses your data, how it is encrypted and how it is backed up. Additionally, be sure you are aware of the location of the company you are trusting the data with.
Who accesses your data?
Once you have identified, classified and located your data, you must control access to it. The more sensitive the data, the more restrictive the access should be. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so.
Not every employee needs access to all of your information. For example, your marketing staff shouldn’t be allowed, or need, to view employee payroll data.
The first step in controlling access to your data is assigning rights to that data. Doing so simply means creating a list of the specific employees, partners or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked.
How do you keep your data secure?
Once you have established the type of data your company holds, where it is located and who can access it, you should then be planning how to keep the data secure.
Protecting data, like any other security challenge, is about creating layers of protection. Data Economy have written an in-depth blog on how to do this, but we’ll cover the subject in simpler terms first.
The idea of layered security is simple. You should not and cannot rely on one single security mechanism to protect your data. Simply using a password to protect sensitive data is not enough. If hackers crack your password, the security mechanism fails and you have nothing left to protect you.
There are many affordable backup options for your business. This could be simply backing up data to an external drive in the office, or backing up your data online so everything is stored at a secure data center.
Are you planning for the future?
Expect the unexpected: a phrase coined for every individual throughout both their careers and personal lives. Like their employees, businesses must also learn to expect the unexpected and plan ahead.
Not only can the loss or theft of data hurt your business brand and client confidence, it can also expose you to the often costly violation of the Data Protection Act.
It is for this reason that it is critical to understand exactly which data or security breach regulations affect your business. How prepared are you to respond to them? At an absolute minimum, all employees should understand that they must immediately report any loss or theft of information.
Identifying your exposure will help you figure out how best to protect your data. However, implementing security measures to make sure your data is secure may not be sufficient.
CyberBee provides cyber insurance as the final line of defence in your bid to keep your data secure. For more information or to inquire about how we can help, contact us now or get in touch with your CyberBee representative.