By: Christine Cunneen
With data and security breaches more frequent than ever over recent years, 2018 is the year to focus on security protection, with more effective plans to protect ourselves, our companies, and our customers.
From a small nonprofit to a large corporation, every organization is exposed, in some way, shape, or form, to sensitive personal information that identifies either employees or customers or both. This “personal identifying information” can include names, Social Security numbers, addresses, credit card information, license information, and account data. When this data, even something as simple as a name, falls into the wrong hands, trouble will inevitably ensue. Crime, including identity theft, fraud, and embezzlement, is one repercussion. Another is the potential damage to your business. Can it withstand theft of funds or property and/or losing employee and customer trust and loyalty? No business can afford those risks, especially when they can be minimized with some simple steps.
Here are ten steps to help protect your business:
- Create a Data Security Plan. Your plan may include many of the following steps, as well as those more specific to your own business and technology infrastructure. Assess the vulnerability of any foreseeable attacks, breaches, and issues. Then, determine the steps necessary to protect yourself in each situation. Remember these should not be limited to electronic issues and measures only. Rather, they should encompass basic physical protections, even as simple as locking doors and filing cabinets.
- Take action now. With a plan in place, it is time to take action. Too many times business owners and managers are overwhelmed with the day-to-day activities of the business that “have to” get done. They tend to put implementation of policies and procedures on the backburner. However, every day you wait is another chance for a security breach. It makes sense to plan and rehearse your response on paper, while emotions are not running wild, rather than under the stress of an actual breach. From restricting employee access to running anti-spyware programs and securing electronic information in transit over the Internet, don’t leave any stone unturned – even if it’s a basic or obvious protection step.
- Conduct background checks. A well-trained and screened workforce is the best defense against identity theft and data breaches. Check references and do background checks before hiring employees and contractors who will have access to sensitive data. Investigate the background screening company of your choice to ensure that they are accredited by the National Association of Professional Background Screeners. Such accredited firms will utilize data security practices that meet the highest possible standards.
- Shred and pare down your records. Dispose of credit reports, receipts, CDs and any paperwork with sensitive data printed on it, as many data compromises happen the old-fashioned way, through lost or stolen paper documents. This is not to say that electronic storage is automatically safer, but an encrypted e-security system managed by an independent professional is recommended.
- Follow state law. Because there are no federal standards for protecting personal identifying information, you should comply with your state law. Many states require that a risk-based information security program be in place and outline the proper notification steps. NAPBS has published a guide for data breach notification laws in your state. The laws are always changing, so use this as a guide only and always check the latest laws directly with your state and/or your privacy attorney.
- Train your staff. Your information security plan is only as strong as the employees who will implement it. Most breaches actually happen by accident because employees do not have the information they need. Initial and periodic training will help focus on everyday behaviors to help keep personal information secure and confidential. Be sure to have a procedure in place for what to do when workers leave your employment, such as terminating passwords, collecting keys, and ID cards.
- Keep business and personal accounts separate. Businesses are not the only ones getting hacked. Individuals are subject to identity theft on a daily basis, especially with the increasing amount of “online living.” Keeping all emails, passwords, and accounts separate helps to ensure that if you are the victim of a breach in one area of your life, the other areas stay protected.
- Refer to the Federal Trade Commission (FTC). The FTC has published a Security Guide for Business, and it is a great place to start or revise your plan. All businesses should cross-reference this guide from time to time to make sure they are staying up-to-date and to measure their own practices against those recommended by the FTC.
- Enforce restrictive data permissions. So much comes down to employee security and knowledge. Only those employees with a need to know should have access to passwords and other secure information. The more people who have access, the more potential for problems. Enforce your policies and change passwords and other security information frequently.
- Bring in a specialist. Not every business has the means to hire an outside expert, but, if you can, it could be one of the smartest decisions you could make. Just like you are an expert in your own business, these professionals are experts in theirs. They can provide an invaluable education to you and your employees about best practices and security tips. They can also review your current policies and advise on any applicable changes.
Creating a culture of security is vital to the longevity of your business. Taking steps now to safeguard sensitive information before any breaches occur is not only smart, it demonstrates a deep, value-based sense of professionalism and integrity in your business operations, which goes a long way with employee and customer satisfaction and loyalty.