Data Tip #5 – Secure Your Data
November 01, 2013 by Jennifer Cobb
Data security is one of the most critical and important aspects of your data strategy. Companies that neglect to take proper precautions stand to lose not only revenue, but customer trust. At Captricity, we serve the highly sensitive government and healthcare markets and have spent significant time ensuring that all our data practices protect information at every step along the way. While you may not need to go to the extremes that we do, there is a set of best practices that any company would be wise to follow.
- Classify your data. Different types of data carry different risks. Your risk assessment should begin by identifying the types of data you have and their respective levels of sensitivity. Your customers’ Personally Identifiable Information (PII) is both sensitive and important to protect. PII refers to any data that can be used to uniquely identify, contact, or locate a single person and is protected by law. Breaches can be very costly. PII includes basic information almost every business has, such as phone numbers, addresses and credit card information.
- Conduct a risk assessment. Once you have classified your information types, you need to determine how your data and information flows through your organization. When is data transferred between employees or systems? What are the potential weaknesses in this data flow? For example, are your employees sending unencrypted documents from laptops and smartphones while outside of the office? Do you rely on removable drives that carry unencrypted data? These are common points of failure in data security and need to be monitored closely.
- Map and update your security tools. Most networks are protected by layers of security including firewalls, passwords and antivirus protection. You need to ensure that all of these systems are functioning and current and that your computers cannot be hacked into, which is one of the most common ways that companies experience data breaches. Make sure to update security patches on all of your systems and train employees on the most critical tools and processes they need to keep the system secure.
- Have a policy on allowed software, services and apps. Not all software and services are built to be secure. Do a thorough evaluation of any services or apps that touch sensitive information. This includes cloud-based services. Pay particular attention to the dangers of sharing passwords among employees and enabling broad access to critical files, folders and drives. Don’t send sensitive documents using open email systems. Strongly consider using encrypted email for the most sensitive information.
- Beware of Bring Your Own Device (BYOD). In today’s world of mobile devices and tablets, employees are increasingly doing work on devices that are not protected up to the standards of your data policies. Make sure that anyone working with sensitive data does so only on approved devices and in secure contexts.
- Develop rules about internal access to sensitive data. The data that you need to protect should only be touched by employees that need access to it. While you may trust everyone in your department, you would be wise to get just a little paranoid and consider the implications of data reaching the wrong hands. Data should be accessed on a “need to know” basis and protected with role-based security.