Written by Allan Tarleton of The Van Winkle Law Firm (July 2017)
Eight steps to protect your company, its employees, and clients.
Do you have a plan in place if your business experiences a data breach? Unfortunately, for most companies, it is not a question of if you will get hacked, but when. Technology is changing every day, which is why it is important to be vigilant about your organization’s data security.
Despite the best efforts of businesses and nonprofits, data breaches are inevitable. The key is to have a clear, written data security policy that minimizes the chances of getting hacked and communicates what your business will do if data is compromised.
Potential liability and damage to your company’s business reputation arising from data management and security risks are governed by a thicket of regulations and industry practices that businesses must understand and navigate to remain competitive. We recommend the following steps to ensure your business is doing all it can to protect the sensitive information of customers and employees.
Step 1: Determine your data inventory.
The first thing you will need to do is take an inventory of the data you have on hand, including digital and hard copy files. This includes employee information and customer or client data.
Make note of any highly sensitive information in these files, such as medical records, financial information, and/or social security numbers.
Step 2: Assess how you are storing this information.
Now that you have a good idea of what type of information you are storing, look at how you are storing it. Is it filed away in folders on a bookshelf? Perhaps saved in a web-based network your employees can access through their smartphones or home computers? Or maybe it is stored in a software system that is only accessible in the office on a desktop computer.
Step 3: Consider how you are protecting highly sensitive information.
Ask yourself the following questions:
* How are you storing and destroying sensitive client or employee information?
* Do you have a security policy in place, and are you following it?
* Are you doing all you can do to protect your customers’, clients’, and employees’ sensitive information?
Step 4: Write or update your data security policy.
We always recommend having a clear, up-to-date data security policy. If you do not have one, now is a good time to meet with your attorney to make sure your policy addresses all of the current privacy regulations and standards.
Step 5: Train your employees on the policy.
Not only should you be well-versed in your data security policy, but your employees should also receive training and regular updates on the company’s policy. Consider putting a system in place that allows you to communicate the policy to your team on a regular and recurring basis and to discuss ways to improve your security practices.
Step 6: Evaluate your company’s physical security.
When we think of data breaches, we often think of online hackers. But it is not just your digital information that’s at risk. You should also consider how you are protecting your paper files, laptops, employee or company smartphones, thumb drives or removable storage devices, and even computer screens that can be seen through a window or by the public if the desk is in an open space.
Think about who has access to your office. Do they need a key or badge for entry? Do you have a system for obtaining keys or changing passwords if an employee leaves the company?
Consider if you need to have a security officer or team in place at your business. You do.
Step 7: Assess what information is available to employees remotely.
As the workplace becomes more fluid, you may find yourself with employees working remotely or through mobile devices while they are traveling. Mobile information is available to employees—and anyone who has access to their digital devices—at all times.
If a team member’s laptop or smartphone is stolen, what steps are in place to make sure sensitive or private information is secure?
In most cases it is not practical to prevent employees from working remotely or using digital devices. But it is important to look at all of the vulnerabilities that exist so you can take steps to eliminate or minimize your risk of a data breach.
One prevalent and often overlooked vulnerability is exploited through the increasing availability of public Wi-Fi. These “Man-in-the-Middle Attacks” arise when an attacker sets up a rogue network with a name similar to the one you are looking for: Starbucks-wifi, AirPort-wifi, HamptonInn-Public, for example. Your internet traffic then passes through the attacker’s computer and you never know it. Recommended risk reduction: connect your laptop to a Verizon Hotspot or tether it to your own mobile phone. (On an iPhone this is called “Personal Hotspot” and is found in Settings.)
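As an added illustration (not part of the original article), here is a small defensive check that flags scanned network names which imitate a network an employee expects to see, such as the look-alike names above. The trusted list and the scan results are constructed for the example; on a real laptop the scan would come from the operating system’s Wi-Fi tools.

```python
import re

TRUSTED_SSIDS = {"HamptonInn-Guest", "Starbucks WiFi", "Corp-Office"}  # assumed allowlist

# Constructed scan result as (ssid, security); "open" means no encryption.
SCAN = [
    ("HamptonInn-Guest", "wpa2"),
    ("HamptonInn-Public", "open"),
    ("Starbucks-wifi", "open"),
    ("Corp-0ffice", "open"),
    ("xfinitywifi", "open"),
]

def normalize(ssid):
    """Lower-case, drop separators, map digit look-alikes 0->o and 1->l."""
    s = re.sub(r"[\s\-_]+", "", ssid.lower())
    return s.translate(str.maketrans("01", "ol"))

def brand(ssid):
    """First token of the name, e.g. 'hamptoninn' from 'HamptonInn-Public'."""
    return re.split(r"[\s\-_]+", ssid.strip())[0].lower()

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_ssids(scan, trusted=TRUSTED_SSIDS, max_dist=2):
    """Return (ssid, trusted_name, reason) for each untrusted SSID that imitates
    a trusted one: same brand token, or within max_dist edits after normalization."""
    findings = []
    for ssid, security in scan:
        if ssid in trusted:
            continue
        for t in sorted(trusted):
            if brand(ssid) == brand(t):
                why = "shares brand name"
            elif edit_distance(normalize(ssid), normalize(t)) <= max_dist:
                why = "near-identical name"
            else:
                continue
            findings.append((ssid, t, why + (", unencrypted" if security == "open" else "")))
            break
    return findings
```

A flagged name is a prompt to fall back to the tethered hotspot the article recommends rather than proof of an attack, since legitimate venues also run several similarly named networks.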
Step 8: Grade yourself or—better—have someone else conduct a security audit.
Learn where you need to improve in the following areas: penetration testing, firewalls, email security, backup and disaster recovery, laptop encryption, portable data storage, metadata, password policy, workstation security, and physical building security.
Worth The Effort
Dedicating some time and resources to data security planning is well worth the effort. You want your company to have a culture of security and safety. Ask yourself: Are you doing all you can to protect your customers, stakeholders, and employees? It is their information and trust and your company’s reputation that are at stake.
Allan Tarleton is a senior partner and attorney at The Van Winkle Law Firm in Asheville and certified by the International Association of Privacy Professionals (IAPP).