10 Tips for Preventing a Data Security Breach
Target's recent data breach affected some 40 million shoppers, highlighting the growing risk for businesses in a digital world. Computer failures, human error, employee wrongdoing and theft all can cause data breaches that compromise customer and company data. It is imperative that businesses adopt or update their data security measures and corresponding data breach response plans. Failure to do so can lead to lost customers and revenue, significant fines and costly litigation.
While a security policy must be tailored to an individual business, the following tips can help secure information and mitigate the impact of data breaches.
- Conduct a security audit.
Determine what information is in your possession, who has access to it and how it moves through your organization. Inventory your entire IT infrastructure — computers, network system, mobile devices, etc. — to determine where information is stored and which employees and vendors have access to it. Finally, understand how that information is received — by mail, email or website — and handled within the company.
- Minimize information.
Collect and keep only information required for legitimate business purposes, and only for as long as necessary. Develop a written records retention policy to identify what information must be kept and how to secure, keep and properly dispose of it.
- Educate employees about their role in information security.
Inform employees of potential threats to information and the legal requirements for securing it.
- Assign a coordinator.
Assign an employee to serve as an information security coordinator to oversee and coordinate the organization's security efforts.
- Implement clear security policies.
Clear policies will help guide employees on the proper use of information and create a more secure environment. Guidelines should include the following measures:
- Allow access to sensitive employee or customer data only to those employees whose positions require access to the data; prohibit other employees from unauthorized access, use or disclosure of the data. Store hard copy records in secured, locked locations and limit access to authorized personnel.
- Require employees to put away files, log off computers and lock file cabinets and offices when leaving the office.
- Require employees to store laptops and other mobile devices in a secure place.
- Direct employees to give NO security information over the phone.
- Implement appropriate access controls for your building, and advise employees what to do and whom to contact if an unfamiliar person appears on the premises.
- Require the use of multiple, unique passwords on computers and any personal devices used for work purposes.
- Implement an effective system for retrieving information from departing employees and vendors/contractors at the end of their relationship with the company.
- Require that employees and vendors/contractors promptly report any potential data security breach to the company.
- Impose disciplinary measures for security policy violations.
- Employ policies outlining the proper disposal methods for data.
- Encrypt collected data.
Encryption enhances security by making it more difficult for unauthorized parties to read lost or stolen data.
- Use multiple technologies to secure information and detect breaches.
Thwart sophisticated hackers with multiple layers of security technology. Ensure all company devices — desktop computers, mobile devices, file servers, mail servers, digital copiers, etc. — are protected by firewalls and up-to-date anti-virus and anti-spyware programs. Create a system for detecting breaches. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.
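A "central log of security-related information" only alerts you to anything if something reads it. The Go program below is an added example (not from the original article or from WeComply) of the simplest useful detection over such a log: authentication records forwarded from several hosts are parsed, ordered by time, and any source address that fails a login at least `threshold` times inside a sliding `window` is flagged, together with whether that same source later logged in successfully, which is the case a responder most wants to see first. The log line format, the hostnames and the sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record from the central log.
type Event struct {
	When   time.Time
	Host   string
	OK     bool   // true for an accepted login, false for a failure
	User   string
	Source string // remote address the attempt came from
}

// Alert summarises a source that crossed the failure threshold.
type Alert struct {
	Source         string
	Failures       int      // total failed attempts seen from this source
	Hosts          []string // distinct hosts it tried, sorted
	SucceededAfter bool     // a login from this source succeeded after the threshold was crossed
}

// Assumed line format for this example:
// "<RFC3339 time> <host> sshd: Failed|Accepted password for <user> from <addr>"
var lineRe = regexp.MustCompile(`^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$`)

// parseLine extracts an Event; the bool is false for lines that do not match.
func parseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Event{}, false
	}
	when, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{When: when, Host: m[2], OK: m[3] == "Accepted", User: m[4], Source: m[5]}, true
}

// detectBruteForce flags any source with at least threshold failures inside a
// sliding window and notes whether that source later logged in successfully.
func detectBruteForce(lines []string, threshold int, window time.Duration) []Alert {
	var events []Event
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			events = append(events, ev)
		}
	}
	// Records from several hosts arrive interleaved; order them by time first.
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })

	type state struct {
		recent   []time.Time // failure times still inside the window
		failures int
		hosts    map[string]bool
		alerted  bool
		success  bool
	}
	states := map[string]*state{}
	for _, ev := range events {
		st := states[ev.Source]
		if st == nil {
			st = &state{hosts: map[string]bool{}}
			states[ev.Source] = st
		}
		if ev.OK {
			st.success = st.success || st.alerted
			continue
		}
		st.failures++
		st.hosts[ev.Host] = true
		st.recent = append(st.recent, ev.When)
		for len(st.recent) > 0 && ev.When.Sub(st.recent[0]) > window {
			st.recent = st.recent[1:] // age out failures older than the window
		}
		if len(st.recent) >= threshold {
			st.alerted = true
		}
	}

	var alerts []Alert
	for src, st := range states {
		if !st.alerted {
			continue
		}
		var hosts []string
		for h := range st.hosts {
			hosts = append(hosts, h)
		}
		sort.Strings(hosts)
		alerts = append(alerts, Alert{Source: src, Failures: st.failures, Hosts: hosts, SucceededAfter: st.success})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

// Constructed sample lines (not real log data): web01 and web02 forward to one collector.
var sampleLog = []string{
	"2024-03-01T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.5",
	"2024-03-01T09:00:12Z web02 sshd: Failed password for admin from 203.0.113.5",
	"2024-03-01T09:00:30Z web01 sshd: Failed password for root from 203.0.113.5",
	"2024-03-01T09:00:35Z web01 sshd: Failed password for jane from 198.51.100.7",
	"2024-03-01T09:00:51Z web02 sshd: Failed password for root from 203.0.113.5",
	"2024-03-01T09:01:10Z web01 sshd: Accepted password for jane from 198.51.100.7",
	"2024-03-01T09:01:22Z web01 sshd: Failed password for backup from 203.0.113.5",
	"2024-03-01T09:01:40Z web02 sshd: Failed password for backup from 203.0.113.5",
	"2024-03-01T09:02:05Z web02 sshd: Accepted password for backup from 203.0.113.5",
	"2024-03-01T09:02:05Z web02 kernel: unrelated line that does not parse",
}

func main() {
	for _, a := range detectBruteForce(sampleLog, 5, 5*time.Minute) {
		fmt.Printf("ALERT source=%s failures=%d hosts=%v succeeded_after=%v\n",
			a.Source, a.Failures, a.Hosts, a.SucceededAfter)
	}
}
```

Two things only the central log makes possible here: the failures against web01 and web02 are counted together, which a per-host view would split below the threshold, and the later successful login from the same source is tied back to the earlier failures. The single user who mistyped a password once (198.51.100.7) is not flagged.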
- Back up your information.
Ensure data is properly backed up so it can be recovered if needed.
- Test your security system regularly.
Conduct periodic tests and audits of security measures — especially connections commonly used as gateways for attacks — and make appropriate adjustments. Depending on the circumstances, proper measures may range from a simple security scan to an independent professional security audit.
- Adopt a data breach response plan.
Appoint a senior staff member to coordinate and implement the response plan. Data breaches should be immediately investigated and existing vulnerabilities blocked to prevent further threats to information. Determine whom to notify in the event of a breach, such as consumers, law enforcement, customers, credit bureaus and other businesses that may be affected by the breach. Consult any applicable state and/or federal laws or guidelines addressing data breaches.
Data security is a complex and increasingly important task for all types of businesses. While the first step is to craft a data security policy, it will only be effective if employees are trained on how to implement and follow it. WeComply's online training courses on US Data Privacy and Security, Information Security and HIPAA Privacy and Security are designed to help companies ensure that employees appreciate the importance of their role in data security.