A business having personal information of customers on file is a double-edged sword. Information such as name, address, Social Security number and credit card details, which identifies customers, contractors, suppliers and also employees, is essential to the business for routine tasks such as payroll, order taking, invoicing and inventory. As long as this information is secure, it provides all the data necessary for smooth business operations.
However, businesses should continuously ask themselves what happens if sensitive information is compromised. The consequences are disastrous. Unfortunately, many businesses do not pay enough attention to data security. Even large multi-billion dollar corporations are susceptible, with Target Corp being a prime example of massive data theft. Not only did it cost Target goodwill, it also saw a precipitous drop in business as wary shoppers went elsewhere. Putting safeguards in place adds to the cost of doing business, but it is a worthwhile and essential expense.
While big businesses may have the staff and resources to pay attention to data and information security, smaller businesses may not. In such cases, security may have to be outsourced. This is not a “nice to have” function but an essential one.
Data protection – Crucial and Vital Steps
- The first step to protecting data is to understand what data is in the business’ possession. Sources of data are many and the types of data collected are varied, so what looks simple on paper may be more complex than imagined. A careful study should be done to find out what data is sensitive and has to be protected, by evaluating the data stored in the business’ files and databases. Assessing what information is held in business systems, and who has access to it, is the starting point of data security. Remember, data can be either physical (paper) or electronic.
- Make an inventory of all devices on which data is stored, both as soft or hard copies. Even personal devices such as smart phones, laptops, home based systems etc. should be taken into account.
- Get a complete picture of the data held by eliciting information from the entire organizational structure: sales department, IT staff, human resources, accounts, vendors, suppliers, contractors etc.
- Some types of data are more sensitive than others. Information such as Social Security numbers and credit card details is what thieves are after, and extra precautions should be taken to prevent loss of this data.
- Get rid of all data which is not essential to the business. Delete all data that is time expired or irrelevant. When only relevant data is stored, it becomes that much easier to protect.
- Sensitive information such as Social Security numbers should only be used for purposes mandated by law and not as employee/customer identification numbers.
- By law, all businesses have to give truncated credit/debit card receipts: no more than five digits of the card number may be shown, and the card’s expiration date should not be printed on the receipt.
- Delete all customer credit card information if it is not needed for business purposes. This should be done in a secure manner. For example, credit card slips should be shredded using either a professional service or a cross cut shredder. Shreds should be disposed of properly.
- Change the default settings on software to ensure that unnecessary information is not stored permanently.
- Develop a Standard Operating Procedure (SOP) to ensure that any data stored for business purposes or to comply with legal requirements is stored safely and can be accessed only by authorized personnel. Employees should be trained on these procedures.
- The information that is kept on file should be protected by using robust security measures. Only authorized personnel should have access to such information. Storage should be locked and there should be a system in place that tracks who has access and who has accessed files.
- Keep all hard copies containing personal data in a locked room, filing cabinet or safe. Access should be rigorously controlled and monitored.
- All files should be kept under lock and key and only those that are in use by authorized personnel should be taken out. Even so, they should always be under the control of authorized people.
- All employees should be trained to securely store such data and not leave it lying on their desks at the end of the day.
- Ensure there is access control to the building, especially to sensitive areas. Any unfamiliar person should be reported to security.
- If an offsite storage facility is used, limit those who have access to such data to the minimum. SOP should be in place on who is authorized and who has accessed the data.
- If sensitive data is shipped using an outside carrier, it must be encrypted (or locked) before dispatch and an inventory of the data sent must be maintained. Use a delivery service which allows tracking of the shipment.
By planning ahead and anticipating the security needs of the organization as it grows, it is possible to have a fool-proof security plan for protecting data.
Electronic Data Storage – Security
Oftentimes, all security of networks and data is left to the IT staff. While they do have the expertise, it is good practice for management to hold regular reviews with IT staff: question the processes and procedures in place, solicit ideas, and ensure the necessary tools and resources are available. Jury-rigging to save money gives proportional results: a vulnerable system. It is also a good idea to have an outside expert do a complete audit of the systems in place. Outside experts bring expertise not available internally, plus the added benefit of being able to question sacred cows in an organization.
Factors to be Considered for General Network Security
Network security poses a constant challenge to IT staff and management alike. Since networks are dynamic, change is an ever-present constant. Careful attention paid here has a positive multiplier effect on the business.
- Identify all computers and servers in the system which store customer data.
- All access paths to such systems should be identified. These may include electronic cash registers, the Internet, data submitted to branch offices, computers used by other service providers, and handheld devices like smart phones and tablets.
- The vulnerability of each connection should be assessed and proper security checks put in place.
- Avoid storing sensitive consumer data on any system with an Internet connection, unless it is essential for business needs.
- Any information being sent to third parties should always be encrypted. This procedure should ideally be followed even when sending sensitive data within the organization.
- Ensure that individual computers and servers are regularly scanned by using anti-virus and anti-spyware programs. Such programs should be up to date at all times.
- Restrict employees from downloading unauthorized software using any of the organization’s computers or servers. Policies forbidding such practices should be clearly communicated to each employee. Training is also advised.
- Unneeded software or services should be disabled or deleted.
- When credit card information is transmitted or received, a Secure Sockets Layer (SSL) connection, its successor TLS, or another such secure connection should be used. Open lines can cause a breach of security.
- Use firewalls, anti-spyware and anti-virus programs etc. to ensure security.
- If wireless and remote access is used, restrict such access to the computer network to essential personnel.
- Ensure data is encrypted before it is transmitted by a wireless device.
Management of passwords
Password management is a major issue in most organizations; even large organizations grapple with it. Constant vigilance is required.
- Ensure access to sensitive data is possible only with a ‘strong’ password. Experts in the field of security opine that the longer the password, the more secure it is. Employees should be warned not to use passwords such as children’s names or other easy-to-guess ones. Longer, stronger passwords are preferable, but they should never be written down.
- The business should have a strong policy against employees sharing passwords or writing them down in an accessible place. This has to be constantly enforced.
- When a computer is inactive for a period of time, a password-protected screensaver should activate.
- All employees should be warned against disclosing passwords over the phone. An employee should disclose a password to IT staff only on a written request, and it is safer if the written request is signed by at least two authorized people. Data thieves posing as IT staff are known to obtain passwords over the phone from unsuspecting employees.
- When new software is installed, immediately change all default passwords.
- It should be the company policy to never transmit sensitive identifying data without encryption.
Laptop security against physical loss and data theft
Lost, misplaced or stolen laptops, tablets and smart phones are a constant source of worry for IT staff. Unfortunately, many employees store sensitive information, including passwords, on them. Once a thief steals such a device, they have immediate access to networks. Unfortunately, thefts are not always reported immediately, giving thieves ample time.
- Restrict the use of laptops to a ‘need to’ basis.
- Unless absolutely necessary, do not permit sensitive information to be stored on a laptop.
- Laptops should be stored in a secure place.
- It is safer if laptops can only be used to access sensitive information but not to store it. This can be done by keeping the information on the central server, with laptops functioning as terminals to access it.
- If a laptop contains sensitive data, ensure the data is encrypted. Prevent any software from being downloaded or the security settings from being changed. Install an ‘auto-destruct’ function, so that in the event of a laptop being stolen, the data will self-destruct and not be available to a thief.
A checklist for achieving data security
There are laws such as the Federal Trade Commission Act, the Fair Credit Reporting Act etc. that set out reasonable data security requirements. This checklist will help you assess your current scenario and what steps need to be taken to ensure data security.
- What are the sources of personal information that you receive? Customers, banks or financial institutions, credit card companies, employees, job applicants, suppliers, contractors etc. Make an exhaustive list.
- How does your business receive data?
- Does it come to your site? Is it via a website, e-mail, cash registers in stores, mail etc.? Every avenue from which you receive personal data should be identified.
- What type of information is collected at first point of contact?
- List data such as credit card information, bank details, cash transactions etc.
- Where do you store information collected from first point of contact?
- Central computer database, laptops, employees’ smart phones, tablets or other mobile devices, disks/tapes, filing cabinets, branch offices, employee homes etc. This list should be thorough, and the reason for storing data at each site should be determined.
- Who has access (including possible unauthorized access) to such information?
- List in detail everybody in your organization who has access to this information. The access may be authorized or unauthorized, but it should be listed. The list should also contain those who do not work for your organization but are associated with it directly or indirectly, such as contractors, vendors, suppliers etc.
- Is there a procedure to disable access to all company databases and networks when an employee leaves? Smaller organizations that have few HR staff are particularly vulnerable to this problem. No one deactivates the accounts, and this state may continue for weeks or months before action is taken. A checklist for this purpose should be developed and responsibilities assigned.
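The last checklist item, orphaned accounts of departed staff, is the one most easily checked by machine. The following is an added example (not part of the original article): it reconciles a constructed HR roster against a constructed account-directory export and reports enabled accounts whose owner has left, or that have no owner on the roster at all. The data, field names and the `find_stale_accounts` function are all assumptions made for this illustration.

```python
from datetime import date

# Constructed sample data for the illustration (not taken from the article).
# HR_ROSTER is what HR knows; DIRECTORY_ACCOUNTS is what the login system knows.
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Smith", "status": "active",     "end_date": None},
    {"employee_id": "E101", "name": "B. Jones", "status": "terminated", "end_date": date(2024, 1, 15)},
    {"employee_id": "E102", "name": "C. Lee",   "status": "terminated", "end_date": date(2024, 3, 1)},
]

DIRECTORY_ACCOUNTS = [
    {"username": "asmith",     "employee_id": "E100", "enabled": True},
    {"username": "bjones",     "employee_id": "E101", "enabled": True},   # left in January, still enabled
    {"username": "clee",       "employee_id": "E102", "enabled": False},  # correctly disabled
    {"username": "svc_backup", "employee_id": None,   "enabled": True},   # nobody on the roster owns it
]


def find_stale_accounts(roster, accounts, today):
    """Return the enabled accounts that the offboarding checklist should have caught.

    An account is reported when it is enabled and either its owner is marked
    terminated on the HR roster, or it has no owner on the roster at all
    (shared/service accounts with no accountable person).
    Each finding carries the number of days the account has outlived its owner.
    """
    owners = {e["employee_id"]: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to report
        owner = owners.get(acct["employee_id"])
        if owner is None:
            findings.append({"username": acct["username"],
                             "reason": "no owner on HR roster", "days_open": None})
        elif owner["status"] == "terminated":
            days_open = (today - owner["end_date"]).days
            findings.append({"username": acct["username"],
                             "reason": "owner terminated", "days_open": days_open})
    return findings


if __name__ == "__main__":
    # Run the check as of a fixed (constructed) date so the output is reproducible.
    for f in find_stale_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2024, 3, 31)):
        print(f"{f['username']:<12} {f['reason']:<24} days open: {f['days_open']}")
```

In practice the two inputs would be exported from the HR system and the directory (for example as CSV) on a schedule, and any finding becomes a ticket for the person assigned on the offboarding checklist.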
Detecting a Security Breach
Detecting a security breach is not an easy task. While prevention is better, this scenario should also be contemplated, and measures should be in place to counter it.
- Install an intrusion detection system so that a security breach is known in real time.
- A central log of security-related information should be maintained to monitor activity on the company’s networks. Using such a log, it will be possible to determine which computers have been affected by a security breach.
- Carefully monitor incoming traffic for signs of possible hackers. Multiple attempted logins, unknown users and computers etc. should raise a ‘red flag’ and be investigated immediately. At the very least, repeated failed login attempts should lock out a device. Restoring access should follow a standard procedure.
- Similarly monitor outgoing traffic. If large amounts of sensitive data are being transmitted, immediately check to ensure that such transmission is authorized.
- Develop a Standard Operating Procedure for response to a data breach. All employees should be suitably trained for handling data breaches.
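The central log and the ‘red flag’ rules above can be turned into a small detection routine. This is an added example, not code from the article: it reads constructed authentication log lines in a hypothetical format, raises a lockout alert when one source address produces a burst of failed logins inside a short window, and raises a separate alert when a successful login comes from a machine that is not on the company’s list of known hosts. The log format, `KNOWN_HOSTS` and `find_alerts` are all assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article) in a hypothetical format:
# ISO timestamp, event, user, source address.
SAMPLE_LOG = """\
2024-03-31T08:00:01 LOGIN_OK user=asmith src=10.0.0.5
2024-03-31T08:00:10 LOGIN_FAILED user=bjones src=203.0.113.9
2024-03-31T08:00:12 LOGIN_FAILED user=bjones src=203.0.113.9
2024-03-31T08:00:15 LOGIN_FAILED user=bjones src=203.0.113.9
2024-03-31T08:00:17 LOGIN_FAILED user=bjones src=203.0.113.9
2024-03-31T08:00:20 LOGIN_FAILED user=bjones src=203.0.113.9
2024-03-31T08:05:00 LOGIN_OK user=clee src=198.51.100.7
2024-03-31T09:00:00 LOGIN_FAILED user=asmith src=10.0.0.5
2024-03-31T09:30:00 LOGIN_FAILED user=asmith src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAILED) user=(\S+) src=(\S+)$")
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}   # constructed allow-list of company machines


def parse(log_text):
    """Yield (timestamp, event, user, src) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, src = m.groups()
            yield datetime.fromisoformat(ts), event, user, src


def find_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (kind, key, timestamp) alerts, in log order.

    'lockout'      : `threshold` failed logins from one source within `window`
                     (reported once per source; the device should be locked out)
    'unknown_host' : a successful login from a source not in KNOWN_HOSTS
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    locked = set()
    alerts = []
    for ts, event, user, src in parse(log_text):
        if event == "LOGIN_OK":
            if src not in KNOWN_HOSTS:
                alerts.append(("unknown_host", src, ts))
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in locked:
            locked.add(src)
            alerts.append(("lockout", src, ts))
    return alerts


if __name__ == "__main__":
    for kind, key, ts in find_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<13} {key}")
```

The two isolated failures from 10.0.0.5 are half an hour apart and never reach the threshold, which is what keeps the rule from flagging ordinary typos; only the five-in-ten-seconds burst and the login from the unlisted 198.51.100.7 are reported.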
Employee Recruitment and Training
A security plan can only be successful if employees are informed and adhere to processes wholeheartedly. Staff should be trained so that they can identify possible weak spots in the system. They should also be alert to possible security breaches and take action immediately. To ensure that staff are security conscious, they should be given training at regular intervals. For a business to have a well-trained and motivated workforce, proper procedures and policies should be in place from the moment an employee is hired.
- Do background checks before hiring an employee who will have access to sensitive data. Theft from within is oftentimes more pernicious than theft from outside, because insiders have intimate knowledge of the organization.
- All employees should sign the company’s confidentiality and security policy.
- For handling personal and other sensitive data, give access to employees only on a ‘need to know’ basis.
- When an employee leaves the company or is transferred to another section, they should no longer be allowed access to sensitive information. Ensure that their passwords are revoked, keys to storage cabinets etc. are returned, and all identification and access control cards are handed in. Make this part of the check-out procedure.
- Make all employees security conscious through regular training. When new risks are found, ensure all employees are updated. Training should not be limited to the central office but should involve employees from all branch offices as well.
- Employees should be trained to detect security breaches immediately. There should be a Standard Operating Procedure as to how such suspicions are reported and what action is to be taken.
- All employees should be aware of the company’s policies regarding confidentiality and security of sensitive information.
- Employees should be aware of the dangers of phishing. There should be a system whereby any e-mail requesting sensitive information is cross-checked before the information is released.
- Disciplinary action should be initiated against any employee who violates security protocols.
Security Policies – Contractors, Vendors, Suppliers and non-employees
Protecting data security when dealing with non-employees is paramount. All it takes is a single outsider gaining access to sensitive information to create major havoc for any organization. Edward Snowden set a dubious standard and in many ways has sensitized people to security. Unfortunately, lessons learned fade with time, so constant vigilance should be practiced.
- Before outsourcing any business function, check the other party’s security practices. Compare their policy with your company policy and see if it matches your standards. Visit their facilities to ensure that they follow the security policy in letter and spirit. Discuss all issues and what you expect upfront to avoid surprises.
- Before signing a contract, ensure that security issues, and how they are to be handled, are part of the contract.
- Insist that any and all security incidents they experience be brought to your attention immediately.
Secure Disposal of Redundant Data
If any data is unnecessary, it should be safely disposed of. An employee should not be under the impression that, since the data is no longer required, it can be cast aside without precautions; that would be a bonanza for an identity thief. When such data is disposed of, it should be done in such a way that it cannot be read or reconstructed.
Some of the safe disposal practices to be followed are:
- Have a written policy on how redundant data is to be disposed of.
- Paper records should be destroyed by shredding, burning etc. Paper shredders (or locked disposal units) should be provided at all strategic places in the organization.
- Ensure that all data is fully and permanently erased from old computers, portable storage devices etc. before disposal.
- Disposal procedures should apply to employees who work from home too.
- Remember, if your organization uses credit reports for business purposes, you may be subject to the provisions of the FTC’s Disposal Rule.
By having a good security plan in place, the organization can be insulated against loss of sensitive data. Time, money and training should be invested to ensure that all employees are security conscious and will respond to any security breach, or attempted security breach, in the proper manner. By protecting sensitive data, you will not only retain the goodwill of your customers, you will also protect yourself from potential lawsuits alleging negligence on your part.
The contents of this article are for information purposes only. Businesses are advised to seek professional assistance depending on circumstances. No warranties, implied or otherwise, are made.