As an employer, you need to collect information from your clients, applicants, and employees: names, credit card or other account data, Social Security numbers (SSNs), dates of birth, medical records, and other critical details provided during employment or business transactions.
Once you gather sensitive data, you are responsible for protecting it. Most businesses keep sensitive personal information that identifies customers or employees in their files.
This information is frequently required to fill orders, meet payroll, or perform other essential business functions. If it falls into the wrong hands, however, it can lead to fraud, identity theft, and other harm.
Protecting personal information is good business because of the cost of a security breach—losing your customers’ trust and possibly even facing a lawsuit. Every organization needs to be proactive about its applicant and employee data security.
Some companies may have the in-house expertise to implement an appropriate plan. Others may find it advantageous to hire a contractor. Regardless of the size or nature of your business, the six fundamental principles outlined here will go a long way toward keeping your applicants’, employees’, and clients’ data secure, and they can get you started.
- Take Inventory
- Size Down
- Secure It
- Scrap It
- Restrict Access
- Plan Ahead
Understand what personal information is in your files and on your computers. To do this, you must inventory all computers, laptops, flash drives, disks, home computers, digital copiers, and other equipment. No inventory is complete until you have checked every possible location where sensitive data may be stored.
All employee data is important, but not all of it requires the same level of security. Segregate your employee data and classify it as public, private, or restricted. Create a policy stating that unauthorized transmission, copying, use, or viewing of sensitive employee data can lead to disciplinary action.
Get a clear picture of who sends sensitive personal information to your business: track personal details through your sales department, IT staff, human resources office, and accounting personnel. Pay particular attention to how you keep Social Security numbers, credit card numbers, and financial information, because those are what thieves most often use to commit fraud or identity theft.
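An inventory is only complete when every location has actually been checked for sensitive data, and checking by hand does not scale past a handful of machines. The following is an added example, not part of the original article, of a small discovery scanner in Python: it looks for SSN-shaped values that also satisfy the SSA’s validity rules (no area 000, 666 or 900–999, no group 00, no serial 0000) and for card-number-shaped values that pass the Luhn checksum, so reference numbers and build IDs are not flagged as findings. The sample “files” are constructed in the block; the `scan_tree` helper runs the same logic over a real directory. Findings are reported with only the last four digits, so the inventory report does not itself become another copy of the secret.

```python
import re
from pathlib import Path

# Validity filters, not just shapes: SSNs never have area 000, 666 or 900-999,
# group 00, or serial 0000; card numbers must pass the Luhn check.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample "files" standing in for what an inventory walk might find.
SAMPLE_FILES = {
    "hr/onboarding.txt": "Applicant J. Doe, SSN 123-45-6789, start date 2023-04-01",
    "sales/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234-5678-9012-3456",
    "it/readme.txt": "Build 000-12-3456 passed; nothing sensitive here",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the report is not a new copy of the secret."""
    digits = re.sub(r"\D", "", value)
    return "***" + digits[-4:]


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for every validated SSN or card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", redact(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Card numbers are 13-19 digits; the Luhn check weeds out invoice and order ids.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", redact(m.group(0))))
    return findings


def inventory(files: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map each location to its findings; locations with nothing sensitive are omitted."""
    report = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            report[name] = hits
    return report


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict[str, list[tuple[str, str]]]:
    """Run the same inventory over real text files under a directory."""
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            files[str(path)] = path.read_text(errors="ignore")
    return inventory(files)


if __name__ == "__main__":
    for location, hits in inventory(SAMPLE_FILES).items():
        print(location, hits)
```

The two validity checks are what make the scanner usable: a pure regex inventory of `\d{3}-\d{2}-\d{4}` or sixteen digits would bury real findings in build numbers and order ids. Treat the output as a list of places to go and look, then decide for each one whether the data is still needed (see the next principle) and how it is protected.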
Only keep what you require for your business. Keep sensitive, personally identifying information only if you have a legitimate business need for it.
- If you do not need it, do not collect it. If you do have a legitimate business need for the information, keep it only as long as that need lasts.
- Use Social Security numbers only when necessary and for legal purposes such as reporting employee taxes.
- If your company develops a mobile app, be sure that the app accesses only the data and functionality that it needs. Do not collect and retain personal information unless it’s integral to your product or service. Remember, if you collect and keep data, you have to protect it.
- Do not keep customer credit card data unless your business needs it. Do not retain the account number and expiration date unless you have a good business reason. Keeping this information—or keeping it longer than necessary—raises the risk that it could be used to commit fraud or identity theft.
- Scale down access to data. Follow the “principle of least privilege.” That means each employee should have access only to those resources needed to do their particular job.
Protect the information you keep, and regularly evaluate your electronic systems so that viruses and newly introduced technology do not open security gaps. Electronic records need encryption, password protection, and storage on a secure server. For paper records, ensure a lockable storage location and restrict access to staff with a legitimate business need.
The most compelling data security plans address four key elements: physical security, electronic security, employee training, and contractor and service provider security practices.
- Physical Security: Many data compromises happen the old-fashioned way, through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee. Require employees to put files away, log off computers, and lock their file cabinets and office doors at the end of the day.
- Electronic Security: Don’t store sensitive consumer data on any computer with an internet connection. Run up-to-date anti-malware programs on individual computers and servers on your network. Restrict employees’ ability to download unauthorized software. Web applications may be particularly vulnerable to a variety of attacks.
- Employee Training: A well-trained workforce is the best defense against identity theft and data breaches. Periodic training emphasizes the importance you place on meaningful data security practices. Educate your workforce on general file security practices and social engineering attacks. Train them to be mindful of security when they’re on the road, and require them to notify you immediately of a potential security breach, such as a lost or stolen laptop.
- Contractor and Service Provider Security Practices: Write your security expectations into contracts with contractors and service providers. Insist that they notify you of any security incidents, even those that turned out not to be actual threats to your data. Compare your company’s data security practices to those of the companies you outsource to.
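“Password protection” for electronic records is only as good as the way the passwords themselves are stored. The block below is an added example, not code from the original article: in Python’s standard library it shows the weak setting (an unsalted, fast SHA-256 digest, where every account with the same password shares the same hash) beside the corrected form (a per-user random salt and PBKDF2-HMAC-SHA256 with a high iteration count, verified with a constant-time comparison). The 600,000-iteration default is the figure OWASP recommends for PBKDF2-HMAC-SHA256 at the time of writing; the right work factor for your hardware is an assumption you should measure, and `needs_rehash` lets you raise it later without a password reset.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is the OWASP figure at the time
# of writing; the right value for your hardware is an assumption to measure
# (aim for a few hundred milliseconds per verification).
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def weak_hash(password: str) -> str:
    """The weak setting: unsalted, fast hash. Equal passwords give equal hashes,
    so one precomputed table cracks every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Corrected form: per-user random salt plus a slow, iterated KDF.
    The parameters travel with the hash so they can be raised later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; malformed records fail closed."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored hash uses a lower work factor than current policy
    (rehash on the user's next successful login)."""
    try:
        algo, iterations_used, _salt, _dk = stored.split("$")
        return algo != ALGO or int(iterations_used) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login ok:", verify_password("wrong password", record))
```

Store the whole `algo$iterations$salt$hash` string as the user’s credential. A record produced under an older, lower iteration count still verifies, and `needs_rehash` tells you to replace it with a stronger one the next time the user logs in successfully.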
Properly dispose of what you no longer need. What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers with personally identifying information in a dumpster facilitates fraud. Proper disposal ensures sensitive information cannot be read or reconstructed.
Implement reasonable and appropriate information disposal practices to prevent unauthorized access to or use of personally identifying information. Practical measures for your operation are based on the sensitivity of the data, the costs and benefits of various disposal methods, and technological changes.
Shred, burn, or pulverize paper records before discarding them. Use data erasure software, also known as wipe utility programs, when disposing of old computers and portable storage devices. They are inexpensive and give better results than simply deleting files, because they overwrite the entire drive so that the files are no longer recoverable.
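Deleting a file normally only removes its directory entry; the bytes stay on the medium until something overwrites them. The block below is an added example, not part of the original article, showing what a wipe utility does to a single file in Python: overwrite the contents in place with random data, then zeros, forcing each pass to disk with `fsync`, read the file back to confirm the zeros are what is actually stored, and only then unlink it. `demo` wipes a constructed payroll-style record in a temporary file.

```python
import os
import secrets
import tempfile
from pathlib import Path


def overwrite_and_delete(path: Path, passes: int = 3, chunk: int = 1 << 16) -> dict:
    """Overwrite a file in place (random data, zeros on the last pass), sync each
    pass to disk, confirm zeros read back, then unlink the file."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fill = b"\0" * n if p == passes - 1 else secrets.token_bytes(n)
                fh.write(fill)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the pass reached the device, not just the page cache
        fh.seek(0)
        zeroed = fh.read() == b"\0" * size
    path.unlink()
    return {
        "bytes_overwritten": size,
        "passes": passes,
        "zeroed_before_unlink": zeroed,
        "exists_after": path.exists(),
    }


def demo() -> dict:
    """Constructed payroll-style record written to a temp file, then wiped."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SSN 123-45-6789 payroll record\n" * 100)
        target = Path(tmp.name)
    return overwrite_and_delete(target)


if __name__ == "__main__":
    print(demo())
```

The caveat that matters in practice: overwriting a file in place is only reliable when the filesystem writes back to the same blocks. Journaling and copy-on-write filesystems, snapshots, backups, and SSD wear levelling can all leave the original bytes elsewhere. For hardware you are retiring, run the wipe utility against the whole device (or use the drive’s built-in secure erase), or keep the drive fully encrypted from the start and destroy the key, which is what the article’s advice to overwrite the entire drive comes down to.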
Whether your business is small or large, it needs strong computer security to protect sensitive employee data. The first step is to restrict system access by installing a firewall, which helps block unauthorized access; a proxy server lets you control and limit internet access.
A properly configured firewall makes it harder for attackers to locate your computers and reach your programs and files, and it limits who can use a wireless connection to reach your network.
Deleting files with keyboard commands isn’t sufficient; the data may remain on the hard drive. If a computer holds sensitive data, encrypt it and configure it so users can’t install software. Encrypt the information you send over your wireless network so that nearby attackers can’t eavesdrop. Install patches and updates regularly, because outdated operating systems and software make your company more vulnerable to cyber threats.
Finally, create a checkout policy to block computer access and terminate passwords when an employee leaves your company.
Create a plan for responding to security incidents. Data breaches can happen, but a prepared response reduces the impact on your business, employees, and customers.
If a computer is compromised, disconnect it from your network immediately and take steps to close existing security holes.
Think about who should be notified in the event of an incident, both inside and outside your organization. Many states and federal banking regulatory agencies have data breach laws or guidelines.
Remember, keeping data secure is an essential requirement for every business, because an unauthorized guest in your network can cause severe damage, deleting or stealing whatever data they wish. Minimize the potential for such losses by following these steps to keep your clients’, applicants’, and employees’ data secure.