As an employer, you need to collect information from your clients, applicants, and employees. That information can include names, credit card or other account data, Social Security numbers (SSNs), dates of birth, medical records, and other crucial details provided during employment or business transactions. Once you gather sensitive data, you are responsible for protecting it.

Most businesses keep sensitive personal information that identifies customers or employees in their files. This information is frequently required to fill orders, meet payroll, or perform other essential business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, and other harm. Protecting personal information is good business because of the cost of a security breach: losing your customers’ trust and possibly facing a lawsuit.

Every organization needs to be proactive about its applicant and employee data security. Some companies have the in-house expertise to implement an appropriate plan; others may find it advantageous to hire a contractor. Regardless of the size or nature of your business, the six fundamental principles outlined here will go a long way toward keeping your applicants’, employees’, and clients’ data secure. These five tips can get you started.

TAKE INVENTORY

Understand what personal information is in your files and on your computers. To do this, inventory all computers, laptops, flash drives, disks, home computers, digital copiers, and other equipment. No inventory is complete until you have checked every location where sensitive data may be stored.

All employee data is important, but not all of it requires the same level of security. Segregate your employee data and classify it as public, private, or restricted. Create a policy stating that unauthorized transmission, copying, use, or viewing of sensitive employee data can lead to disciplinary action.
Get a clear picture of who sends sensitive personal information to your business: track personal details through your sales department, IT staff, human resources office, and accounting personnel. Pay particular attention to how you store Social Security numbers, credit card numbers, and other financial information; thieves most often use those to commit fraud or identity theft.

SIZING DOWN

Keep only what you need for your business. Retain sensitive, personally identifying information only if you have a legitimate business need for it.
- Don’t collect it if you don’t need it. If you do have a legitimate business need for the information, keep it only for as long as that need lasts.
- Use Social Security numbers only when necessary and for legal purposes such as reporting employee taxes.
- If your company develops a mobile app, make sure the app accesses only the data and functionality it needs. Do not collect and retain personal information unless it is integral to your product or service. Remember: if you collect and keep data, you have to protect it.
- Do not keep customer credit card data unless the business needs it. Do not retain the account number and expiration date unless you have a good business reason. Keeping this information, or keeping it longer than necessary, raises the risk that it could be used to commit fraud or identity theft.
- Scale down access to data. Follow the “principle of least privilege.” That means each employee should have access only to those resources needed to do their particular job.
- Physical security: Many data compromises happen the old-fashioned way, through lost or stolen paper documents. Often, the best defence is a locked door or an alert employee. Require employees to put files away, log off computers, and lock their file cabinets and office doors at the end of the day.
- Electronic security: Don’t store sensitive consumer data on any computer with an internet connection. Run up-to-date anti-malware software on individual computers and on the servers in your network. Restrict employees’ ability to download unauthorized software. Web applications may be particularly vulnerable to a variety of attacks.
- Employee training: A well-trained workforce is the best defence against identity theft and data breaches. Periodic training emphasizes the importance you place on meaningful data security practices. Educate your workforce on general file security practices and social engineering attacks. Train them to be mindful of security when they are on the road, and require them to notify you immediately of a potential security breach, such as a lost or stolen laptop.
- Contractor and service provider security practices: Write your security expectations into contracts with contractors and service providers. Insist that they notify you of any security incidents, even ones that turned out not to threaten your data. Compare your company’s data security practices to those of the companies you outsource to.
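The classification scheme from the inventory section (public, private, restricted), the least-privilege bullet, and the credit card retention bullet above, worked through as an added Python example that is not part of the original article. The roles, field classifications, grant table, and sample records are all constructed for illustration; a real deployment would take them from the organization's own HR system and written policy.

```python
"""Added example (not from the original article): a default-deny policy
check over classified employee records, plus a retention helper that keeps
only what the business needs from card data. Roles, field classifications,
grants and sample records are constructed for illustration."""
from typing import Dict, List, Set

# Classification levels from the inventory step.
PUBLIC, PRIVATE, RESTRICTED = "public", "private", "restricted"

# Classification of each field in an employee record (assumed mapping).
FIELD_CLASS: Dict[str, str] = {
    "name": PUBLIC,
    "job_title": PUBLIC,
    "home_address": PRIVATE,
    "date_of_birth": PRIVATE,
    "ssn": RESTRICTED,
    "medical_notes": RESTRICTED,
}

# Least privilege: each role gets only the classification levels its job needs.
# Restricted fields are never granted by level; each must be named explicitly
# and tied to a purpose (payroll needs the SSN for tax reporting, nothing else).
# Roles absent from this table get nothing (default deny).
ROLE_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "receptionist":  {"levels": {PUBLIC}, "restricted_fields": set()},
    "hr_generalist": {"levels": {PUBLIC, PRIVATE}, "restricted_fields": set()},
    "payroll":       {"levels": {PUBLIC, PRIVATE}, "restricted_fields": {"ssn"}},
}

# Denied accesses are recorded so that unexpected probing shows up in review.
audit_log: List[str] = []


def can_read(role: str, field_name: str) -> bool:
    """True only when the role is explicitly granted this field."""
    grants = ROLE_GRANTS.get(role)
    if grants is None:
        return False
    # A field missing from the inventory is treated as restricted, never public.
    level = FIELD_CLASS.get(field_name, RESTRICTED)
    if level == RESTRICTED:
        return field_name in grants["restricted_fields"]
    return level in grants["levels"]


def read_record(role: str, record: Dict[str, str]) -> Dict[str, str]:
    """Return only the fields the role may see, logging every denied field."""
    visible: Dict[str, str] = {}
    for field_name, value in record.items():
        if can_read(role, field_name):
            visible[field_name] = value
        else:
            audit_log.append(f"DENY role={role} field={field_name}")
    return visible


def minimise_card_record(card: Dict[str, str]) -> Dict[str, str]:
    """Retention rule from the article: do not keep the full account number
    or the expiration date. Keep only the last four digits and a transaction
    reference, which is enough to answer a customer query or a chargeback."""
    pan = card["account_number"].replace(" ", "")
    return {"last4": pan[-4:], "transaction_id": card["transaction_id"]}


# Constructed sample data (not real people or cards).
SAMPLE_EMPLOYEE: Dict[str, str] = {
    "name": "A. Example",
    "job_title": "Analyst",
    "home_address": "1 Example Street",
    "date_of_birth": "1990-01-01",
    "ssn": "000-00-0000",
    "medical_notes": "none",
}
SAMPLE_CARD: Dict[str, str] = {
    "account_number": "4111 1111 1111 1111",  # well-known test card number
    "expiry": "12/27",
    "transaction_id": "txn-0001",
}

if __name__ == "__main__":
    for role in ("receptionist", "hr_generalist", "payroll", "intern"):
        print(role, "->", sorted(read_record(role, SAMPLE_EMPLOYEE)))
    print("stored card record:", minimise_card_record(SAMPLE_CARD))
    print("denied accesses logged:", len(audit_log))
```

Two design choices carry the article's point: access is denied unless a role is explicitly granted a field (an unknown role or an unclassified field gets nothing), and restricted data such as the SSN is granted per field and per purpose rather than by blanket level, so a payroll clerk who legitimately needs the SSN still cannot read medical notes. The denied-access log is what turns the policy into something you can review after an incident.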