The Meridian Blog: Tech News, Tips & More for SMB and Enterprise Environments

5 Key Principles for Data Security


Posted by Robert Bruce
Tue, Jul 21, 2015

The amount of digital information out there is mind boggling.

A study by a group of scientists at the University of Southern California estimated that there have been about 295 exabytes, or 295 billion gigabytes, of stored data worldwide since 1986.

I could type the full number out, but my zero key might jam. I don’t know about you, but my mind is boggled.

And keeping all that data secure is no easy task.

Whether you administer your own enterprise IT security or partner with a managed services provider, some basic principles of data security apply:

  1. Inventory your data
  2. Keep what you need
  3. Discard unneeded data
  4. Secure it
  5. Plan for the unexpected

Read on to learn more about each of these five principles. 

A slightly more detailed and also helpful PDF on the same principles is available for free from the Federal Trade Commission.

1. Take Stock

You can’t protect what you don’t know you have. Find out what data your system contains and who has access to it. Start with all hardware — file cabinets, computers, laptops, flash drives, disks, copiers, smart phones, tablets, etc.

Coordinate with all departments — sales, IT, human resources, accounting, service, outside contractors, etc. — in order to get a big picture of just how much sensitive data and personal information your enterprise handles. This will help track the source of your data and who has access to it. Identify sensitive data that you may be required to provide reasonable security for under federal laws such as the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act.

A great and efficient way to accomplish this is through an assessment from a professional third party, like Meridian, which can walk you through the assessment process.

2. Keep What You Need

Don’t retain data unless you have a legitimate business need for it, and then keep it only as long as necessary. Sensitive identifying information such as Social Security numbers should be used only where required, such as for tax reporting. Keep data such as credit card numbers in your system only as long as they are needed. If it’s not in the system, it can’t be hacked.

If info must be kept long term for business or legal reasons, develop a written retention policy that identifies what must be kept, how to secure it, for how long, and how to eventually securely dispose of it.

3. Lock It

Recognize these four elements of an effective data security plan:

  1. Physical
  2. Electronic
  3. Employee training
  4. Contractors and service providers

Physical security breaches can be as simple as unlocked file cabinets or doors. Require employees to put files away, log off their computers and lock doors. Implement access controls on a need-to-know basis. Encrypt sensitive information that must be handled or shipped through outside carriers or contractors.

Electronic security begins with identifying which servers or computers store sensitive data. Next, chart all connections to those devices, such as the Internet, printers, scanners, smart phones, cash registers, etc., and assess their vulnerability. Web applications may be particularly vulnerable to hack attacks. Regularly run up-to-date anti-virus and anti-spyware programs.

Require employees to use strong passwords. Caution employees against transmitting personally sensitive data, such as Social Security numbers, passwords and account information, via email. Keep employees informed about company policies on data security. Create a “culture of security.”

Include contractors and service providers in the security paradigm and insist that they notify you of any security incidents.

4. Dispose of What You No Longer Need

Paper trash should be shredded, burned or pulverized. Shredders should be located in the office near copiers and printers to allow for easy, convenient access and encourage use.

Old computers and storage devices should be securely erased using wipe utility programs. Other devices with hard drives or other storage capability, including multi-functional printers and copiers, should have that storage wiped, or removed and returned to you for safekeeping, before the device is disposed of, returned to a leasing company, reallocated for different use(s), or sold. Employees who telecommute should follow the same procedures.

5. Plan for the Unexpected

Have a security breach response plan in place. Designate a senior staff member to lead and implement it.

If a device is compromised, immediately disconnect it from your network and take steps to close off other vulnerabilities. Have a list of whom to notify both inside and outside the enterprise.

Keeping your organization's data secure can be difficult, but following these five key principles will help. Another important way to keep your data secure is to have an effective BYOD policy in place. Meridian's workbook on creating a BYOD policy explains how to create and implement one to ensure your organization's data is secure.
