The amount of digital information out there is mind boggling.
A study by a group of scientists at the University of Southern California estimated that there have been about 295 exabytes, or 295 billion gigabytes of stored data worldwide since 1986.
I could type the full number out, but my zero key might jam. I don’t know about you, but my mind is boggled.
And keeping all that data secure is no easy task.
Whether you administer your own enterprise IT security or partner with a managed services provider, some basic principles of data security apply:
- Inventory your data
- Keep what you need
- Discard unneeded data
- Secure it
- Plan for the unexpected
Read on to learn more about each of these five principles.
A slightly more detailed and also helpful PDF is available here for free from the Federal Trade Commission here.
1. Take Stock
You can’t protect what you don’t know you have. Find out what data your system contains and who has access to it. Start with all hardware — file cabinets, computers, laptops, flash drives, disks, copiers, smart phones, tablets, etc.
Coordinate with all departments — sales, IT, human resources, accounting, service, outside contractors, etc. — in order to get a big picture of just how much sensitive data and personal information your enterprise handles. This will help track the source of your data and who has access to it. Identify sensitive data that you may be required to provide reasonable security to comply with federal laws such as the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act.
A great and efficient way to accomplish this is through an assessment from a professional third-party, like Meridian.
2. Keep What You Need
Don’t retain data unless you have a legitimate business need for it, and then keep it only as long as necessary. Sensitive identifying information such as Social Security numbers should only be used as required such as for tax reporting. Keep data such as credit card numbers in your system only as long as they are needed. If it’s not in the system it can’t be hacked.
If info must be kept long term for business or legal reasons develop a written retention policy to identify what must be kept, how to secure it, for how long, and how to eventually securely dispose of it.
3. Lock It
Recognize these four elements of an effective data security plan:
- Employee training
- Contractors and service providers
Physical security breaches can be as simple as unlocked file cabinets or doors. Require employees to put files away, log off their computers and lock doors. Implement access controls on a need to know basis. Encrypt sensitive information that must be handled or shipped through outside carriers or contractors.
Electronic security begins with identifying which servers or computers store sensitive data. Next, chart all connections to those devices such as the Internet, printers, scanners, smart phones, cash registers, etc. and assess their vulnerability. Web applications may be particularly vulnerable to hack attacks. Regularly run up-to-date anti-virus and spyware programs.
Require employees to use strong passwords. Caution employees against transmitting personally sensitive data such as Social Security numbers, passwords, account information via email. Keep employees informed about company policies on data security. Create a “culture of security.”
Include contractors and service providers in the security paradigm and insist that they notify you of any security incidents.
4. Dispose of What You No Longer Need
Paper trash should be shredded, burned or pulverized. Shredders should be located in the office near copiers and printers to allow for easy, convenient access and encourage use.
Old computers and storage devices should be securely erased using wipe utility programs. Other devices with hard drives or other storage capability, including multi-functional printers and copiers, should be disposed of, wiped, or returned to you for safe keeping, prior to the device being disposed of, returned to a leasing company, reallocated for different use(s), or sold. Employees who telecommute should follow the same procedures.
5. Plan for the Unexpected
Have a security breach response plan in place. Designate a senior staff member to lead and implement it.
If a device is compromised, immediately disconnect it from your network and take steps to close off other vulnerabilities. Have a list of whom to notify both inside and outside the enterprise.
Keeping your organization's data secure can be difficult, but following these five key principles will help. Another important way to keep your data secure is to have an effective BYOD policy in place. Check out this Workbook to learn how to create and implement a BYOD policy to ensure your organization's data is secure.