
Data breaches are happening at a more frantic pace than ever before. It seems like every day there is a public news announcement about a major company that has suffered a data breach. Recently, large financial companies such as Capital One, services such as DoorDash, and even online gaming services such as Words with Friends have been victims of a data breach.
However, large companies are not the main target for cyber-criminals; small to medium-sized businesses are. Protecting your customer data is just as crucial as protecting your own, so for our final entry for National Cyber Security Awareness Month, we are going to cover the tasks you need to execute for a solid customer data security plan, the compliance terms you need to know, and the impact of not following these procedures.
What makes up a good data security plan?
Keeping sensitive data as confidential as possible should be your highest priority as a business. According to the FTC, there are 5 key principles to protecting your customers’ data:
- Make a record of what Personally Identifiable Information (PII) you currently store for your business. This includes physical documents and digital files on a computer. Fully investigate how your customer information is stored, its level of security, and who has access to it. Take inventory of all devices that store information and of what kind of information is being stored. If you are holding credit card numbers, you need to be familiar with PCI Compliance. This is a set of standards for accepting credit card payments that was made to protect vendors against data breaches. Also, be aware that the amount of risk involved with different types of PII will vary, so your attention to Social Security numbers, bank information, or other types of sensitive data is crucial.
- Keep only the data you need for your business. Don’t keep PII unless there is a business need for it. Always keep a close eye on who has access to the data that remains. If the individual’s job description does not fit the need to have access, do not grant them access. If you have to collect customer data, you must protect it at all times.
- Protect the PII that you keep. Make sure that you have an extensive plan for your physical security, electronic security, employee training, and third-party security practices (such as contractors and service providers). One of the most important aspects of that protection lies within employee behaviors. Employees who are trained and disciplined in protecting not only customer PII but also internal private information can be the difference between safety and danger. Controlling what data employees can access from their laptops and portable devices is highly important as well, particularly if you have a BYOD (Bring Your Own Device) policy.
- Securely dispose of any customer information that is not necessary for your business. Throwing away old documents is not enough. Thieves can go through your trash and get easy access to any confidential information they can get their hands on. If you must dispose of anything that contains private information, make sure it is shredded, burned, or destroyed to the point that it is unreadable. Hard drives on old computers, USB drives, and all hardware retaining PII must be securely wiped with a wipe utility program before being discarded, as simply deleting files is not enough: the file contents may still exist on the drive after deletion.
- Have a plan ready for security incidents. Having a Disaster Recovery plan isn’t just about natural disasters. If any of your devices happen to be infected with malware, stolen, or suffer from a data breach, what are your options? If you do not have a plan for security incidents, you need to formulate one ASAP. Consult your IT department and administrators about determining who will coordinate and implement the plan you create. If a network-connected device is compromised, disconnect it from the network immediately.
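As an added example (not from the original post, the FTC guidance, or neoRhino), the inventory called for in the first principle can be approximated with a small scanner that flags credit card numbers (validated with the Luhn checksum to cut false positives) and SSN-shaped values in the files you hold, and reports only masked values so the inventory itself does not become another copy of the PII. The file paths and contents below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample "files" standing in for documents found during an inventory.
SAMPLE_FILES = {
    "invoices/2019-q3.txt": "Customer paid with card 4111 1111 1111 1111 on 2019-08-02.",
    "hr/onboarding.txt": "Employee SSN 123-45-6789 filed for payroll.",
    "notes/meeting.txt": "Order #1234567890123456 shipped; no payment data here.",
}

# 13-16 digits, optionally separated by spaces or hyphens (typical card formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security number in its usual 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return masked findings (last four digits only) for card numbers and SSNs in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append("card:" + "*" * (len(digits) - 4) + digits[-4:])
    for m in SSN_RE.finditer(text):
        findings.append("ssn:***-**-" + m.group()[-4:])
    return findings


def inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file path to its masked PII findings, omitting files with none."""
    result = {}
    for path, text in files.items():
        found = find_pii(text)
        if found:
            result[path] = found
    return result


if __name__ == "__main__":
    for path, found in inventory(SAMPLE_FILES).items():
        print(path, found)
```

The order number in the meeting notes is skipped because it fails the Luhn check, which is the kind of false positive a bare digit-count regex would report.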
What kind of impact could occur from not properly securing customer data?
- Downtime & Productivity Loss
- Legal Ramifications
- Fines (especially if you are in medical fields under HIPAA Compliance)
- Public View of the Company
- Potential Closure
Securing everyone’s personal data properly should be a top priority. It may not be convenient, but it is always the right thing to do when your private information is at stake.
neoRhino’s Security Awareness Team, certified IT consultants, and 24/7 helpdesk squad are here to help strengthen your online defenses. You can visit our homepage, see more about The War on CyberSecurity, or give us a call at (281) 779-4850, and we can manage your technology so you can manage your business.

