Protecting your data is like any other IT security challenge: it is about creating layers of protection. The idea of layering security is very simple: you CANNOT and SHOULD NOT rely on just one security mechanism, such as a password, to protect something that is very sensitive to your business. If that security mechanism fails, you have nothing left to protect your information.
1. Inventory the Data You Want to Protect
Conduct an inventory of your data so that you have a full picture of the data your business possesses and/or controls. It is essential to be able to see the complete inventory of data so that you don't overlook something that may be sensitive and could be exposed.
2. Identify and Protect Your Sensitive and Valuable Data
Data classification is one of the most important steps in data security. Not all data is created equal. Very few businesses have the time or the resources to provide maximum data protection to all of their information, which is why it is very important to classify your data based on how sensitive or valuable it is to your business. You need to know what your most sensitive data is, where it is and how it is being protected.
Common classifications include:
Highly Confidential: This applies to the most sensitive business information. Its unauthorized disclosure could seriously and adversely impact your company. I would include items such as credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords, PINs, employee payroll files, Social Security numbers, and similar data.
Sensitive: This classification applies to sensitive business information that is intended for use within your company, and information that you would consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and email marketing lists.
Internal Use Only: This classification applies to information that is generally accessible to a wide audience within your company and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful, such disclosure is not expected to seriously impact your company, employees, business partners, vendors and the like.
3. Control Access To Your Data
No matter what kind of data you have, you must control access to it. The more sensitive the data, the more restrictive the access. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so. Once you’ve classified your data, begin the process of assigning access privileges and rights – that means creating a list of who can access what data, under what circumstances, what they are and are not allowed to do with it and how they are required to protect it. As part of this process, a business should consider developing a straightforward plan and policy – a set of guidelines – about how each type of data should be handled and protected based on who needs access to it and the level of classification.
4. Secure Your Data
In addition to administrative safeguards that determine who has access to what data, technical safeguards are essential. The two primary safeguards for data are passwords and encryption. Passwords implemented to protect your most sensitive data should be the strongest they can reasonably be. That means passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them. Employee training on the basics of secure passwords and their importance is a must. Passwords alone may not be sufficient to protect sensitive data. Businesses may want to consider two-factor authentication, which often combines a password with another verification method, such as a dynamic personal identification number, or PIN. Two-factor authentication combines two of the following kinds of factors:
- Something the requestor individually knows as a secret, such as a password or a PIN.
- Something the requestor uniquely possesses, such as a passport, physical token or ID card.
- Something the requestor can uniquely provide as biometric data, such as a fingerprint or face geometry.
6. Encrypt Your Data
Another essential data protection technology is encryption. Encryption has been used to protect sensitive data and communications for decades, and today’s encryption is very affordable, easy to use and highly effective in protecting data from prying eyes. Encryption encodes or scrambles information so thoroughly that it is unreadable and unusable by anyone who does not have the proper key to unlock the data. The key is like a password, so it’s very important that the key is properly protected at all times. Encryption is affordable for even the smallest business, and some encryption software is free. You can use encryption to protect an entire hard drive, a specific folder on a drive or just a single document. You can also use encryption to protect data on a USB or thumb drive and on any other removable media. Because not all encryption products are created equal, businesses should consider using a data encryption method that is FIPS (Federal Information Processing Standard) certified, which means it has been certified for compliance with federal government security requirements.
7. Back up your data
Just as critical as protecting your data is backing it up. In the event that your data is stolen by thieves or hackers, or even erased accidentally by an employee, you will at least have a copy to fall back on. Put a policy in place that specifies what data is backed up and how; how often it’s backed up; who is responsible for creating backups; where and how the backups are stored; and who has access to those backups. Small businesses have lots of affordable backup options, including backing up to the cloud, where your data is backed up automatically and stored in remote, secure data centers.
Remember, physical media such as a disc or drive used to store a data backup is vulnerable no matter where it is, so guard any backups stored in your office or off site, and make sure that your backup storage systems are encrypted.
NSK Inc is a Boston outsourced IT consulting company. We can help your small business with all of its technology needs. We are a proactive technology team working inside your organization.