New Decade Audit: 5 Things Your Business Should Do Now to Ensure Your and Your Customers’ Privacy

With a new decade comes new priorities. As a business owner, your employees’, customers’, and your company’s privacy must be top of that list. Already in 2020, news has hit about data breaches with Landry’s restaurant group, Microsoft, and the POS system used by many medical marijuana dispensaries. Don’t make yourself a target of a data breach or other attack. These are the five things you need to do right now to protect your company’s and customers’ privacy.

 #1 – Identify What Needs Protection

 Identify everything you handle that requires security. Go through all of the places you store information. Don’t forget to look at external hard drives, USB sticks, and filing cabinets. Talk to your employees to see what they’re holding.

 Do you process credit or debit card transactions for your customers? Do you store contact information, SSNs, birth dates, or bank account numbers? Think of everything you handle, whether it’s submitted online or through a paper application, and jot it down.

 Be careful that you’re not overlooking anything. You might think that a student ID number isn’t very useful, but it could be. You should also be safeguarding answers to security questions, places of birth, and other information that could be used for identification.
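Paper files have to be inventoried by hand, but the electronic side of this step can be done mechanically. The following Python script is an added example, not part of the original article and not an ERI tool: it scans documents for the identifiers listed above (SSNs, payment card numbers, e-mail addresses, and dates of birth) and reports how many of each it finds per file, so a shared drive or export folder can be inventoried before deciding what to keep. The sample records are constructed, the file names are hypothetical, and the patterns are deliberately simple; the one non-obvious piece is the Luhn checksum, which rejects 16-digit tracking and order numbers that would otherwise be reported as card numbers.

```python
import re
from collections import Counter
from pathlib import Path

# Patterns for the identifiers the article lists. The card pattern only finds
# candidates; luhn_ok() below decides whether a candidate is a real card number.
PATTERNS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob":   re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Constructed sample documents standing in for files found on a shared drive.
SAMPLE_DOCUMENTS = {
    "exports/customers.csv": (
        "name,email,dob,ssn,card\n"
        "Ann Example,ann@example.com,07/14/1985,123-45-6789,4111 1111 1111 1111\n"
        "Bob Sample,bob@example.org,11/02/1990,456-78-9012,5500 0000 0000 0004\n"
    ),
    "shipping/memo.txt": (
        "Tracking number 1234 5678 9012 3456 left the warehouse today.\n"
        "Call the carrier at 555-123-4567 if it does not arrive.\n"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count each identifier type found in one document."""
    counts = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card":
                digits = re.sub(r"[ -]", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue                # order/tracking numbers fail the checksum
            counts[kind] += 1
    return counts


def inventory(documents: dict) -> dict:
    """Map each document name to the identifier counts found in it."""
    return {name: dict(scan_text(text)) for name, text in documents.items()}


def inventory_directory(root: str, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Same report for real files under a directory tree; binaries are skipped by suffix."""
    docs = {str(p): p.read_text(errors="ignore")
            for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes}
    return inventory(docs)


if __name__ == "__main__":
    for name, found in inventory(SAMPLE_DOCUMENTS).items():
        print(name, found or "nothing sensitive found")
```

Run it against the sample and the customer export is reported with two of every identifier, while the shipping memo is reported clean: its 16-digit tracking number fails the Luhn check and its phone number does not fit the SSN layout. Point `inventory_directory()` at a real share to build the list for step #2.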

 #2 – Do You Need All of That Information?

 Now that you have a full list of what you’re storing in filing cabinets, hard drives, portable drives, and the cloud, think about what you need to store. You probably need to keep contact information, but do you really need your customers’ birth dates? You could just as easily ask them to show ID when they’re claiming a birthday or senior discount.

 For the information that isn’t critical to your business, dispose of it, and make sure you do this properly. Deleting files or formatting a drive is not disposal; the data is usually still recoverable. Depending on what you hold, federal rules (the FTC Disposal Rule for consumer report information, HIPAA for health records, the GLBA Safeguards Rule for financial data) and state laws require that it be rendered unrecoverable. NIST SP 800-88 describes three levels of media sanitization. Clearing (overwriting) is usually enough for a device you are still using inside the company. Purging (a firmware sanitize command, cryptographic erase, or degaussing for magnetic media) is what you need if you want no chance that the data can be recovered, even in a lab. Destroying (shredding or disintegration) is the final option. Devices that have been sitting in a closet and will not be reused should go to a certified e-waste facility that provides the level of data destruction your company needs, and you should keep the certificate of destruction, with serial numbers, for your records.

  • Standard Compliance is the base level and the one most companies need.
  • Enhanced Compliance uses lockboxes, TSA certified drivers, and video verification (if desired) to ensure a documented chain of custody from the time the equipment leaves your office.
  • High Security Services are ideal for government, military, and other top-secret documents and electronics. In this case, the experts that destroy your data are U.S. citizens and undergo specialized training. Shredding is performed to NSA/CSS standards.

 #3 – Set Strict Privacy Policies

 Now that you’re down to the information you need, you need to come up with strict privacy policies. Write out what employees are allowed to access, how they go about it, what they can and cannot request of customers, and what they can and cannot do with computers. You may need to hold a meeting to go over the new privacy policy and leave time for your workers to ask questions.

 Talk to your employees about how they are to handle things when they need to walk away from their desk or leave at the end of the day. They cannot just walk away and leave their screen unlocked. They need to log out of the applications they were using and either power down the computer or lock it so that a password is required to resume. Configure every computer to lock itself after a few minutes of inactivity so that this does not depend on anyone remembering.

 Give everyone a copy of the policy to read over. Once they’ve read and understand it, they should sign a form stating so. If they don’t understand something, they must get clarification before they sign the form.

 #4 – Secure What’s Left

 Now that you have destroyed unnecessary data, you must secure the remaining information. Paper documents should be in locking file cabinets, a vault, or in a locked room. Only certain employees should be able to access the key or keys that unlock the room, vault, or cabinet.

 You need to have a secure way to store the keys. Have a key holder who keeps the keys in a secure area. When authorized personnel request a key, it’s noted when and why. When the file that is removed is no longer needed, it immediately goes back to the room. It may be easier to get key cards that open doors. Only authorized employees can access the information, and their cards will be set up to allow them access and to record when they do. This also gives you a record of who last had a file if something goes missing.

 Electronic devices need the same care. The obvious ones are computers, smartphones, and tablets, but copy machines, multifunction printers, scanners, and office telephone systems also keep copies of what passes through them on internal storage. Keep an inventory of them, and once they reach end of life, make sure the data on them is properly destroyed before they leave the building.

 #5 – Constantly Monitor Your Traffic

 If you need to hire an IT or security expert, do so. You want someone who is continuously monitoring your systems for signs of intrusion. That starts with knowing what normal looks like: which accounts exist, which machines talk to which, and how much data usually moves. Pay close attention to heavy activity from a new or rarely used account, and to activity at odd times of the day or night. Look for data being sent from your servers to an address you don’t recognize, or to a user who has no business need for it. Watch the log files for login and network activity, keep copies somewhere an intruder cannot edit them, and review them often enough to catch an attack or attempt while it is still in progress.
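The three signals in the paragraph above (a new account, odd hours, and data leaving for an unknown destination) are simple enough to check automatically. The script below is an added example, not from the original article and not an ERI product: it runs those three rules over a constructed sample log and sums download volume per account. The log format, the list of known users, the internal address range, the business hours, and the 5 MiB threshold are all assumptions; in practice they come from your directory, your network inventory, and a baseline of what your logs normally show.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log from a hypothetical file server (the key=value format is assumed).
SAMPLE_LOG = """\
2020-01-14T09:12:03 user=alice action=download file=q4_report.pdf bytes=204800 dst=10.0.0.25
2020-01-14T09:15:41 user=bob action=login src=10.0.0.31
2020-01-14T12:40:18 user=bob action=download file=pricelist.pdf bytes=1048576 dst=10.0.0.31
2020-01-14T02:47:10 user=alice action=download file=customers.csv bytes=52428800 dst=203.0.113.9
2020-01-14T03:02:55 user=tempadmin action=login src=198.51.100.7
2020-01-14T03:03:20 user=tempadmin action=download file=payroll.xlsx bytes=10485760 dst=198.51.100.7
""".splitlines()

# Baseline assumptions; replace with data from your own directory and network inventory.
KNOWN_USERS = {"alice", "bob"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)             # 07:00 to 18:59 local time
EXFIL_BYTES = 5 * 1024 * 1024             # flag downloads of 5 MiB or more leaving the network

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines) -> list:
    """Return one alert per suspicious event, listing every rule it tripped."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        if ev["user"] not in KNOWN_USERS:
            reasons.append("unknown account")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if ev.get("action") == "download":
            dst = ev.get("dst", "")
            if dst and not is_internal(dst) and int(ev.get("bytes", 0)) >= EXFIL_BYTES:
                reasons.append("large transfer to external host")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "reasons": reasons})
    return alerts


def bytes_by_user(lines) -> dict:
    """Total bytes downloaded per account, to spot an account that is suddenly busy."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") == "download":
            totals[ev["user"]] += int(ev.get("bytes", 0))
    return dict(totals)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
    print(bytes_by_user(SAMPLE_LOG))
```

On the sample, the daytime events from known accounts produce nothing, while the 02:47 export of customers.csv to an outside address is flagged twice (off-hours and a large external transfer) and the unknown `tempadmin` account is flagged on every line it appears in. Per-user totals make the same point a different way: an account nobody provisioned has moved 10 MiB in its first minute of existence. Rules this simple will also fire on legitimate late-night work, so the point of the baseline is to tune the thresholds and known lists, not to skip the alerts.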

 If there is a breach attempt or hack, your company needs to have a plan in place before it happens. You need to cut off the intruder’s access (revoke the credentials involved and isolate the affected machines), preserve the logs and disk images you will need before anyone wipes or rebuilds anything, find out how they got in, and see if anyone in your company was responsible or helped in any way. You need to be ready to terminate an employee if it comes to it. The sooner you take action, the less damage occurs. You must also report a breach or hack to the authorities, and notify the affected people and regulators when the breach-notification laws that apply to you require it; every U.S. state has one, and sector rules such as HIPAA add their own.

 Security takes a lot of planning and expertise. Call in the experts if you need to. ERI Direct can help with IT and Electronics Asset Disposition and Data Destruction. We offer several levels of data destruction, so you’re certain to find the level that your business requires. Call our offices for more information on keeping your company information secure.