News of data security breaches at one company or another has become so common that perhaps we are becoming immune to the significant impact these breaches can have on those whose information are affected. Not only can identity theft destroy an affected individual’s credit and limit his/her future buying choices, but also it is becoming clear that, philosophically, perhaps our private data really aren’t private anymore. Think of how easy it is to search public records online and find out personal details about a person well beyond what the phone book would have listed in days past. It is harder and harder to keep secrets when the Internet is involved.
Notwithstanding such developing immunity to the shock of a data breach at any particular company, data breaches are very serious events for a company – of any size. In the aftermath, it is not unusual to hear business executives announce that they “never want to go through that again.”
So, what can you do to minimize your company’s risk for data breach? Here are my top five recommendations:
- Hire the right people. Whether you rely on internal IT support staff or if you outsource to a third-party vendor, make sure you have the right resources in place to accomplish your goals. Discuss your expectations (particularly about data security) with these personnel at the beginning of the relationship and set realistic goals for achieving a secure system.
- Conduct the necessary due diligence. Before you hire that new IT security director internally or engage that new third-party vendor, be sure that they actually have the skills in place to accomplish the levels of data security you envision. Interview your candidates (whether individual or vendor) to determine that their services match your needs. Make sure you know what services you are signing up for. If you want a company to be actively testing your network for potential weaknesses, make sure that such services are covered by the fees you are paying; typically, they are more expensive than services that simply patch your existing software with newly-released security updates from the manufacturer.
- Pay Attention to Suspicious Conditions. Watch for signs that someone else may be making changes to your network. (For instance, user names and passwords suddenly not working, the appearance of new administrator accounts, system unavailability particularly for remote access, significant slowdown of processing speed during periods of regular use, etc.). Just like we are all being warned in public transportation venues that “if you see something, say something”, if you suspect that your data may not be secure, do not ignore that suspicion. Involve your IT personnel and be sure that you are effectively maintaining the security of your network.
- Update all Software as Recommended by the Manufacturer. Security patches are rolled out all the time, particularly after the manufacturer learns of potential weaknesses in security. If you keep your software updated with these patches as part of your regular routine, you decrease your risk of exposure. Same with anti-virus and anti-malware software: they are only as secure as that last update that was applied. Keep the virus and malware definitions up to date to reduce your risk of intrusion by known entities.
- Only Collect Information that You Absolutely Need. If you do not need access to customers’ credit card numbers, don’t ask for it. And, if you do need access, do not retain it any longer than necessary to complete the transaction. In particular, where credit card numbers are concerned, there are other regulations, standards and guidelines about what you can keep and for how long. See Payment Card Information Data Security Standards (“PCI DSS“) for more details. With respect to the data you decide to keep, maintain your sensitive data in encrypted form as much as you can to reduce the risk of third-party access. Once you decide not to maintain certain sensitive information any longer, be sure that you comply with federal, state and local laws governing the safe destruction of documents or electronic data that embody personally identifiable information (“PII”) or competitively sensitive data, such as trade secrets.
In general, businesses who are proactive about putting in place and maintaining effective data security protocols have a much better chance of avoiding the exposure that results from a data breach. Of course, there’s no guarantee that you might not be targeted by a malicious and very determined third party, but consider a thief’s potential options: (1) hack that network that is protected by multi-layer and multi-factor data security; or (2) walk through that open door provided by another company who is not managing their IT security effectively. If you were the thief presented with these options, wouldn’t you take the path that presents the least resistance? Don’t be the “open door.”