You are probably well-aware of the massive impacts data breaches can have on a company and the resulting fallout is something that causes irreparable damage to many. While plans for reducing the impact of a breach are good things to have, we believe prevention is a much more cost-effective method.
Legal and Cost Benefits
These measures are often very cheap to implement. Some require education of personnel, while others make use of already built-in software features. Compliance with these new methods will primarily demand willingness on behalf of the employees and careful planning, but once implemented, they are not too demanding.
Furthermore, these methods are excellent for demonstrating compliance with the data security and privacy regulations, such as the new EU regulation, the General Data Protection Regulation. Since legislation such as the GDPR demand the implementation of certain changes, you could use this opportunity to strengthen the existing data safety policies or implement new ones if you already haven’t.
Roles & Responsibilities
The first step to data security is ensuring that all employees’ roles are clear when it comes to handling data security. If your organisation is not required to appoint a Data Protection Officer, a similarly educated employee or an outside consultant should appoint the appropriate roles, with regards to ensuring a clear definition of everyone’s duties.
Strict Planning
The more crucial the data, the stricter this planning must be. For high-risk data, you should appoint a security officer (this is mandatory under the GDPR as well). Clearly appoint the security tasks to each individual, and review the policies after an employee is terminated or after a reorganization. You should segregate duties that potentially clash. A security auditor should not be a DPO at the same time, for example.
For sensitive data, you can require the employees to sign non-disclosure agreements to prevent leaking of such data (or, at least, if something goes wrong, you have the means to sue or terminate the offender). Evaluate all employees working with sensitive data for potential conflicts of interest.
Minimise or eliminate the number of employee roles with excessive data rights. It’s an accident waiting to happen, and a risk you should not take. Revise these policies regularly.
Workplace Policies
At the minimum, you should ensure that employees aren’t able to bypass your security measures, such as log-in requirements or similar. People can be very creative, so try to prevent this behaviour by making access policies and other security measures as unobtrusive as possible.
For example, set your anti-virus software to auto-update seamlessly. Workers can get annoyed with regular pop-ups and then disable the features altogether out of frustration. You should implement automatic log-off timers to prevent someone unauthorised to access data on an unattended computer.
Careful with Sensitive Data
When working with high-risk data, ensure that personal data from these PCs is never transferred on elsewhere. This includes copying the data to DVDs, flash drives and similar. Such data leaks often occur, and are difficult to detect.
Do not connect such PCs to the Internet if possible, either, and consider encrypting the drives. Sensitive data should be encrypted if it is being transferred via online channels – such as when a customer is sending their payment data.
Consider enacting two-factor authentication for the employees’ mobile devices, and ensure that remote deletion of data from a device is possible in case of theft. Of course, document all the devices and train the employees as to rules for their use. This will markedly reduce the risks presented by device theft and residual data.
Biometrics is an enticing solution, but it brings a host of privacy issues itself.
BYOD
Bring your own device policies are adored by employees, but they make access controls and data fencing difficult. It can be very challenging to ensure a satisfactory degree of data security when employing BYOD. This is doubly so for sensitive data. In most cases, a thorough implementation of BYOD will require dedicated tools and management software.
The issue is twofold: The GDPR requires companies to know the whereabouts of their data at all times, which is difficult when the devices are employee-owned, and when a breach occurs, it is more challenging to contain it. They are also more likely to occur.
However, the productivity benefits could outweigh the potential data security risks, which can be minimised through careful policy design.
For more information about the impact of BYOD on data security, read more here and here.
Access Controls
This section covers both software-based access controls and physical access controls.
You should ensure that your IT infrastructure is not accessible by unauthorized personnel. Consider placing your servers in a safe, locked room where only those who need access can get inside. For sensitive data, consider logging every access attempt. Alarm systems can also be useful. Consider the installation of a UPS system for your servers.
Any visitors or external support teams should get clear ID cards or badges that clearly identify them. If you’re operating a larger company or organization, this applies to the employees too.
Stringent Authentication
Before processing any kind of data, make sure to implement an access control system. Each user should get an account with appropriate permissions to access only those types of data that are strictly necessary. Require the passwords used to be of certain complexity (e.g. 12 characters minimum with a mix of uppercase and lowercase letters, symbols and numbers), again depending on the level of access. For sensitive data, make sure the employees change their passwords regularly. The best way is to implement a password expiry system.
For best security, we recommend two-factor authentication, such as security tokens, fingerprint scanner or similar. Make sure not to allow too many users to have excessive access rights. Keep access to sensitive data to a minimum. That way, you are proactively reducing the number of ways a data breach could occur. Passwords should generally be kept in hashed form, and no one should be able to read passwords in raw format.
Conclusion
The best method of dealing with data breaches is not to have one in the first place. Sound organisational measures and common-sense policies can dramatically increase security and reduce your risk of data loss or breaches that often result from negligence or oversights. By implementing those measures and regularly evaluating their adoption, you are also demonstrating compliance with most privacy regulations, including the dreaded GDPR. But you should not be doing it just for the sake of a law; you should be doing it for the sake of your own company.
