In every business entity, there is some information that is considered sensitive. This includes employee and customer data. To keep such information safe, the following simple steps will come in handy:
Take an inventory of all data capture and storage assets
You can take stock of information assets in the following five ways:
i. Know which equipment helps in data capture
By having in-depth knowledge of all your information assets and the ways you access them, you will be in a good position to know where you are vulnerable. Take inventory of computers, servers, disks and flash drives. Include cell phones and laptops in your stock list. You also need to know all employee email addresses, including those of employees who have recently stopped working with the company.
ii. Interview people who handle information
Make a habit of seeking updates from personnel in human resources, accounts and customer service, as well as those in IT. Customer feedback can also be a good source of business information. From such briefings, you can find out where sensitive data comes from. It could be from customers, call centers, banks, credit card companies and contractors.
iii. Analyze forms of data flow
Business forms will help you understand the way sensitive data is transmitted to your company. Define which data comes in through your company's website, emails and postal mail. Then find out the kind of information each of these sources transmits. It could be customer checking account numbers or credit card information.
iv. Investigate data accessibility
This involves knowing which people can and do access company data. Find out whether every employee can access any data or whether there are restrictions. Query whether software and data equipment vendors are able to access credit card information or transactions. Where your business works with outsourced contractors, find out what their security clearance levels are.
v. Revisit data storage processes
Data comes in different ways, each posing its own risks. You need to pay keen attention to the ways your business handles personal information such as identification card numbers, credit card numbers, bank details and other financial information. Ask yourself the extent to which such data could be used to facilitate theft.
Protecting customer and employee data helps maintain their integrity and that of your business. As a rule of thumb, always keep only the data that you need. Get rid of unwanted data by:
i. Collecting only what you need
There is absolutely no need to gather personal information if it will be of no use to your business. Soon after gathering information of any nature, ensure that there are defined ways of storing, archiving, protecting and disposing of it. Avoid gathering data just for the sake of it. Review data collection forms and revise them on a regular basis so that they always remain relevant.
ii. Retaining only what is justified
If there is no justification for retaining information, do not retain it. Keeping such sensitive data creates opportunities for fraud. Archive what you need and dispose of the rest.
iii. Changing software defaults
At times, you might be using software whose default settings permanently store any data captured. Check these settings and adjust them accordingly.
iv. Ensuring compliance
Your company must be compliant with existing security and privacy requirements as recognized by law.
v. Defining retention requirements
If there is a requirement for you to keep personal and business information, do so under the guidance of a record retention policy. The policy must state the type of information, how long it must be kept, who can access it and how it is to be disposed of once it is no longer needed.