September of this year, Facebook experienced a data breach that left 50 million user accounts vulnerable to being taken over, with an additional 40 million at-risk. This was neither the largest, nor the most serious, data breach in recent memory, but it led to a loss of $13 billion USD in stock prices alone and, with the newly enacted EU General Data Protection Regulation beginning 25 May 2018, they could face heavy fines – 4% of annual global turnover or €20 million, whichever is greater – if they are found to have not properly managed their data.
In short, protecting customer data is more important than ever. Whether you’re protecting your data yourself or relying on software providers to protect it on your behalf, it’s important you know the best practices for keeping data secure.
The cloud isn’t a physical space where data is stored, but many data breaches are caused by lax physical security. Whether it’s a contractor picking up and plugging an errant USB drive into a laptop while connected to the company network, or an employee holding the locked office door open to a stranger dressed in a delivery uniform, there are many ways the people involved in your business can lead to a data breach.
When evaluating your own security, or the security of your vendors, keep an eye out for ways physical security could be a problem. Background checks on employees and contractors, standardized and regular security training, and controlled area access are just the beginning of proving a business is serious about security.
When people think of data breaches, they probably think of a hacker in a dark room and screens full of code. Though the image itself is over-dramatic, it’s certainly true that digital breaches are often harder to fight. It’s one thing to ensure employees don’t let strangers into the office; it’s quite another to ensure employees don’t open a phishing email and inadvertently give backdoor access to unauthorized parties.
Digital security is first and foremost affected by empowering employees and contractors to stay secure. Adopting EMM/MDM systems, enabling single sign-on for internal systems, password managers, and more to encourage best practices in password generation, security logging, and more. Similarly, minimizing access to customer data is also important to keep it secure: it’s better to have data be over-secured and provide access as-needed that will expire after a set time than leave doors open for unauthorized parties to access it.
Another part of data security involves the strength of the encryption on your data. Information is vulnerable in transit, so start by enabling protocols such as TLS to prevent eavesdropping or tampering. Then, once it’s stored on servers, it should be protected, too.
Compliance & Auditing
For many industries, data breaches go beyond financial trouble: companies that handle personal health information, financial data, and other sensitive materials need assurance that their business can keep customers’ data secure. Laws regarding personal information protect customers’ data, whether in a file cabinet or in the cloud, so if you’re looking to handle sensitive materials, it’s important to know exactly what is expected of you – and if you’re up to the task.
Auditing is a process in which companies hire third-parties to test their security and verify they’re able to handle data with the necessary caution relative to a set of existing standards, including physical security, encryption, and more. System and Organization Control (SOC), as well as Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act), are two of the more stringent requirements. Though compliance such as these is often optional, the certifications nevertheless provide reassurance that a company takes its customers’ privacy seriously.
When assessing your own security, or the security of your solution partners, there are many things to consider, not least of which being how secure do you need to be. Though the answer should always be, “as secure as possible”, sometimes needs are based on legal requirement, rather than simple best practices. What’s important to remember, though, is if solution providers are serious about security – whether you think you need it or not – you know your clients’ data is safe.
Want to learn more about how digital solutions protect your data? Check out our Privacy & Compliance page.