Learn the data security best practices that will give you the most bang for your buck.
Workplace data security is of increasing concern to businesses. Some of the required steps are simple, like doing a physical building check at the beginning and end of the work day. But some steps aren’t as simple, such as addressing cyber threats to your sensitive and protected information.
Organizations may be motivated by the threat of financial loss, which can include direct costs like fines, settlements, and lost sales, as well as indirect costs like customer departure and decreased trust. They may also be required to comply with data security mandates like GDPR, PCI DSS, or HIPAA.
Whether you’re protecting payment card data, personal information, or medical records, you want to be secure and follow security best practices. But you also likely have to work with a limited budget. Setting a security budget can seem nebulous, so here are some simple, cost-effective tips. This is by no means an exhaustive list or a prescriptive security program for compliance, but these tips are some of the more bang-for-your-buck steps you can take right now.
Shred files prior to throwing them away
While cybercrime often takes center stage for information protection, precautions should be taken with physical information too. When you throw away or recycle confidential or protected information, shred it first (as advised by the National Federation of Independent Business (NFIB)).
Keep in mind that people can still access the information while it’s in the trash, as shown by a study of five Canadian teaching hospitals that collected 2600 items containing personally identifiable protected health information (PHI) from recycling bins over 18 months. Any communications (including customer quotes, invoices, and letters) should also be shredded.
Update your computers
Make sure that all company-owned devices, and any personal devices that connect to the corporate network, are updated promptly when patches or new operating system versions are released. Your web browsers, operating systems, security programs, and other applications should also be kept up to date.
While cloud providers will usually update their software, you are responsible for any software that is on your devices. Staff mobile devices should be protected with similar security measures.
Implement selective Wi-Fi privileges
Safeguard your network by restricting who is admitted into your protected environment and what they can do once inside, through permission changes, as the Institute of Electrical and Electronics Engineers (IEEE) advises. One simple step is to segregate authorization by establishing a separate guest network for clients, vendors, third-party affiliates, and family.
Choose security-minded contractors
One way to improve security is to only work with vendors that have strong controls in place. One of the easiest ways to validate that an organization is dedicated to proper controls is checking for an audit from the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements 18 (SSAE 18), a standardized process used by service providers to test and prove their data centers’ security.
If you handle HIPAA-covered data, make sure any business associates or covered entities have their data security responsibilities written into their contracts.
Launch a strong password policy
Follow the latest guidance on passwords. New stipulations were released by the National Institute of Standards and Technology (NIST) in 2017 related to password management.
The NIST guidelines suggest that you should always validate any new password against lists of passwords that have been exposed in breaches or that are commonly used. The agency also advised forgoing routine password changes, since research now suggests forced rotation hurts security. You also may not need to worry about character-composition rules (such as requiring at least one special character), because they give people a false sense of security, per NIST.
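One way to implement the password-acceptance check the NIST guidance describes, as an added example that is not part of the original article: a breached/common-password blocklist plus a length floor, with no composition rules. The blocklist entries are constructed for illustration, and the 8/64-character thresholds are taken from NIST SP 800-63B rather than from this page.

```python
"""Password-acceptance check in the spirit of the 2017 NIST guidance:
blocklist of breached/common passwords, a minimum length, no
character-composition rules and no forced rotation."""
import re
import unicodedata

# Constructed sample blocklist. A real deployment would load a large
# corpus of breached passwords instead of this handful of entries.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1", "admin",
}

MIN_LENGTH = 8   # NIST SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept at least this many characters


def normalize(pw: str) -> str:
    """Normalize so 'Password' and 'password ' hit the same blocklist entry."""
    return unicodedata.normalize("NFKC", pw).strip().lower()


def check_password(candidate: str, context_words=(), blocklist=BLOCKLIST) -> list:
    """Return the reasons the candidate is rejected; an empty list means accept."""
    reasons = []
    norm = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if norm in blocklist:
        reasons.append("appears in breached/common password list")
    # Context-specific words (username, company or service name) are rejected too.
    for word in context_words:
        w = normalize(word)
        if w and w in norm:
            reasons.append(f"contains context word {word!r}")
    # Repetitive ("aaaaaaaa") or simply sequential ("12345678") strings are weak.
    if re.fullmatch(r"(.)\1+", norm):
        reasons.append("single repeated character")
    if len(norm) >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(norm, norm[1:])):
        reasons.append("sequential characters")
    return reasons
```

Note that "Password123" passes (it is not on the sample blocklist and meets the length floor) while "Password" fails: the list check, not a special-character rule, does the work.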
A recent report from Shape Security found that stolen credentials entered by cybercriminals account for 80% to 90% of login attempts at retail ecommerce websites.
You should make sure that all your business's accounts and devices are safeguarded against unauthorized parties. Even if you generally trust an individual or organization, you don’t want them to have access to information without official authorization.
A typical scenario involving unauthorized use is allowing a client to use a laptop that belongs to your organization. Likewise, people who serve in various roles at your company should have only the access that makes sense for their position.
Login credentials should never be shared. For example, an accountant should not give their accounting application password to someone on the sales team.
Focus on training
Even the smallest companies are threatened by cybercrime, with 71 percent of attacks targeting organizations with fewer than 100 staff.
If you want to protect your business from data breaches, you need to train your employees. Everyone at your organization should know best practices for security, key signs of cyber attacks, and your incident response plan.
A simple training exercise could be to send your employees a mock phishing email and see how they respond. To best learn from their actions, segment responses by the phishing message used and by department. Additionally, you want employees to know you prioritize cybersecurity, so discuss it during onboarding and regularly through employee communications.
Securing the workplace with an eye on the budget
Updates, Wi-Fi privileges, third-party security audits, password policies, access controls, and training can all be affordable ways to improve the security of your work environment.
Author Bio: Adnan Raja has been the Vice President of Marketing at atlantic.net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.