Written by Steven Randall, Partner, Vonya Global
There have been several recent examples of the damage that poor data protection can cause even very powerful companies: just ask Sony, Home Depot, or Target. Trouble protecting consumer data can cost a company more than bad publicity. Lawsuits, fines, and permanent loss of business are all likely consequences of poor data protection. According to a 2013 Harris Interactive poll sponsored by TRUSTe, 89 percent of consumers in the US said that they avoid doing business with companies whose online privacy practices cause them concern.
Here are the best strategies to keep your customers and your business safe, no matter the size of your company:
Establish a strong line of defense by instituting and following internal audit procedures. All information security programs are unique, but there are some processes that work for everyone. Your guidelines should include customer credentialing in order to confirm the identity and intent of anyone who wants access to your company’s services, products, or information. Access requests should also be verified for legality.
Your internal audit system should also deal with risk assessment in several ways. You’ll need to assess risk annually and implement mitigation strategies. You’ll also need to assess risk periodically as new products or information systems go online. Finally, you’ll need to assess the risk to the company’s data security measures themselves. As security measures are audited, any weaknesses should be addressed immediately through compliance and remediation programs.
Ensure that your high-level management has a role in customer data protection. Obviously your IT team will be instrumental in the day-to-day problems of data security, but this important issue should not be relegated to the IT department. Keep responsibility for the issue within upper management and make accountability for data security part of your ongoing ethical commitment.
As discussed elsewhere, it is crucial to have an appropriate bring-your-own-device (BYOD) policy in place, and BYOD policies are a customer data protection issue. Quite simply, the presence of employee devices compounds the difficulty of protecting privacy and information. However, most experts see the BYOD trend as inevitable, and a problem that should be addressed directly. Don’t find yourself reacting to a disaster. Protect your company proactively and institute a BYOD policy that covers loss, theft, and related problems.
You need to reevaluate your encryption technologies every few years to ensure your company is using current best practices. Consider whole-disk encryption rather than file-level encryption for better protection. Remember that your specific industry may have legal and regulatory issues that impact your needs (HIPAA, for example).
If you don’t already use a data loss prevention (DLP) platform, it would be wise to implement one. The basic work of a DLP is to monitor and identify how your data is being used, where it is, and who is using it. DLPs typically run on rules; for example, you might set up your system so that nothing containing a file number, social security number, or some other sensitive piece of data can be sent out of your network. DLPs prevent data breaches and help you manage what happens to data under your control.
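To make the rule-based behaviour concrete, here is an added example (not code from the post or from any DLP product) of an outbound-content check: each rule pairs a pattern with an optional validator so that structurally impossible numbers do not trigger false positives, and a matching message is blocked and redacted for the log. The "FILE-######" file-number format and all sample values are assumptions constructed for this example.

```python
import re

# The SSN validator applies the Social Security Administration's structural
# rules: area 000, 666 or 900-999, group 00 and serial 0000 are never issued.
def _valid_ssn(match: str) -> bool:
    digits = re.sub(r"\D", "", match)
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

RULES = [
    # (rule name, compiled pattern, validator or None)
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), _valid_ssn),
    # Hypothetical internal file-number format, assumed for this example only.
    ("file_number", re.compile(r"\bFILE-\d{6}\b"), None),
]

def scan(text: str) -> list[tuple[str, str]]:
    """Return (rule_name, matched_value) for every policy hit in text."""
    hits = []
    for name, pattern, validator in RULES:
        for m in pattern.finditer(text):
            if validator is None or validator(m.group(0)):
                hits.append((name, m.group(0)))
    return hits

def evaluate(text: str) -> dict:
    """Decide whether an outbound message may leave the network.

    Blocked messages are returned with every matched value redacted, which
    is what should reach the incident log rather than the raw data."""
    hits = scan(text)
    redacted = text
    for _, value in hits:
        redacted = redacted.replace(value, "[REDACTED]")
    return {"action": "block" if hits else "allow",
            "hits": hits, "redacted": redacted}

# Constructed sample messages; the numbers are invented, not real identifiers.
SAMPLES = [
    "Quarterly report attached, see you Monday.",
    "Customer SSN is 123-45-6789, please update the account.",
    "Reference 000-12-3456 is a placeholder, not a real number.",
    "Pull FILE-482913 before the audit call.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = evaluate(msg)
        print(result["action"], "->", result["redacted"])
```

Real DLP platforms add context (sender, destination, attachment parsing) and exception handling on top of this kind of pattern-and-validator core.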
Many IT departments retain logs, even for crucial functions like firewalls, for only 30 to 60 days, but it’s best to keep them for a year or more. Data loss incidents often go unnoticed until long after they occur, and without the logs there is no way to determine the cause of these breaches.
Protecting customer data is good business, and there are concrete steps your company can take to ensure that your online privacy practices are more secure. These kinds of policies, which integrate internal audit systems with smarter data protection, help to build customer confidence and protect your business.
This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamentals-based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn profile.