Are you taking steps to protect your customers’ personal information? Safeguarding sensitive data in your files and on your computers is just good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. Recent studies estimate the cost of a security breach at around $200 per customer record compromised. With such high stakes, every small business needs a sound data security plan. That plan should be built on five key principles:
- Take stock. Know what personal information you have in your files and on your computers.
- Scale down. Keep only what you need for your business.
- Lock it. Protect the information in your care.
- Pitch it. Properly dispose of what you no longer need.
- Plan ahead. Create a plan to respond to security incidents.
In this article we’re going to take a closer look at all the aspects within each of these five steps:
1. Take stock
One of the most important things you can do is be aware of what information you need to protect.
- Take inventory of all file storage and electronic equipment. Where does your company store sensitive data?
- Talk with your employees and outside service providers to determine who sends personal information to your business, and how it is sent.
- Consider all the ways you collect personal information from customers, and what kind of information you collect.
- Review where you keep the information you collect, and who has access to it.
2. Scale down
Make it a standard business process to only keep the things you need for your business operations.
- Use Social Security numbers only for required and lawful purposes. Don’t use them as employee identifiers or customer locators.
- Keep customer credit card information only if you have a business need for it, and ensure stored information is in accordance with Payment Card Industry Data Security Standards (PCI-DSS).
- Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
- Change the default settings on your software that reads customers’ credit cards. Don’t keep information you don’t need.
- Truncate the account information on electronically printed credit and debit card receipts you give your customers. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date.
- Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.
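The receipt truncation rule above (no more than the last five digits of the card number, and no expiration date) is easy to get wrong in point-of-sale code that prints whatever the card reader returns. The following is an added worked example, not code from the original article: it masks a card number for a printed receipt, clamps the visible digits to five even if a caller asks for more, and builds the receipt fields so that the expiration date is never copied through. The function names, the transaction record layout, and the sample card numbers (publicly known test numbers, not real accounts) are assumptions for illustration.

```python
import re

# Ceiling from the receipt rule in the article: at most the last five digits in clear.
MAX_VISIBLE_DIGITS = 5


def mask_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the card number with every digit except the last `visible` replaced by '*'.

    Spaces and dashes are stripped first. The number of clear digits is clamped
    to MAX_VISIBLE_DIGITS so a misconfigured caller cannot print more.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must contain 12 to 19 digits")
    visible = max(0, min(visible, MAX_VISIBLE_DIGITS))
    if visible == 0:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


def receipt_fields(txn: dict) -> dict:
    """Select the fields allowed on a customer receipt from a transaction record.

    The expiration date is deliberately dropped rather than masked: the receipt
    rule says it must not appear at all. Only an allow-list of keys is copied,
    so new fields added to the transaction record later do not leak by default.
    """
    return {
        "merchant": txn["merchant"],
        "card": mask_pan(txn["pan"]),
        "amount": txn["amount"],
    }


def render_receipt(txn: dict) -> str:
    """Render the customer copy as plain text for the receipt printer."""
    f = receipt_fields(txn)
    return f"{f['merchant']}\nCard: {f['card']}\nTotal: ${f['amount']}\n"


# Constructed sample transaction (test card number, not a real account).
SAMPLE_TXN = {
    "merchant": "Example Hardware",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",   # present in the authorisation record, must not reach the receipt
    "amount": "19.99",
}

if __name__ == "__main__":
    print(render_receipt(SAMPLE_TXN))
```

Keeping the allow-list in `receipt_fields` rather than deleting the expiry key is the important design choice: a printer template that copies every field it is handed will start leaking the moment someone adds a new column to the transaction record.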
3. Lock it
Double-check to ensure you are protecting the data you keep.
- Put documents and other materials containing personally identifiable information in a locked room or file cabinet.
- Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
- Implement appropriate access controls for your building.
- Encrypt sensitive information if you must send it over public networks.
- Regularly run updates for anti-virus and anti-spyware programs on individual computers.
- Require employees to use strong passwords.
- Caution employees against transmitting personal information via e-mail.
- Create security policies for laptops used both within your office, and while traveling.
- Use a firewall to protect your computers and your network. Consider segmenting Point-of-Sale terminals and other high risk systems on their own network with more strict security controls.
- Set “access controls” to allow only trusted employees with a legitimate business need to access the network.
- Monitor incoming Internet traffic for signs of security breaches.
- Check references and do background checks before hiring employees who will have access to sensitive data.
- Create procedures to ensure workers who leave your organization no longer have access to sensitive information.
- Educate employees about how to avoid phishing and phone pretexting scams. Establish verification procedures for giving out customer information over the phone or email.
4. Pitch it
Properly dispose of information and materials you no longer need.
- Create and implement information disposal practices.
- Dispose of paper records by shredding, burning or pulverizing them.
- Defeat dumpster divers by encouraging your staff to separate the stuff that’s safe to trash from sensitive data that needs to be discarded with care.
- Make shredders available throughout the workplace, including next to the photocopier.
- Use disk wipe utility programs when disposing of old computers, copiers and portable storage devices.
- Give business travelers and employees who work from home a list of procedures for disposing of sensitive documents, old computers and portable devices.
5. Plan ahead
Create a plan for responding to security incidents.
- Create a plan to respond to security incidents, and designate a response team drawn from your employees.
- Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others – a lost laptop or a hack attack, to name just two – are unfortunate, but foreseeable.
- Investigate security incidents immediately.
- Create a list of who to notify – inside or outside your organization – in the event of a security breach.
- Immediately disconnect a compromised computer from the rest of your network.
If you have any questions about how to implement these tips or how to protect your business’ financial information, please reach out to your local MidWestOne banker.