According to the 2014 Verizon Data Breach Investigations Report, data breaches originating within businesses—including those resulting from human error—are on an upswing. These breaches can be costly and stressful. Business owners, however, can implement procedures and policies which will significantly reduce the risk of an internal breach.
When creating a comprehensive set of company best practices to protect sensitive data, consider using this brief checklist as a guide.
For New Hires
Before hiring an employee who will have access to sensitive data, carefully check their references and/or perform a background check.
As a condition of hiring, all new employees should sign an agreement stating that they will abide by your company's confidentiality and data security standards.
For Current Employees
Keep track of which employees have access to personally identifying information such as Social Security numbers. With sensitive information, it's best to limit access to employees on a "need to know" basis.
Store sensitive files in a locked room or cabinet and limit employee access. Make sure cabinets stay locked unless an employee is working on a file. If you have an offsite storage facility, limit access and keep track of when employees use the facility.
Instill a culture of security within the company. Make sure your staff uses common-sense precautions like:
- Logging out of their computers at the end of the work day
- Never leaving sensitive papers on desks overnight
- Not granting building access to unknown people
- Reporting any suspicious activity—or incidents like the loss of a laptop—to management
Remind employees that all of their work-related devices such as laptops and mobile phones should be password-protected with strong, difficult-to-crack passwords. Employees should never send personally identifying information via unencrypted email.
Set clear rules about which software may be downloaded and used on a company device. Some software could make your system vulnerable to malware attacks. Consider blocking employees from downloading unsupported software.
Train employees to spot the signs of phishing and social engineering attacks. Make it an office policy toindependently verify phone calls or emails requesting sensitive information.
Maintain a schedule of regular employee training on all of these issues. This will refresh their knowledge andkeep them updated about new risks and vulnerabilities.
Impose a reward system for employees who alert you to vulnerabilities, and set disciplinary measuresfor security policy violations.
When Employees Move On
When an employee leaves the company, make sure to terminate their access to all computer databases, physical files, and other sources of sensitive information.
Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.