As a business owner, you store data that is critical to company operations, as well as sensitive information about employees and customers. You have a responsibility to secure that data, and a special duty to protect personally identifiable information (PII). If that information is stolen, lost or corrupted in a cyber attack, your business and reputation could be jeopardized. With more businesses reporting data breaches every day, here are a few guidelines to help protect your business from the financial and property loss a breach can cause:
- Set up an incident response team to create a plan that outlines how your company will address a data breach. Establish clear roles and responsibilities for team members, record who to call outside the company (legal counsel, your insurer, a forensics provider), and rehearse the plan so it is not being read for the first time during an incident.
- Develop a data retention policy that explains what data your company keeps, for how long, and how it is secured. It should also describe how you destroy and dispose of data you no longer need, such as dormant customer accounts, old job applications and the personal information of former employees; data you no longer hold cannot be stolen. Make sure critical information is backed up regularly, that at least one copy is kept offline or otherwise out of reach of an attacker who has compromised your network, and that you periodically test restoring from backup. Store the data and its backups in secure locations.
- Keep up to date on state and federal laws and regulations regarding data breaches and privacy, including the mandates that set out how, and how quickly, you must notify customers and regulators if your data is breached. Incorporate those requirements into your data policy and your incident response plan. A badly handled breach can critically damage your company's reputation and result in fines, penalties and lost customers.
- Be sure anti-virus or endpoint protection is installed on every computer and kept up to date, and that operating system and application updates are applied promptly. Limit software installation to a designated few people, and do not give everyday user accounts administrator rights. Only download programs from trusted sources, and instruct all employees never to install software offered through email links or pop-up ads.
- Teach employees how to recognize and report suspected security incidents, and make clear to whom they should report them. A quick report of a suspicious email or an unexpected login prompt is worth far more than a perfect one made days later.
- Email is the most common way malware and phishing reach a business. Tell employees never to open attachments or follow links in an email they were not expecting, and to be wary of messages with odd spellings, unusual characters or urgent demands. Coming from a known sender is not enough on its own: attackers spoof familiar addresses and send from hijacked accounts, so an unexpected request involving money, credentials or sensitive data should be confirmed by phone or in person. Explain phishing and other common attack techniques. Have employees lock their screens when they step away and restart or fully shut down their computers at the end of the business day so pending updates are applied.
- Require employees to use strong, unique passwords, and to change a password promptly whenever there is any sign it may have been compromised. Forcing changes on a fixed schedule tends to produce weak, predictable variations, so prioritize length and uniqueness over frequent rotation. Passwords should be unique to each program, account and computer in use, and never shared. Length matters more than complexity: a long passphrase of several unrelated words is far harder to guess than a short password full of symbols, and easier to remember. A company-approved password manager lets employees keep long, unique passwords without memorizing or writing them down, and turn on multi-factor authentication wherever it is offered, especially for email and remote access.
- Make sure mobile devices that contain company information, including laptops, smartphones, tablets and flash drives, use full-disk encryption (such as BitLocker or FileVault on laptops) and are protected by a strong password or PIN, so the data stays unreadable if the device is lost or stolen. Where possible, enable remote lock and wipe so a lost device can be dealt with quickly.
- Control access to your computer systems on a need-to-know basis: give each employee only the access their job requires. Establish a process to deactivate the accounts of former employees and third-party contractors on the day their service ends, and periodically compare the list of active accounts against your HR roster so that nothing is missed.
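The password guidance above can be turned into a concrete check. The following Python script is an added example, not code from the original article: it applies a minimum length, rejects passwords found in a breached-password list, flags predictable fragments, and audits a set of accounts for reuse, which is the kind of check a password manager's audit feature performs. The breached-password list and the sample vault are constructed for illustration (a real check would use a large corpus such as the Have I Been Pwned list), and the account names and passwords are hypothetical.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus (a real deployment checks a
# large list such as the Have I Been Pwned dataset). Stored as SHA-1 digests, the
# form in which such lists are commonly distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1", "Summer2024!", "Welcome123", "letmein2024")
}

# Fragments that add length without adding real strength.
PREDICTABLE = ("123456", "qwerty", "abcdef", "password")


def check_password(candidate, breached=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if hashlib.sha1(candidate.encode()).hexdigest() in breached:
        problems.append("found in a breached-password list")
    lowered = candidate.lower()
    for fragment in PREDICTABLE:
        if fragment in lowered:
            problems.append(f"contains the predictable fragment '{fragment}'")
            break
    if len(set(lowered)) <= 3:
        problems.append("uses too few distinct characters")
    return problems


def find_reused(vault):
    """Given {account: password}, return sorted groups of accounts sharing one password."""
    groups = defaultdict(list)
    for account, password in vault.items():
        # Group by digest so the comparison never touches plaintext again.
        groups[hashlib.sha256(password.encode()).hexdigest()].append(account)
    return sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)


def audit_vault(vault):
    """Per-account problems plus reuse groups, the way a password manager's audit reports them."""
    weak = {}
    for account, password in vault.items():
        problems = check_password(password)
        if problems:
            weak[account] = problems
    return {"weak": weak, "reused": find_reused(vault)}


if __name__ == "__main__":
    # Constructed sample vault with hypothetical accounts and passwords.
    sample = {
        "mail": "Password1",
        "vpn": "Password1",
        "crm": "Summer2024!",
        "bank": "correct horse battery staple",
        "payroll": "correct horse battery staple",
    }
    for section, result in audit_vault(sample).items():
        print(section, result)
```

Note that the passphrase passes every check yet is still flagged as reused: uniqueness is a separate property from strength, and a strong password shared between the bank and payroll accounts turns one compromised site into two.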
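The periodic comparison of active accounts against the HR roster described in the last point can be automated. The following Python script is an added example, not code from the original article: it reconciles an HR export against a directory dump and reports enabled accounts belonging to terminated employees, contractors whose engagement has ended, accounts with no HR owner, and accounts nobody has used in 90 days. It also flags a terminated user who logged in after their end date, which points to either a deprovisioning failure or a compromised account and should be investigated. The roster, directory entries, user names and dates are all constructed for illustration and are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical users and dates). Stands in for an HR export
# and a user dump from your directory or identity provider.
HR_ROSTER = [
    {"user": "asmith",  "type": "employee",   "status": "active",     "end_date": None},
    {"user": "bjones",  "type": "employee",   "status": "terminated", "end_date": "2024-03-15"},
    {"user": "cvendor", "type": "contractor", "status": "active",     "end_date": "2024-05-31"},
    {"user": "dlee",    "type": "contractor", "status": "active",     "end_date": "2025-12-31"},
    {"user": "fgarcia", "type": "employee",   "status": "active",     "end_date": None},
]
DIRECTORY = [
    {"user": "asmith",     "enabled": True,  "last_login": "2024-06-10"},
    {"user": "bjones",     "enabled": True,  "last_login": "2024-06-09"},
    {"user": "cvendor",    "enabled": True,  "last_login": "2024-04-02"},
    {"user": "dlee",       "enabled": True,  "last_login": "2024-06-01"},
    {"user": "svc-backup", "enabled": True,  "last_login": "2024-06-10"},
    {"user": "ejones",     "enabled": False, "last_login": "2023-01-01"},
    {"user": "fgarcia",    "enabled": True,  "last_login": None},
]

DORMANT_AFTER = timedelta(days=90)


def _parse(value):
    """Accept an ISO date string, a date, or None."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def find_stale_access(roster, directory, today):
    """Return {user: reason} for enabled accounts that should be disabled or reviewed."""
    today = _parse(today)
    by_user = {r["user"]: r for r in roster}
    findings = {}
    for acct in directory:
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing to do
        user = acct["user"]
        last_login = _parse(acct["last_login"])
        record = by_user.get(user)
        if record is None:
            # Nobody in HR owns this account: a service account needing an owner, or an orphan.
            findings[user] = "no HR record: assign an owner or disable"
            continue
        end = _parse(record["end_date"])
        if record["status"] == "terminated":
            reason = f"terminated {record['end_date']} but still enabled"
            if last_login and end and last_login > end:
                # Activity after the end date means the offboarding gap was actually used.
                reason += f"; logged in {acct['last_login']}, after termination: investigate"
            findings[user] = reason
        elif end and end < today:
            findings[user] = f"{record['type']} engagement ended {record['end_date']} but still enabled"
        elif last_login is None or today - last_login > DORMANT_AFTER:
            findings[user] = "no login in the last 90 days: confirm the account is still needed"
    return findings


if __name__ == "__main__":
    for user, reason in sorted(find_stale_access(HR_ROSTER, DIRECTORY, "2024-06-15").items()):
        print(f"{user}: {reason}")
```

Run this on a schedule and treat any non-empty result as a ticket for the person who owns offboarding; the "logged in after termination" case should go to your incident response team rather than simply being closed by disabling the account.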