BreachExchange mailing list archives

Avoiding Data Breaches: Top Tips to Keep Company Information Safe


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Aug 2014 20:02:01 -0600

http://www.freshbusinessthinking.com/business_advice.php?CID=0&AID=13134&Title=Avoiding+Data+Breaches%3A+Top+Tips+to+Keep+Company+Information+Safe#.U-pAh_ldXsg

When we think of data breaches we tend to think about lost or stolen
paperwork, but in reality this is rarely the case. Information is just as
easily taken from computers, laptops and USB sticks, and it is estimated that
80 per cent of data breaches stem from human error.

How businesses dispose of these items should therefore be a high priority.
Increased legislation helps guide businesses towards best practice; however,
every day we see fines levied against companies that have not managed their
records effectively. Data breaches are usually unintentional, caused by
individuals, so it is about taking the appropriate steps to avoid them.

Implementing stringent processes, such as those detailed below, will help
ensure that a company's data is managed and disposed of securely and in a
fully compliant manner:

1. Human error – ensure all staff are educated

Data breaches can be mitigated by ensuring staff know what is expected of
them and understand the consequences of failing to protect sensitive data;
the aim is to reduce human error. This responsibility extends to temporary
staff just as much as to permanent staff.

Make training fun and simple to encourage engagement. Check each employee
has understood by running a short quiz and asking staff to sign a document
to confirm they have understood.

Appointing information champions who have a good understanding of the field
can also be helpful, so that individuals within an organisation know who to
go to with any queries or concerns.

2. Data Protection – review your policies regularly

Data protection policies should be up to date and comply with current
legislation. Policies should be reviewed in line with business changes, for
example following certification to ISO/IEC 27001. A regular programme of
training which includes frequent refresher sessions is vital, as the
legislation and rules on handling data can change.

3. Sensitive Data – store safely and restrict access

Ensure all paper files and media devices containing sensitive information
are stored securely, either on site or with a third party. Take regular
back-ups of information stored on your computers and keep them in a secure,
separate location. It is prudent to restrict employees' access to sensitive
data, giving access only to the information they need to do their jobs,
whether online or in paper form.

4. Data disposal – remove risk of confusion

Implementing a "shred all" policy will remove any confusion staff may have
over what is classed as confidential material, and reduce the risk of
human error. Data should also be wiped from electronic devices such as
computers, laptops and USB sticks, and all of these should be stored in
locked containers or rooms while awaiting secure disposal.
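The point about wiping is that deleting a file only removes the directory entry; the blocks holding the data stay on the medium until something overwrites them. The following script is an added example (not part of the article) of the overwrite-and-verify step a practitioner would want before a device leaves the building: it overwrites a file in place with random data and then zeros, syncs to disk, confirms a known marker string is gone and the file is all zeros, and only then unlinks it. The file contents and the marker are constructed for the demonstration. The caveat is in the comments: on SSDs and on journaling or copy-on-write filesystems the old blocks may survive, so for whole devices the right answer is full-disk encryption from day one plus a crypto-erase or ATA secure erase, with the overwrite used only as a check that nothing readable remains.

```python
import os
import secrets
import tempfile

# Constructed sample content standing in for a sensitive record (not from the article).
SENSITIVE_MARKER = b"CUSTOMER-RECORD-0042 "
CHUNK = 65536


def write_sample(path: str) -> None:
    """Create the constructed sample file containing many copies of the marker."""
    with open(path, "wb") as f:
        f.write(SENSITIVE_MARKER * 256)


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite a file in place and fsync each pass. Returns bytes overwritten per pass.

    All passes but the last write random bytes; the final pass writes zeros so the
    result can be verified. Caveat: on SSDs (wear levelling), journaling or
    copy-on-write filesystems, and snapshots, the original blocks may survive this;
    use full-disk encryption plus crypto-erase / ATA secure erase for the device.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """True if the marker bytes are still readable anywhere in the file."""
    with open(path, "rb") as f:
        return marker in f.read()


def is_all_zero(path: str) -> bool:
    """True if every byte of the file is zero (what the final pass should leave)."""
    with open(path, "rb") as f:
        data = f.read()
    return data == b"\x00" * len(data)


def wipe_and_verify(path: str, marker: bytes = SENSITIVE_MARKER) -> bool:
    """Overwrite, verify, then unlink. Unlinking alone would leave the data on disk."""
    overwrite_file(path)
    ok = (not contains_marker(path, marker)) and is_all_zero(path)
    if ok:
        os.remove(path)
    return ok


def demo() -> bool:
    """Run the whole procedure on a constructed file in a temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "records.txt")
    write_sample(path)
    before = contains_marker(path, SENSITIVE_MARKER)  # the marker is present before wiping
    wiped = wipe_and_verify(path)
    gone = not os.path.exists(path)
    return before and wiped and gone


if __name__ == "__main__":
    print("wipe verified:", demo())
```

The verification step matters more than the number of passes: a single overwrite that is confirmed by reading the file back tells you more than several passes that were never checked, and it catches the case where the overwrite silently failed (read-only mount, short write, or a filesystem that redirected the writes elsewhere).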

5. Encryption and Password Protection – safeguard all electronic devices

Passwords should be changed on a regular basis, and staff should be made
aware of when to do so. It is best practice to ensure passwords contain a
minimum combination of six to eight letters and numbers, using upper and
lower case, in order to reduce the risk of the password being compromised.
Encryption adds another level of data privacy and should be applied to all
devices, including mobile devices, back-up tapes and laptops.

Information management has moved up the agenda of corporations, governments
and institutions in the modern world. Senior managers should therefore
establish stringent procedures governing the handling and secure destruction
of information, as well as ensuring all employees are aware of their
obligations and the potential consequences of data losses.

In this way, corporate data will no longer be viewed with fear but instead
seen as a carefully protected corporate asset. It’s all about being aware
of the power of memory.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 