Today, the disclosure of sensitive data is among the most commonly reported data breaches that occur in the workplace. Hackers, fraudsters, and, unfortunately, employees perpetrate this scenario. Now, more than ever, protecting sensitive data is good business, no matter the size of your company. Educating employees about cybersecurity and implementing straightforward protocols and policies, like those below, can save a business from ruin.
Safeguarding Physical Equipment. Since they can be lost or stolen so easily, laptops, mobile devices, memory sticks, DVDs, and other media storage devices are easy targets with which outsiders can access sensitive data. Help prevent unauthorized retrieval and use of sensitive business data by safeguarding and restricting the use of such devices outside the office. Computers and mobile devices should "lock" when unused for more than two minutes. Any portable device that stores sensitive business information must have the ability to be remotely wiped. All sensitive data used outside the office must be encrypted to limit accessibility to data if a device is lost or stolen.
TIP: Threats to company data can come from outside of a business and also from within. Controlling how employees and the public access your company's computer systems and data is an easy first step your company can take to play defense. HR professionals can work with IT colleagues and other stakeholders to implement straight-forward security strategies to protect trade secrets and guard against data breach.
Passwords. Every employee user account a company issues should be password protected. Require employees to use unique passwords for their accounts; passwords must include a combination of upper and lower case letters, numbers, symbols, and be 10 to 12 characters in length. Passwords should be changed every three months. Depending on your industry or the sensitivity of data handled by certain employees, consider implementing a system that utilizes multi-factor authentication. That safeguard requires certain employees to provide information beyond a mere password in order to use a company computer and/or sensitive portions of the company network.
Public Wi-Fi Networks. Accessing company networks via public Wi-Fi networks should be prohibited. Public Wi-Fi is just that – public. Prying eyes can easily monitor activity on a device connected to public Wi-Fi. Connecting to business networks should be done through a VPN (Virtual Private Network) connection.
Limiting Employee Data Access. As a general rule, a company should only allow an employee access to those computer and data systems necessary for her to do her job. Limit data access accordingly, and take special account of those systems that house protected data (e.g., social security numbers, payment information, health information) and trade secrets. Additionally, work with your IT department to limit employees' abilities to add software to their assigned devices. Unwelcome software can undermine safeguards and provide hackers a way into your systems.
Malware and Phishing Scams. Unsuspecting employees who succumb to malware and phishing scams open the door to the majority of "hacks." Train employees on how to identify "suspect" emails and educate them on the most recent malware and phishing scams. Emails from unknown or suspicious senders should not be opened until the identity of the sender is confirmed as legitimate and business related. Similarly, non-business-related Internet use should be restricted or prohibited. In both situations, the objective is to limit employee-enabled access points to the company network.
These steps are just the foundation for a cybersecurity plan. A team comprised of HR leaders, IT professionals, company stakeholders, and your legal advisor can build on these principles and create a comprehensive plan to protect your company and its assets.