Data Sentry
By: Lesley Fair
Issue: 2009mar


What’s in your file cabinet right now? Tax records? Payroll information? And what’s on your computer system? Financial data from your suppliers? Credit card numbers from your customers? To a busy marketer, those documents are an everyday part of doing business. But in the hands of an identity thief, they’re tools for draining bank accounts, opening bogus lines of credit and going on the shopping spree of a lifetime—at the expense of your company, your employees and the customers who trust you.

Sophisticated hack attacks make the headlines, but many security breaches could be prevented by common-sense measures that cost companies next to nothing. The specifics depend on the size of your company and the kind of information you have, but the basic principles remain the same. Whether you work for a multinational powerhouse with branches around the world or a start-up based in a home office, a sound information security plan is built on these five key practices: taking stock of personal information in your files, scaling down on what you don’t need, protecting the information you keep, disposing of what you no longer need and setting up a response plan for security incidents.

1. Take Stock
Effective data security starts with assessing your information and identifying who has access to it. Understanding how personal information moves into, through and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. To start, inventory all file cabinets, computers, flash drives, disks and other equipment to find out where your company stores sensitive data. Don’t forget laptops, employees’ home offices, cell phones and e-mail attachments. No security audit is complete until you check every place sensitive data might be stored.

Get a complete picture of who sends your company sensitive data. It most likely comes from customers, call centers, credit card companies, banks or other financial institutions, affiliates and contractors. Find out how this data comes into your company, what is collected at each entry point and who has or could have access to it. Once you’ve collected this information, understand which types of data present the greatest risk: Social Security numbers and credit, debit and checking account information pose the most serious risks, because they can facilitate fraud or identity theft if they fall into the wrong hands.

2. Scale Down
In an age of security breaches and identity thieves, the professional pack rat should be a thing of the past. If you don’t have a valid business reason to collect personal information, don’t ask for it. Review the forms you use to gather data—such as credit applications and fill-in-the-blank web screens for potential customers—and revise them to eliminate requests for information you don’t need.

If you must collect sensitive information, including account numbers and expiration dates, don’t hold onto it longer than necessary and develop a written records retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it and how to dispose of it securely when you no longer need it.

In the past, companies used Social Security numbers as employer identifiers or customer locators. To reduce risk, make it a company policy to use Social Security numbers only for required lawful purposes, such as reporting payroll taxes.

Check the software used to read credit card numbers and process transactions to ensure that it isn’t set to store information permanently and inadvertently keeping more information than you need. And verify that receipts comply with the Fair and Accurate Credit Transactions Act, which requires that electronically printed credit and debit card receipts truncate the card number to its last five digits and omit the expiration date.
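A small compliance check for the receipt truncation rule described above, added here as an example and not part of the original article or of any point-of-sale product. It assumes a constructed receipt format of `card number,MM/YY,amount` per line; the sample records and field layout are placeholders.

```python
"""Receipt truncation check (added example). Masks stored card numbers to the
last five digits, drops expiration dates, and flags records that still hold a
full card number. Record format is a constructed placeholder."""
import re

# Constructed sample records: "<card number>,<MM/YY>,<amount>". The first and
# third lines are untruncated; the second is already masked.
SAMPLE_RECORDS = """4111111111111111,12/27,19.99
XXXXXXXXXXX11111,,19.99
5500000000000004,03/26,42.00""".splitlines()

# Candidate card numbers are runs of 13 to 19 digits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real-looking card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_receipt(record: str) -> str:
    """Keep only the last five digits of the card number; blank the expiration date."""
    card, _expiry, amount = record.split(",")
    masked = "X" * (len(card) - 5) + card[-5:]
    return f"{masked},,{amount}"


def find_untruncated(records):
    """Return indices of records that still contain a full, Luhn-valid card number."""
    hits = []
    for idx, rec in enumerate(records):
        if any(luhn_ok(m.group()) for m in PAN_RE.finditer(rec)):
            hits.append(idx)
    return hits


if __name__ == "__main__":
    for i in find_untruncated(SAMPLE_RECORDS):
        print("untruncated record", i, "->", truncate_receipt(SAMPLE_RECORDS[i]))
```

Running `find_untruncated` over the stored receipt or transaction log is the check; `truncate_receipt` shows what a compliant record should look like.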

3. Lock It
Computer defenses can be critical, but when it comes to protecting personal information, don’t forget old-school physical security, too. Discourage light-fingered passersby by making sure every employee has a secure drawer or locker. Centralize sensitive paperwork and limit access to employees with a legitimate business need. Remind them not to leave documents out when they step away from their desks. Shipping data offsite? Consider encrypting it and using a mailing method that will allow you to track the package en route.

Viruses, spyware and other invaders will attack an unprotected computer in just seconds. Your tech staff has sophisticated defense tools at their disposal, but you must remind other employees that electronic security is everybody’s business. Use strong passwords (the longer, the better) and require your staff—including the ones who wreathe their computer screens with passwords scrawled on sticky notes—to store them securely and change them regularly. Ask your IT people to install an intrusion detection system to tip them off to network breaches. Monitor incoming and outgoing traffic for higher-than-average use at unusual times of the day. Check expert resources such as www.sans.org and your software vendors’ websites for alerts about the latest vulnerabilities and vendor-approved patches.

Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an otherwise conscientious employee who hasn’t learned the basics of protecting personal information. Create a culture of security by implementing a regular schedule of employee training. Make it clear to new staff that abiding by your company’s data security plan is an essential part of their job. Make account data, credit card numbers or other sensitive information available only on a need-to-know basis. Have a procedure in place for ensuring workers who leave your employ or move to another part of the business no longer have access to off-limits information.

Last, trust but verify. Before outsourcing any of your business functions—payroll, web hosting, call center operations, data processing or fulfillment—investigate the company’s data security practices and compare their standards to your own. Make sure your expectations and requirements are spelled out in the contract and build in a way for you to monitor their performance. Insist that contractors and service providers notify you immediately if they experience a security incident, even if it may not have led to an actual compromise of your data.

4. Pitch It
Once you’ve found the weak spots in your security and winnowed down what you keep, it defeats the purpose unless you also make sure your trash can’t be “recycled” by a scam artist. Breaching computer networks requires some technical know-how, but dumpster diving—rooting through garbage for account statements, Social Security numbers and other personal information—just takes patience and a strong stomach. Encourage your staff to separate the material that’s safe to trash from sensitive data that needs to be discarded with care.

Effectively dispose of paper records containing sensitive data by shredding, burning or pulverizing them before throwing them away. Have shredders available throughout the workplace, including next to the photocopier. Make sure discarded documents can’t be read—or reconstructed—by people with time on their hands and crime on their minds.

Whether working from home or on the road, make sure telecommuters and business travelers maintain your company’s high security standards. Remind them to be as careful when disposing of sensitive documents off-site as they are when creating them. If you use consumer credit reports in your business, you may be subject to the FTC’s Disposal Rule. It requires companies to adopt reasonable and appropriate disposal practices to prevent unauthorized access to—or use of—information in credit reports.

Also, be sure to completely delete computer files. Deleting them with the usual keyboard or mouse commands isn’t sufficient, because the files may continue to exist on the computer’s hard drive and could be retrieved easily. So when getting rid of old computers, laptops, hard drives, portable storage devices, cell phones, etc., use wipe utility programs. They’re inexpensive and provide better results by overwriting the contents so that the files are no longer recoverable.

5. Plan Ahead
Taking steps to protect personal information in your files and on your computer can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why it’s a good idea to have a plan in place to respond to security incidents before they occur.

Put together a response team and have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field, but others—such as a stolen laptop—are foreseeable.

If your staff suspects a breach, investigate it immediately. Waiting days to convene a committee can waste precious time. In case of a breach, immediately sever the compromised computer’s access to the internet and your network. To assess the impact, ask IT staff to preserve any available network logs, file transfer logs, system logs and access reports. Investigate whether intruders opened files or placed new programs on your computer. By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.

Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.

Lesley Fair is an attorney in the Federal Trade Commission’s Bureau of Consumer Protection who specializes in business compliance. For more information visit www.ftc.gov.

