Archive for the ‘Information Security Policy’ Category

Conducting an Internal Data Security Audit

Sunday, November 23rd, 2008

Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has — or could have — access to it is essential to assessing security vulnerabilities.

Whether you’re an industry giant or a lean-and-mean one-person shop, here are some tips on conducting a data security audit to determine how data flows through your organization and who has access to it.

  • Inventory all file cabinets, computers, flash drives, disks, internal and outsourced applications, and other equipment to find out where your company stores sensitive data. Don’t forget about laptops, employees’ home offices, cell phones, and email attachments. No security audit is complete until you check everywhere sensitive data might be stored.
  • Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of who sends your company sensitive data. Do you get it from customers? Call centers? Credit card companies? Banks or other financial institutions? Affiliates and contractors?
  • How does sensitive data come into your company? From your website? Via email? Through the mailroom? What kind of information is collected at each entry point? Customers’ credit card, debit, or checking account numbers? Sensitive health or financial data?
  • Who has or could have access to the information? Which of your employees has permission to look at sensitive data? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors running your call center, distribution, or fulfillment operations?
  • Don’t forget copies of sensitive data that are routinely made, such as physical copies of contracts or IT data backups. The more copies of data you keep, the greater the risk that it will be seen by someone who is not on the ‘official’ access list.
  • Different types of data present varying risks. Pay particular attention to how you keep personally identifying information like Social Security numbers; credit card, debit, checking account, or financial information; and other sensitive data that could facilitate fraud or identity theft if it fell into the wrong hands.
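As an added example (not from the original post), a small Python data-discovery scan that walks a directory tree and reports files containing dashed SSN-like strings or Luhn-valid card-like numbers, the kind of check that turns "inventory everywhere data might be stored" into something repeatable. The paths, file names and sample values in `demo()` are constructed for the demo; a real audit would extend the patterns and point the scan at shares, backups and mail exports.

```python
import os, re, tempfile

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # dashed SSN, invalid ranges rejected
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed; Luhn filters noise

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-like strings in one file's text."""
    cards = [re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(text)]
    return {"ssn": len(SSN_RE.findall(text)),
            "card": sum(1 for c in cards if luhn_ok(c))}

def scan_tree(root: str) -> dict:
    """Walk root; map each file (path relative to root) with findings to its counts."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, but a real audit should log it
            if counts["ssn"] or counts["card"]:
                findings[os.path.relpath(path, root)] = counts
    return findings

def demo() -> dict:
    """Scan a constructed mini file tree (sample values, not real data)."""
    root = tempfile.mkdtemp()
    samples = {
        "hr/onboarding.txt": "New hire SSN 078-05-1120 (constructed sample)",
        "sales/refunds.csv": "id,card\n7,4111 1111 1111 1111\n8,4111-1111-1111-1112\n",
        "notes/todo.txt": "Call 555-123-4567 about invoice 20081118",  # no hits expected
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Only files with at least one hit are reported, and the second card number in `refunds.csv` fails the Luhn check, so the phone number and invoice id produce no false positives.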


Creating an Incident Response Plan

Friday, November 21st, 2008

Taking steps to protect personal information in your files and on your computer can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why it’s important for companies to have an incident response plan in place to deal with security incidents before they occur. Putting together a “What if?” action strategy now may help reduce the impact an information breach can have on your business, your employees, and your customers.

Here are some tips about customizing your company’s incident response plan.

  • Senior management sets the tone for any organization’s commitment to data security. That’s why drafting, coordinating, and implementing your company’s response plan isn’t a job for a newcomer. Designate a well-respected senior executive to head up your response team. Select someone with a reputation for working well with every part of your operation — sales, financial, personnel, information technology.
  • Once you’ve put together your response team, have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a rootkit attack, to name just two — are unfortunate, but foreseeable.
  • Experience sharpens intuition. If your staff suspects a breach, investigate it immediately.
  • If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Investigate whether intruders opened files or placed new programs on your computer. Did they release viruses or other malware? By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.
  • Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.

Privacy Policies: Actions Speak Louder than Words

Thursday, November 20th, 2008

A 1998 study by the Federal Trade Commission (FTC) showed that 85 percent of online retailers collected personal information from consumers, but fewer than 15 percent posted a privacy policy explaining their information practices. What a difference a decade makes. These days privacy policies are standard for any Internet marketer. But as recent FTC law enforcement actions make clear, having a privacy policy is just the first step. It’s critical that companies live up to the promises they make about how they use and secure the information they collect.

So what does this mean for savvy marketers? Here are some tips on making your privacy policy have some teeth.

  • Design your privacy policy with your customers in mind. Just like the rest of your website, your privacy policy should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum.
  • Some online retailers lace their privacy policies with lofty language about how careful they are with customers’ personal information, but don’t back their words up with tough security measures. Statements in your privacy policy are no different from any other advertising claim you make. You’ve got to back them up with solid proof.
  • For security-minded consumers, your company’s information security practices are a key factor in their decision to do business with you. So if you decide to modify how you use personal information, it’s important to call customers’ attention to that change in policy. Just editing what you say on your website won’t alert them to your new procedures.
  • A company’s privacy policy is only as strong as the staff that implements it. That’s why it’s important to train all employees — including your IT professionals, sales representatives, human resources specialists, and support staff — on how to protect sensitive data. 

Data Security for Mobile Employees

Wednesday, November 19th, 2008

Take a look around you the next time you’re at the airport: busy executives scrolling through messages on their PDAs, flipping through stacks of client files, and carrying on animated conversations with colleagues via cell phone. No one appreciates the convenience of today’s virtual office more than overworked executives. But are your employees maintaining the same high standards for data security when they’re on the road as when they’re in the office? Here are some tips for reducing the risk of a security breach for highly mobile employees.

  • Many companies have special passwords and access numbers for employees to use when they’re off-site. Avoid the temptation to jot them down on a scrap of paper you keep with your laptop. Don’t use shortcut keys to program passwords, access codes, or credit card numbers.
  • Before leaving on business travel, check your briefcase, PDA, and laptop for data that shouldn’t go on the road with you. Sensitive information is best left locked in a file cabinet or burned to a CD or flash drive stored securely in your office.
  • Ten percent of all laptop thefts occur in airports. Keep your eye on your electronic devices when going through airport screening. Don’t put your cell phone, PDA, or computer on the conveyor belt until the person directly ahead of you has made it through the metal detector.
  • A survey of business travelers found that a third of them confessed to sneaking a peek at an airplane seatmate’s computer screen. Defer work on confidential client files until you’re away from prying eyes.
  • Ever taken a look at the documents some travelers leave on the computer at the hotel business center? And just think of the sensitive information blurted out during loud cell phone conversations. Remind your employees to keep their guard up in public. You never know who might be listening. It’s a small, small world.
  • Information on home computers can be just as vulnerable to compromise. Require up-to-date firewall, anti-virus, and anti-spyware protection and the latest security patches on home computers used even occasionally for business. Establish company policies about off-site access to sensitive data.
  • Business travelers often are the first in line for the latest electronic device, but need to take care before disposing of the old one. When getting rid of computers, cell phones, or PDAs, deleting files using keyboard commands may not be sufficient because data can remain on a device’s memory. Check with your IT staff to see if there is a “wipe” utility program that can overwrite the memory so data is no longer recoverable.

Benefits of a Data Retention Policy

Tuesday, November 18th, 2008

Most businesses accumulate massive amounts of sensitive information, and like many of us at home, we never get around to throwing out the stuff we don’t need anymore. But times have changed. In an age of security breaches and identity thieves, holding on to sensitive business or customer information longer than necessary can significantly increase your information security risks.

The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, and sales and customer service records, in both digital and non-digital form. This process should be driven by the creation of a data classification scheme which identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.

Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed of. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down — Keep only what you need for business.

  • If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
  • Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
  • Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
  • If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.
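An added example, not part of the original post: the data classification scheme described above expressed as a small Python policy table (sensitivity class, required controls, retention period), applied to a constructed inventory to flag records past their retention period, records missing a required control, and sensitive records held with no recorded business justification. The class names, control names, retention periods and record ids are assumptions for illustration, not a standard.

```python
from datetime import date, timedelta

# Constructed classification scheme: class -> required controls and the longest the
# business keeps the data (None = kept for the life of the relationship, e.g. public material).
SCHEME = {
    "public":       {"controls": set(),                                  "retain_days": None},
    "internal":     {"controls": {"access_list"},                        "retain_days": 365 * 7},
    "personal":     {"controls": {"access_list", "encrypted"},           "retain_days": 365 * 2},
    "payment_card": {"controls": {"access_list", "encrypted", "masked"}, "retain_days": 90},
}

# Constructed inventory of data stores; "collected" is the date the data was gathered.
INVENTORY = [
    {"id": "web-reg-2008", "classification": "personal", "collected": "2006-03-01",
     "controls": {"access_list", "encrypted"}, "justification": "account service"},
    {"id": "pos-batch-0911", "classification": "payment_card", "collected": "2008-09-11",
     "controls": {"access_list"}},  # POS software preset to keep full card numbers in clear text
    {"id": "contract-a17", "classification": "internal", "collected": "2005-05-20",
     "controls": {"access_list"}, "justification": "contract performance"},
    {"id": "press-kit", "classification": "public", "collected": "2001-01-01", "controls": set()},
]


def review_inventory(records, scheme, as_of):
    """Apply the scheme to every record as of an ISO date and return findings:
    'dispose' (past retention), 'gaps' (required controls not applied) and
    'unjustified' (data in a controlled class with no recorded business reason)."""
    today = date.fromisoformat(as_of)
    findings = {"dispose": [], "gaps": [], "unjustified": []}
    for rec in records:
        rule = scheme[rec["classification"]]
        limit = rule["retain_days"]
        age = today - date.fromisoformat(rec["collected"])
        if limit is not None and age > timedelta(days=limit):
            findings["dispose"].append(rec["id"])
        missing = rule["controls"] - rec["controls"]
        if missing:
            findings["gaps"].append((rec["id"], sorted(missing)))
        if rule["controls"] and not rec.get("justification"):
            findings["unjustified"].append(rec["id"])
    return findings


if __name__ == "__main__":
    for kind, items in review_inventory(INVENTORY, SCHEME, "2008-11-18").items():
        print(f"{kind}: {items}")
```

Re-running the review on a later date is how the policy stays current: the card batch that is still inside its 90-day window in November falls into the dispose list by January.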
