July 18, 2022
As threats to corporate data security grow more severe, some companies might need to reevaluate their data security plans to help ensure the best possible defense against hackers and information thieves. A data security plan outlines the training, tools, policies, and procedures an organization will use to help prevent and respond to data breaches.
When done well, data protection plans can help stop data theft and potentially save companies millions in fines and reputational damage. Conversely, companies could suffer if their security plans are not built on comprehensive and correct information. For example, if a security team does not know that company employees store confidential information on hard drives, it will likely not establish effective secure hard drive destruction procedures. This omission could expose sensitive data to information thieves.
Some businesses struggle to understand how and where sensitive data is stored, used, and destroyed. A recent TechRepublic survey found that 35% of IT leaders cite “lack of knowledge” as a key barrier to data privacy. Hidden data can cost companies millions and puts them at greater risk of security threats. Redundant, obsolete, and trivial data (ROT) and dark data are problematic because you may not even notice if they go missing. Information gaps can also put companies at greater risk of non-compliance with data protection regulations.
By asking the right questions and taking steps to understand information security, business leaders can be better informed as they develop data protection plans that include tactics to help prevent physical and digital data breaches.
The “basics” of an organization’s data management program form the foundation of effective information security. Business leaders should meet with their data protection officer and any other relevant employees to answer some key questions about their companies’ information management procedures: what types of data the company collects, how much data it stores, where that data is kept, how long it is retained, and with whom it is shared.
Companies will collect different types of confidential data depending on the products and services they provide. For instance, a clothing shop might store the names, email addresses, and credit card numbers of its customers, while a law firm might store confidential information about past or ongoing litigation. Leaders should also identify whether the collected data is physical (paper, hard drives, etc.) or digital (electronic files, cloud files).
The amount of information a company stores can help inform the investment in security tools, services, and personnel. For example, an organization that collects large amounts of sensitive paper documents might need to use a secure information management service that offers regularly scheduled document destruction.
This question can refer to the location of physical data (stored in desks, file rooms, home offices) and/or digital data (stored on external servers, local hard drives). Data location can play a role in a range of executive decisions from establishing security policies to selecting information technology.
Certain data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe, require companies to store data only for as long as necessary. Unneeded and unused data can make organizations bigger targets for hackers and information thieves. Sensitive information that the organization is not actively using should be destroyed or deleted.
Most organizations enlist the help of external partners and might share sensitive data with them in the process. For instance, companies might share customer email addresses with marketing firms to develop an email advertising campaign. Sharing data with third parties, while often necessary to a business’s operations, could increase the risk of exposing sensitive data to bad actors. In 2021, the third-party software provider Kaseya suffered a cyberattack that compromised not only Kaseya’s systems but the files of as many as 1,500 companies. Security teams should address third-party data sharing in data security plans and connect with their external partners to understand their security protocols.
Once business leaders and security teams fully understand the “basics” of corporate data management, they can begin to implement other strategies to help improve data knowledge and security, such as:
Physical data protection should be a key player in every company’s data protection policies, and we are ready to help. Our team of experienced physical information security professionals can help leaders identify vulnerabilities and create a plan for safe and secure data management. Learn more about Shred-it's services and contact us to schedule a free security risk assessment.