November 30, 2021
November 30 is National Computer Security Day, when companies reemphasize their focus on information security and how to safeguard electronic devices and the data they contain. If you haven’t reviewed your organization’s data security strategies recently, this is the perfect occasion to make sure you are adequately protecting your technology and the information you generate.
Knowing Your Data Is the First Step
Every organization uses data as part of doing business. Unfortunately, that data often includes sensitive or potentially valuable information, not only to your organization but also to disreputable characters who may want to use it for criminal purposes. Sensitive data could consist of proprietary company information, customer records, financial data, protected health information, or other types of confidential material.
To ensure your information security program adequately protects your data, it is critical to understand what types of information you access, create, collect, use, store, and share. In addition, you should know where that data is kept and what form it takes. Is it electronic or paper or both? Is it stored in the cloud, on hard drives, on a handheld device, or in file cabinets? It’s also essential to understand if and how you exchange the information. By answering these kinds of questions, you can better understand what your legal, regulatory, and contractual data protection obligations are, what your information protection plan should entail, and where the likely risks are. For instance, if you determine that you house multiple types of sensitive information and regularly share it within your organization and with outside third parties, you may need to ramp up your investment in data security because your risk of theft or accidental disclosure is more significant. If, after performing the above-described exercise, you determine your sensitive data exposure risk to be low, you may still want to think about things like risks of cyber-related operational disruption or reputational damage to inform the placement of security protections in your organization.
Strategies to Help Ensure Your Technology Is Not a Risk Point
Laptops, desktops, tablets, and cell phones have become a staple in every business environment. However, since they are relatively simple to set up and use, it is easy to forget that they can be a weak point in your data security program if they are not adequately protected.
Here are three key strategies to mitigate data security risks associated with technology.
Promote password hygiene. Passwords are a crucial line of defense for devices, software, and online accounts—and creating those passwords should not be left to chance. Companies should develop password hygiene policies that cover how to generate strong, unique passwords and how frequently those passwords should be changed. In addition to containing at least 8 to 12 characters, best practice indicates that passwords should be composed of complex combinations of letters, numbers, symbols, and capitalization. Passwords should be changed regularly—especially when a potential threat is detected. Employees should have unique passwords for different logins, so fraudsters can’t access multiple areas of the company by cracking a single code.
Passwords should also not be written down or kept in unsecured locations, such as on sticky notes near computers or in an unprotected data file. To avoid this, you may want to encourage employees to use a password management app that utilizes two-factor authentication (2FA), which requires a second activity during login, such as entering a code delivered through text message. A password management app is a more secure, cloud-based vault where someone can store all their password details. With this type of program, you only have to remember one (ideally more complex) password to get into the vault. Not only does the software keep your passwords safe, but it also allows you to generate random, complex passwords each time you need one—something that is foundational for safeguarding data.
Check that data protection software is robust. Such software may include firewalls and anti-virus / anti-malware programs that can limit breaches and notify you should they detect anything suspicious. Data protection software is constantly evolving as cybersecurity threats morph and change. Consequently, you should make sure you have the latest versions installed on your technology. Enabling “auto-update” features or opting for cloud-based solutions that automatically update can ensure your protections remain current and can guard against new or emerging threats.
Dispose of legacy equipment regularly and properly. This is an often-overlooked risk mitigation strategy. For example, some businesses opt to lock up old hard drives and laptops in closets or off-site storage facilities. Unfortunately, stockpiling outdated equipment can present opportunities for data theft because criminals can break into these spaces, steal the equipment, and access the data. Even if you use software to erase, wipe, reformat, and degauss electronic devices before storing them, there are still risks because sensitive information can remain on the equipment and therefore can still be recovered or stolen. This also holds true when you throw away or recycle technology after wiping it. The fact is that physically destroying the equipment is the best way to be completely confident that data is permanently removed from hard drives and other technology.
To ensure your legacy equipment does not put your data at risk, consider performing regular clean-outs of storage facilities to avoid stockpiling unused technology. You can then work with a third-party destruction company like Shred-it to securely destroy the leftover equipment. We use shearing and crushing methodologies to obliterate devices, which are suitable for both solid state drives and traditional hard drives, and we guarantee a secure chain of custody from the moment we pick up your materials until they are demolished. Depending on your organization’s needs, you can schedule regular pickups or a one-time purge, and we also offer drop-off options. Our itemized Certificate of Destruction includes the device’s manufacturer name and serial number for your records. Once the equipment is rendered unusable, we recycle it with local partners, reducing the volume of material heading to landfills.
Learn more about how Shred-it can help protect your organization’s data.