If you have a company, you have data. And you need to protect that data, or else you won’t have a company for very long. Because there are criminals looking for any information they can get their hands on to sell on the dark web or hold for ransom. There are also natural disasters and accidental errors that can corrupt or destroy your data, which leads to costly, sometimes overwhelming downtime that you never recover from. So preventing data loss is important. And we’ve got 5 strategic tips to help you do it.
1. Identify Your Business Data
Business data comes in all shapes and sizes. You may have:
- customer information that includes financial and personally identifiable information (PII).
- vendors and likely some proprietary information.
- employee details and passwords.
- And on and on.
So before you can figure out how to protect it, you need to determine what you have.
As you identify the data you collect, categorize it with regard to its sensitivity. For example, credit card numbers and employee login information should take priority over your vendor addresses, which are likely public anyway.
Note where, how, and for how long your various pieces of information are stored. We’ll dig into this further in tip 3.
2. Set Your Data Protection Standards
Once you know what data you have, figure out what your goals are for protecting it.
Obviously no business wants to deal with data theft or leakage, but those aren’t the only objectives you may have.
- You may be subject to regulations or compliance requirements, and have to demonstrate that you meet them.
- You may be more focused on maintaining data integrity.
- Your top priority could be confidentiality.
- Your primary goal could be availability.
Implementing the most effective strategies to prevent data loss can be different depending on your specific goals. So figure out those objectives and write them down. That’s the start of your Data Loss Prevention (DLP) plan.
3. Map Your Data Collection Process
This is the big one.
Now that you know what you’re collecting and how you want to protect it, look at how you obtain it, handle it, and keep it, from start to finish. Because if you’re going to protect it, you need to know where it comes in, who touches it, how many programs or third parties can access it, and what happens to it.
Let’s look at a common example.
Most businesses have websites with forms for potential customers to fill out. In order to help the customer, you probably ask for their name and phone number or email address. So what happens to that data when the form gets submitted?
- Does a notification tell a person in your company to manually look at the data in the website and respond to it?
- Does an employee get an automatic email with the data included?
- Does the form get automatically sent to a CRM or lead database?
- Is it handled by a third party to be filtered before it takes up your team’s time?
Each of those examples sends your data to a different place and, in most cases, to more than 1 place. You need to know all the paths your data can take in order to determine where it goes and who has access to it so you can properly protect it.
Then what happens?
- Does the form information stay on the website or get deleted?
- Is it shared via email or other programs within your company?
- Does it get added to different software, such as accounting or processing and shipping?
- Is it stored in a database that other companies can access?
Like branches on a tree, you can see how quickly and easily the options multiply. But don’t be alarmed if this seems overwhelming. Documenting processes that are already in place just takes time and attention to detail.
Take it slow and talk to the people who deal with the data each day. Have them walk you through their steps and make a diagram of the process. You can visually mark where data comes in and goes out and who has access to it. Go through each method that data can enter your business, whether by website, phone, word of mouth, etc., and follow each thread to its conclusion.
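The diagram described above can also be kept as data and queried. The following is an added example, not part of the original article: it models the web-form scenario as a small graph and lists every path the data takes, which locations are outside the company, and who can touch it. All system and role names are constructed assumptions.

```python
from collections import deque

# Constructed data-flow map for the web-form example: each edge is
# (from, to). Node names and attributes are illustrative assumptions.
FLOWS = [
    ("web_form", "website_db"),
    ("web_form", "notification_email"),
    ("web_form", "lead_filter_vendor"),
    ("lead_filter_vendor", "crm"),
    ("crm", "accounting"),
    ("crm", "shipping_partner"),
]

# Who can reach each location, and whether it sits outside the company.
NODES = {
    "web_form":           {"external": False, "access": {"marketing"}},
    "website_db":         {"external": False, "access": {"marketing", "web_agency"}},
    "notification_email": {"external": False, "access": {"sales"}},
    "lead_filter_vendor": {"external": True,  "access": {"vendor_staff"}},
    "crm":                {"external": False, "access": {"sales", "support"}},
    "accounting":         {"external": False, "access": {"finance"}},
    "shipping_partner":   {"external": True,  "access": {"partner_staff"}},
}


def trace(entry, flows=FLOWS):
    """Return every path data can take from an entry point (cycle-safe)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    paths, queue = [], deque([[entry]])
    while queue:
        path = queue.popleft()
        nexts = [n for n in graph.get(path[-1], []) if n not in path]
        if not nexts:
            paths.append(path)  # reached the end of a branch
        for n in nexts:
            queue.append(path + [n])
    return paths


def exposure(entry, nodes=NODES):
    """Summarise where the data ends up and who can touch it."""
    reached = {n for p in trace(entry) for n in p}
    return {
        "locations": sorted(reached),
        "external": sorted(n for n in reached if nodes[n]["external"]),
        "who": sorted(set().union(*(nodes[n]["access"] for n in reached))),
    }
```

Calling `exposure("web_form")` on this constructed map shows a single form submission reaching seven locations, two of them third parties.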
4. Implement Access Control
Once you know what data you have, where it goes, and who can touch it, you can truly begin to protect it. Access control, or restricting the ability to view or manipulate data or resources, is often thought of as an unnecessary power grab by management or IT people. But that misperception typically stems from a lack of tip #5.
What access control really does is allow you to manage and protect your data. By consciously choosing whether someone needs to view information or be able to change information based on their role, you are reducing your exposure and risk.
It can be jarring for employees to lose access to something if they always had it. But if they don’t need it, then their access only opens your business to more threats for no reason. If they do need it, then they should have the level of access needed to get their job done.
Make sure you take a look at your vendors’ access, too. Do their terms of service mean they can copy, save, or edit the information you give them access to? What protections do they have in place for themselves and what is extended to you?
Access control should also be an important piece of your offboarding process. Whenever employees change positions or leave the company, you should have a checklist or process to make sure their permissions are reviewed or removed.
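One way to run the review described in this tip, as an added example that is not from the original article: compare what each account is actually granted with what its current role needs, and flag anything above that baseline, including accounts of people who have left. The roles, users, datasets and grant list are constructed assumptions.

```python
# Role baseline: what each role needs, per dataset ("view" is less than "edit").
# All names below are constructed for illustration.
LEVEL = {"none": 0, "view": 1, "edit": 2}
ROLE_NEEDS = {
    "sales":   {"crm": "edit", "payments": "none"},
    "finance": {"crm": "view", "payments": "edit"},
}
# HR record: current role, or None once the person has left.
STAFF = {"ana": "sales", "ben": "finance", "cy": None}
# What the systems actually grant today.
GRANTS = [
    ("ana", "crm", "edit"),
    ("ana", "payments", "view"),  # never needed by sales
    ("ben", "crm", "edit"),       # left over from a previous sales role
    ("ben", "payments", "edit"),
    ("cy", "crm", "view"),        # account of a departed employee
]


def review(grants=GRANTS, staff=STAFF, needs=ROLE_NEEDS):
    """Return (user, dataset, action) for every grant above the baseline."""
    findings = []
    for user, dataset, granted in grants:
        role = staff.get(user)  # unknown users are treated like leavers
        if role is None:
            findings.append((user, dataset, "remove: no longer employed"))
            continue
        needed = needs[role].get(dataset, "none")
        if LEVEL[granted] > LEVEL[needed]:
            action = "remove" if needed == "none" else f"reduce to {needed}"
            findings.append((user, dataset, action))
    return findings
```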
In order to truly protect your data, your entire team needs to know your company’s data loss prevention goals. In addition to continuously educating them about phishing risks and scams, you need to impress upon them the importance of proper password hygiene. Why?