Recent headlines about the Heartbleed bug have business owners worried about the safety of their data. Yet one of the biggest risks to your company’s security comes from a source much closer to home: your employees and the way they engage with your data. Whether it’s simple carelessness that results in a laptop full of your customers’ financial information being stolen, or the deliberate destruction wrought by a disgruntled former employee, there are steps you can take to protect yourself.
Allen Falcon, CEO of Cumulus Global and specialist in cloud data security says, “The number one best practice for data protection small business owners need to know about is don’t rely solely on free services. When you use free services, you’re sacrificing security for data storage.” Below, he shares some other best practices for data protection.
1. Employment agreements must address data security
Spell out your expectations regarding data handling and technology use from day one with comprehensive policies that employees are required to read, sign, and abide by as a condition of employment. “Make it clear that any data that resides on the company’s computers is company property, and the company can access it at any time,” Falcon advises. Knowing that the boss is watching can discourage employees from doing things like downloading client lists prior to leaving the job.
A policy that ensures they’re obligated to either return or destroy any company data they have on their own personal devices is also essential. “You can make the payment of any accrued vacation time, severance packages, or other compensation contingent on complying with this policy,” he adds.
2. Grant access to data on a need-to-know basis
The easiest way to prevent your employees from doing anything untoward with your data is to never give them access to it in the first place. “Give access and permissions to work with data based strictly on job function,” Falcon says. “Limit the scope of what they have access to to the data they need to do their job and no more.” Giving employees limited access—for example, the ability to view a document, but not edit, print, or share it—is a viable option to keep your operation moving and your business secure.
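The need-to-know rule above is easiest to enforce when access is decided by an explicit, default-deny policy keyed on job function rather than handed out ad hoc. The following is an added example, not code from the article or from Cumulus Global; the roles, data sets and users are constructed for illustration, and the policy table is a hypothetical stand-in for whatever your file-sharing or cloud system actually offers.

```python
from dataclasses import dataclass

# Actions a user may take on a document or data set.
VIEW, EDIT, PRINT, SHARE = "view", "edit", "print", "share"

# Hypothetical role-to-permission mapping (constructed for this example).
# Each role lists only the data sets it may touch and the actions allowed on
# them; anything not listed is denied.  Note the sales rep can view the client
# list but cannot edit, print or share it.
ROLE_POLICY = {
    "sales_rep":     {"client_list": {VIEW}},
    "sales_manager": {"client_list": {VIEW, EDIT, PRINT, SHARE}},
    "bookkeeper":    {"ledger": {VIEW, EDIT}, "client_list": {VIEW}},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def is_allowed(user, action, dataset):
    """Default deny: only an explicitly granted (dataset, action) pair passes.

    Unknown roles, unknown data sets and unknown actions all fall through to
    an empty permission set and are therefore denied.
    """
    perms = ROLE_POLICY.get(user.role, {})
    return action in perms.get(dataset, set())


def allowed_actions(user, dataset):
    """Sorted list of what this user may do with a data set (empty = nothing)."""
    return sorted(ROLE_POLICY.get(user.role, {}).get(dataset, set()))


def audit_line(user, action, dataset):
    """Build the log line you would keep for every access decision.

    Denied attempts are the ones worth reviewing: a rep repeatedly trying to
    share the client list is exactly the pattern the article warns about.
    """
    verdict = "ALLOW" if is_allowed(user, action, dataset) else "DENY"
    return f"{verdict} user={user.name} role={user.role} action={action} dataset={dataset}"


if __name__ == "__main__":
    rep = User("ann", "sales_rep")
    for act in (VIEW, EDIT, PRINT, SHARE):
        print(audit_line(rep, act, "client_list"))
```

Because the check is default-deny, adding a new role or data set grants nothing until someone writes it into the policy, which is the property you want when the goal is "no more than the job requires".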
3. Protect every device with a strong password
“Every computer and device used in or for your business needs a password,” Falcon says. “Whether that’s the desktop computer, a smart phone, or a tablet—all of these devices need to be protected.” Strong passwords are at least eight characters long, contain both upper- and lower-case letters, and include at least one number or special character. “Using a single sign-on system allows your employees to access all of your individual systems by logging on once,” he adds. “This makes managing your data easier and more secure.” Passwords should be changed every 60 to 90 days.
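The password rules stated above (minimum length, mixed case, a digit or special character, rotation every 60 to 90 days) are simple enough to check automatically when an account is created or audited. This is an added example, not code from the article or from Cumulus Global; it reports every rule a candidate password fails rather than stopping at the first one, and treats 90 days as the hard rotation limit, which is an assumption drawn from the upper end of the article's range.

```python
import string
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # upper end of the article's 60-90 day window (assumed limit)


def password_policy_violations(password):
    """Return the list of rules the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    # The article accepts either a number or a special character for this rule.
    if not any(c.isdigit() or c in string.punctuation for c in password):
        failures.append("no digit or special character")
    return failures


def is_strong(password):
    return not password_policy_violations(password)


def rotation_due(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when a password has reached the maximum age and must be changed."""
    today = today or date.today()
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("password", "Ab1", "Tr0ub4dor!"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
    print("rotation due:", rotation_due(date(2014, 1, 1), today=date(2014, 4, 1)))
```

Returning the full list of failures is deliberate: a user told only "too short" will fix that and be rejected again for a different rule, which is how weak-but-compliant passwords get chosen out of frustration.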
4. Consider data wiping tools
Unprotected mobile devices are one of the leading causes of business data loss. “All your employee has to do is forget their smart phone in the cab for you to have a real problem,” Falcon says. If your company needs to comply with HIPAA or SEC regulations, for example, or your customers’ personally identifiable information is on that device, the ability to remotely wipe the data is essential. Check the functionality of the tools you may already be using, such as Google Apps, as data wiping abilities may already be built in.
5. Go to the cloud
Cloud storage is rapidly becoming the gold standard for business data. Because data that is stored in the cloud doesn’t live on any device you or your employees may be using, it doesn’t matter if that device is lost, stolen, or destroyed. No one will be able to access your data without logging into the cloud-based system. Falcon recommends combining cloud storage with a virtual desktop service, such as iDisplay Desktop for Windows or AT&T’s Virtual Desktop, to leave absolutely nothing—not even document files—residing on devices where they can be accessed without your permission.
6. Immediately suspend employee accounts upon termination
When an employee leaves, on good terms or bad, change their passwords immediately. Changing the password prevents your former employee from resetting their password remotely and being able to access your data for their own ends. As the business owner, you may need access to the data that is stored in those accounts, so you don’t want to delete them prematurely.