Business Data: Higher Stakes Protection

Businesses, even the smallest ones, keep a wealth of sensitive data on hand. And, if having one Social Security number stolen is bad, how bad is it to have every employee who works for you, or has ever worked for you, compromised? Or what about banking information for every customer you’ve ever serviced? This kind of scenario is incredibly damaging for large companies, and for a small one, it could mean the end of operations.

Identifying the Risks

Small businesses don’t practice identity protection, but data protection, a much more comprehensive activity that involves many of the same measures. Businesses have all the same problems that individuals do when protecting their vital information, along with an important additional factor: employees with access. Whenever a business has any employees at all, chances are they have access to data, often at multiple points (laptops, office computers, paper files, etc.).

Before writing any data protection strategy, you must first inventory the data you have—once you know where it is, you can go about securing those locations. Identify all computers, portable drives, discs, cell phones, and physical files, along with what data resides in each. Then pinpoint which employees have access at each point. Does the sales team keep customer data in their Blackberries? Do you keep old customer files in a storage facility, the keys to which hang on a hook over your desk?

Done correctly, this task is time-consuming and difficult. You will need to identify every access point, who has the right to use each one, and what steps need to be taken at each to protect the information there. But once it is done, your data will be as safe as it can be.

Keep Your Data Lean

Once you understand where your vital data is, the next step is deciding how much of it you need. In most states, you don’t need to keep employee information longer than a year or two; be sure to shred old employee files at your first legal opportunity. Customer payment data—credit card or banking information—is only useful until the customer pays. After that point, you are putting their data and yourself at unnecessary risk. Only keeping what you need gives you less data to protect, thus cutting expenses and helping control costs as well as access.

Lock Down What You Keep

Locking down the filing cabinets is important in a home setting, but it’s non-negotiable in a business environment. Physical documents are the most compromised data in offices, usually due to a lack of effective security. Security in a small business context seems fairly straightforward: just store the information behind a lock, with the keys accessible to as few people as possible. These ideas apply to both physical and electronic security, as you can easily “lock” computers as well as file drawers.

It’s not as simple as locking the doors, however. In any business, employees will be required to unlock them; the fundamental task here is to make sure that they lock up again when they are finished. Requiring employees to log off their computers at the end of work sessions, keeping track of who accesses offsite storage facilities, and maintaining a sign-in and sign-out system for sensitive files are all mechanisms that will keep vital data safe.

At root, training your employees in data protection, and conveying how important it is, will provide the best line of defense against data theft. It’s up to you to create a “culture of security” and manage your employees into living it every day.

The Centerpiece: The Plan

Every business is different, from the level of sensitive information it deals with, to the number of employees, to simple location. As such, every small business needs its own security plan, covering five questions: where the security points are, what data needs to be there, how it is to be protected and disposed of (if necessary), and what to do if it does become compromised.

This plan can be simple or quite extensive, but whatever the case it needs to be taken seriously. It requires effort at its creation, as well as continued monitoring as the needs of the business—along with access points, volume of important data, and dozens of other factors—change. Large corporations dedicate millions of dollars and entire security departments to protecting their data. Small businesses must take their information security just as seriously.
