Estimated Reading Time: 5 Minutes
As more and more major data breaches are announced, it’s not surprising that consumers are left wondering “how does this keep happening?” Which is a fair question. But businesses like yours should be asking the more important question: what exactly are you doing to protect consumer’s personally identifiable information from data leaks, breaches, and unauthorized use/access? As we’ve learned from other major data breaches, the immediate damage of those attacks, on the surface, appear to be strictly monetary; however, there are much larger, long-lasting effects which can wreak additional havoc on businesses. According to a Forbes Insights report, 46% of companies suffered damage to their reputation and brand value because of a cybersecurity breach.
At Generali Global Assistance (GGA), we believe it’s important that organizations only ask for and collect the data that’s essential to run the business – and exclude the data that is just “nice to have.” The more data you collect, the bigger the responsibility is around how you’re protecting it from being exposed to the wrong people – hackers and unauthorized employees.
Since October is National Cybersecurity Awareness Month, now is the perfect time to share a few key steps your company can take to better protect your customers’ data from getting into the wrong hands.
Take Inventory of Existing Data
Before collecting any additional data, it’s extremely important to take stock of what data you already have on file, be it digital files on employee’s laptops/computers, flash drives, mobile devices, or hard documents in cabinet filing drawers. Additionally, take a moment in this process to map out how your company receives consumer data (i.e. company website, third-party vendors, social media, etc.), as well as how it is stored. As we’ve come to learn, different types of data presents varying types of risks, so how your business collects and stores consumer’s sensitive information like their social security number, mailing address, personal telephone number, and the like, is critical to the success of this process.
To begin, create a secure living spreadsheet or document with columns for each area of interest:
- The types of data currently being collected
- Where each piece of data is stored
- Who has access to that particular piece of data (list of all employees, vendors, etc.)
- Who manages and owns that data
- Where the data is being used
- How the data is being protected (i.e. on the cloud, third-party vendor, secure server)
As you go through this process, it’s important to highlight and take note of the areas where security can be strengthened, as well as the areas where un-utilized data is being collected. This will help organize your findings in advance of the next few steps outlined below.
Secure And/Or Discard Personally Identifiable Data
After you’ve finished taking inventory, the next step in this process is simple: Keep what you need, discard what you don’t. One man’s trash is another man’s treasure, so for the data you’ve determined needs to be discarded, make sure it’s properly disposed and cannot be accessed again by following a few key steps:
- Shred all unnecessary paper records before discarding it, and make sure there are securely locked shredders available and easily located throughout your office. After the documents have been shredded, consider using a service to discard all shredded documents.
- Use a utility wipe program to securely erase all data from old/unused computers and laptops.
- Confirm if the data you’re looking to dispose of is a customer’s credit report. If it is, you may be subject to the FTC’s Disposal Rule.
For the data you’ve determined will be kept, create the proper procedures and protocols to safely and adequately secure it from all unauthorized access/exposure.
- Store all paper documents in a locked room or in a locked file cabinet, and limit employee access to only those who absolutely have a legitimate business need.
- Regularly run anti-malware on all business computers, and make sure the anti-malware software your business uses is up-to-date.
- Identify all devices where sensitive data is stored, and access each device’s vulnerabilities to known cyber-attacks.
Whether your business stores sensitive data physically (paper documents, thumb drives, hard drive backups) or digitally (on the cloud, private digital network, computer, etc.), it’s important to consider all the ways someone could potentially access that data, and what the ramifications would be if that data was exposed. There’s a lot someone with ill intentions can do with just your customer’s cell phone number, so be sure that every piece of data that is being collected, has the appropriate security measures in place to protect it from those bad actors.
Create a Plan to Store and Secure Collected Data
Once you’ve determined the data you want to keep versus the data that needs to be discarded, the next step is to create a clear and detailed plan of action around data security measures moving forward. This plan should address items such as:
- New sources of data (i.e. new software, vendors, web forms, etc.)
- Employee education on known fraud attacks such as phishing, malware, and robocalls
- What to do in case of a data breach/leak
- The types of data your business has decided not to ever collect
Create a plan that is not only manageable, but one that addresses current and future cybersecurity and identity theft concerns.
Be Transparent in the Marketplace
At GGA, we also believe in being transparent with our clients and customers about how we’re storing and protecting their data. How do we keep their data safe? GGA employs a three-pronged framework in data security: our employees, building, and data center. And if you haven’t had a chance yet, check out our blog, “Three Layers of Data Security: Our Mission to Keep Your Data Safe,” for a deeper dive into how we are protecting our clients’ and customers’ data from the inside out.
For a more in-depth take on how to protect your customer’s data, check out the FTC’s detailed guide on protecting consumer’s personal information. And if you’re interested in learning how GGA can help protect your customer’s from identity theft and fraud, contact our sales team today.