For instance, you might need to protect personal information about your customers, such as their names, Social Security numbers, and credit card information. [2] On the other hand, you might be more concerned with limiting access to certain processes or formulas that give you an edge over your competitors, known as trade secrets. This might include formulas or manufacturing processes, your company’s financial model, lists of your suppliers, acquisition information, or your sales methods. [3] When you’re evaluating what information to classify as sensitive, also consider how long you’ll need to retain it. Customer information, for example, always remains sensitive, so it’s best to keep it in your systems only for as long as you need it. [4]
For instance, your company might face threats from hackers, unscrupulous competitors, or even employees who unintentionally share secure information.
If you label too much information as sensitive, employees will likely find workarounds for security protocols as a way to access the data they need.
For example, if your company offers financial services like cashing checks or making loans, the Gramm-Leach-Bliley Act requires you to protect all nonpublic personal information, including consumers’ names, addresses, payment history, or information you obtain from consumer reports. [8] If you’re an employee of the company, also make it a point to be aware of the organization’s rules on how to handle sensitive information. Consider reaching out to an attorney who specializes in corporate law to be sure you’re legally protected.
For instance, you might have annual security training, then send an email whenever any of your security processes are changed or updated. You might also put up signage at each of your company’s locations to keep security at the forefront of your employees’ minds. Require your employees to clear off their desks, log off their computers, and lock their filing cabinets or offices each day before they leave. Encourage your employees to report possible data breaches. You might even create an incentive program to reward employees who bring an issue to your attention!
For instance, if an email seems suspicious, the recipient should carefully check the domain that the email was sent from. Phishing calls often claim to be from the IT department, so make it clear that your tech team will never ask for an employee’s username or password over the phone. Employees who receive calls from customers should have a process for verifying a client’s identity before discussing any account information over the phone.
Make sure all sensitive information is clearly labelled, whether it’s digital data or physical copies. [13] Include how individual employees should handle data they have access to, including not keeping sensitive paperwork on their desks. This is known as a clean desk policy. [14]
Do not allow employees to remove sensitive data from company buildings, including taking laptops home or sending emails that contain protected information.
Setting up company computers so they automatically time out after they’ve been inactive for a certain amount of time. Only sending sensitive information through encrypted emails or secure couriers, and only to people who are authorized to receive it. [18] Always using secure printing. Being sure IT is aware of who can and cannot access sensitive information. Applying the same security measures to employees who work from home. [19]
Similarly, limit the amount of secure data employees can access from their phones or tablets. Install a remote wipe facility on laptops and other devices. That way, if a device is lost or stolen, you can destroy the data on it so it can’t be compromised.
For instance, you might use a private conference room with soundproof walls.
If you have to gather sensitive information—like a credit card number—consider having it wiped from your system as soon as you’re finished processing the transaction. Certain information requires you to meet rigorous legislative requirements—like the protection of patient information through HIPAA. Failing to meet those requirements can result in hefty fines, so if you don’t need to handle or store it, it’s best to avoid it altogether. [23]
For instance, if there’s a widespread power outage, understand whether your digital data would be more vulnerable to hacking. If so, take steps to eliminate that risk. [25]
Monitor the traffic on your system, especially when large amounts of data are being transmitted to or from it. [26] In addition, watch for multiple log-in attempts from new users or unknown computers, as this could be an indicator that someone is trying to access secure data.
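The two signals described above (bursts of failed log-ins, log-ins from computers you don’t recognize, and unusually large data transfers) can be checked automatically. The script below is an added example, not part of the original article or of any particular product: it runs over a handful of constructed log lines in a hypothetical `auth` / `xfer` format, compares source addresses against a constructed list of company-managed hosts, and returns alerts that a defender could forward to whoever reviews security events.

```python
"""Toy detection pass over constructed authentication and transfer log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth user=alice src=10.0.0.12 result=success
2024-03-01T09:00:05 auth user=bob src=10.0.0.15 result=failure
2024-03-01T09:00:06 auth user=bob src=203.0.113.7 result=failure
2024-03-01T09:00:09 auth user=bob src=203.0.113.7 result=failure
2024-03-01T09:00:12 auth user=bob src=203.0.113.7 result=failure
2024-03-01T09:00:13 auth user=bob src=203.0.113.7 result=success
2024-03-01T09:01:00 xfer user=alice dst=10.0.0.50 bytes=2048
2024-03-01T09:02:00 xfer user=bob dst=198.51.100.9 bytes=734003200
2024-03-01T09:03:00 auth user=carol src=10.0.0.20 result=failure
"""

# Constructed allowlist of company-managed hosts (hypothetical addresses).
KNOWN_HOSTS = {"10.0.0.12", "10.0.0.15", "10.0.0.20"}

AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(success|failure)$")
XFER_RE = re.compile(r"^(\S+) xfer user=(\S+) dst=(\S+) bytes=(\d+)$")


def analyze(log_text, known_hosts, fail_threshold=3,
            window=timedelta(minutes=5), bytes_threshold=100 * 1024 * 1024):
    """Return an ordered, de-duplicated list of (kind, user, host) alerts."""
    alerts = []
    seen = set()
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures

    def raise_alert(kind, user, host):
        key = (kind, user, host)
        if key not in seen:          # report each (kind, user, host) once
            seen.add(key)
            alerts.append(key)

    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts_text, user, src, result = m.groups()
            ts = datetime.fromisoformat(ts_text)
            # A sign-in from a host that is not on the managed-device list is worth a look.
            if src not in known_hosts:
                raise_alert("unknown_host", user, src)
            if result == "failure":
                # Keep only failures inside the sliding window, then count them.
                recent = [t for t in failures[(user, src)] if ts - t <= window]
                recent.append(ts)
                failures[(user, src)] = recent
                if len(recent) >= fail_threshold:
                    raise_alert("repeated_failures", user, src)
            continue
        m = XFER_RE.match(line)
        if m:
            _ts_text, user, dst, nbytes = m.groups()
            # Unusually large transfers out of the system are a classic exfiltration sign.
            if int(nbytes) >= bytes_threshold:
                raise_alert("bulk_transfer", user, dst)
            continue
        # Lines that match neither pattern are skipped; a real pipeline would count them.
    return alerts


if __name__ == "__main__":
    for kind, user, host in analyze(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{kind:18} user={user} host={host}")
```

The thresholds (three failures in five minutes, 100 MB per transfer) are placeholders to tune against your own baseline; the point is that each rule is a few lines once the log format is parsed, and that alerts should be de-duplicated so a reviewer sees one line per incident rather than one per log entry.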
Make sure the term of the NDA is long enough to protect you even after the employee leaves the company. [28]
Explain to each employee that maintaining data security is a part of their job description. Talk through any relevant laws and internal policy documents. [30] Remember, this should include all employees, including workers at satellite offices and seasonal or temporary help. [31]
Have IT revoke all of their security authorizations and passwords, as well. [34]
It’s a good idea to use the wording “all non-public information” in these clauses—that way, you don’t have to label every single piece of sensitive data. You may also need to have your service providers sign NDAs if they’ll be privy to sensitive information. [36]
In addition, make sure that information is only shared securely, like over encrypted networks or in private meetings. [38] Regularly review the credentials and access given to your third parties, and make sure you know exactly who is using them.
For instance, if a representative from your supplier will be touring your facility and they might get a glimpse of a non-public manufacturing process, it would be a good idea to have them sign an NDA.
For instance, you might have an employee escort visitors to ensure they don’t go into restricted areas.
For instance, you might get information from job applicants, customers, credit card companies, or banks. That information might enter your business through your website, email, the mail, cash registers, or your accounting department.
Ensure all paperwork is stored in locked filing cabinets, and that access is only given to authorized employees who legitimately need that information. [43] In addition to securing your on-site digital data, ensure that all cloud storage uses multi-factor authentication and encryption. [44]
Use secure servers, including cloud storage. Encrypt (or hash) client passwords. Regularly update passwords. [46] Keep security software up-to-date. [47] Be aware of software vulnerabilities. Control USB access. Back up information in a secure place.
Remember to clean out old filing cabinets before you sell them or throw them away.
You can also use a third-party data wiping program to be sure that files you routinely delete are erased from devices. [50]