I need to keep my customer and employee data safe
Protecting sensitive information about your customers or clients and employees should be a critical concern for your organisation. Essential data such as customer login credentials, payment details, financial records, and anything else related to the personal information you store must always be kept safe and secure.
The rise of online technology and the introduction of GDPR have placed a renewed focus on data protection and keeping the information you hold safe from cybercriminals. The impact of a data breach on your organisation could be significant, in terms of potential fines arising from breaching GDPR requirements, the cost of putting things right following an incident and investigating the cause of the breach, and the reputational damage your organisation could suffer. However, there are some simple steps you can take to develop a robust data protection strategy, bolster your ICT security and mitigate the risks of a potential data breach to your organisation.
The key data protection challenges
Most organisations create, collect, process and store data about their customers and their employees.
In the wrong hands, this sensitive information can be extremely valuable to hackers and cybercriminals committing fraud and financial crime, and it is also useful for further attacks: stolen login credentials, for example, are routinely reused against other services. More stringent legislation was introduced in the form of GDPR, which places greater responsibility on organisations that collect data to process and store it safely and securely. Organisations that don't comply can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.
A 2018 report by IBM estimated that the average UK data breach costs £2.7m, with each lost or stolen data record costing £110. So, the financial implications of a data breach on your organisation are clear – if you don’t protect your data correctly, it could end up costing a lot of money. However, protecting your data is sometimes not as straightforward as it sounds. There are several things to consider before developing an effective data protection strategy, for instance:
What data do you hold?
Do you know what data your organisation has, how it is collected or created and where it is stored? Establishing this should be your starting point, because if you don't know what you are meant to be protecting, you can't defend it. You need to know what data you hold – including contact details, financial information and any other personal data – along with how you obtained it. It's also essential to have a lawful basis for using it: under GDPR, consent is one such basis, but not the only one (performing a contract or a legal obligation are others), and whichever basis you rely on should be recorded alongside the data.
Where do you store your data?
Is it kept on-premises or in the cloud? Is the storage encrypted? How is the data accessed, and who has access to it? Answering these questions will help you identify and mitigate risks to your data. Storage should be encrypted so that a lost or stolen disk, laptop or backup cannot simply be read, and the systems you use should encrypt data both in transit (i.e. moving from one location to another across a data connection such as the internet) and at rest (i.e. where it is stored). Bear in mind that encryption at rest only protects against someone who obtains the storage media; it does nothing against an attacker using a compromised account that is legitimately allowed to read the data. It therefore has to be combined with proper access control, and the encryption keys must be stored and managed separately from the data they protect.
Data backup and recovery?
How would your organisation access your data in an emergency? Is it copied or backed up anywhere and, if so, are the backups secure? Can you restore your data if it becomes lost or corrupted? A robust backup and recovery plan will help ensure you always have access to your data when you need it. A backup you have never restored from is an assumption, not a plan, so test restores regularly. Keep at least one copy offline or otherwise isolated from your live systems, so that an attacker (or ransomware) who compromises those systems cannot also destroy or encrypt the backups, and protect the backups to the same standard as the live data, since they contain the same personal information.
Not everyone in your organisation will need access to your data, so make sure that you limit access to only the people who need it. This can be done by defining roles and granting each role access only to the information its holders need to do their jobs (the principle of least privilege), with anything not explicitly granted denied by default. Review those permissions when people change role or leave. It's also essential to ensure that all staff who deal with sensitive data are aware of the importance of keeping it safe, and of the potential security risks. Also, make sure that they aren't allowed to copy or save data on personal computers or devices.
GDPR sets strict stipulations for organisations in terms of the data they hold, who can access it, how long they can keep it for and what they must do once they no longer need it. So, it's important to know what your obligations are so you can assess how you are meeting them and identify any gaps which need to be addressed. If you don't have the in-house expertise to manage this, working with an external consultant with experience in ICT and data security is essential. They will be able to provide your organisation with the technical leadership required to ensure you comply with all relevant data protection legislation.
Data protection best practice
As part of your organisation's data security strategy, there are a few key steps your organisation should bear in mind when it comes to best practice. As mentioned earlier, identifying what data you hold is key. However, once you have done so, it's just as important to identify which of that data is personal data (GDPR's term, which covers any information relating to an identifiable individual and is therefore broader than obvious identifiers such as names, logins and payment details), as this is what you'll need to keep secure to ensure compliance. You'll need an organisational lead who is effectively the responsible owner of the data your organisation holds, and this person and the role they hold should be documented within your strategy.
You should also define your retention policies, data marking policies, and access control policies, along with your procedures for reporting breaches and other security incidents.
Once these have been defined, you’ll need to identify what retention policy, access controls, and sensitivity markings should be applied to particular groups of data. These controls can then be applied as required, and subject to ongoing monitoring and assessment to ensure their continued effectiveness.
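The following Python sketch is an added illustration, not part of the original article and not AMDH's own tooling, of how the three policies above (sensitivity markings, access control, retention) turn into controls that can actually be enforced and monitored over groups of records. The roles, markings, data groups, retention periods and sample records are all hypothetical and constructed for the example; access is denied by default, every refusal is logged, and a final check reports records the policy does not cover.

```python
"""Applying sensitivity markings, access control and retention to records.
Added illustration: all roles, markings, groups and periods are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Sensitivity markings, least to most sensitive (hypothetical scheme).
MARKINGS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")

# Access-control policy: the markings each role may read. Anything not listed
# is denied, so an unknown role or an unknown marking never gets access.
ROLE_ACCESS = {
    "support": {"PUBLIC", "INTERNAL"},
    "finance": {"PUBLIC", "INTERNAL", "CONFIDENTIAL"},
    "dpo":     set(MARKINGS),
}

# Retention policy: days each group of records is kept after collection
# (hypothetical periods chosen for the example, not legal advice).
RETENTION_DAYS = {
    "marketing_contacts": 365,
    "payment_records":    6 * 365,
    "hr_files":           6 * 365,
}

DENIALS = []  # audit trail of refused access: (role, record_id, reason)


@dataclass(frozen=True)
class Record:
    record_id: str
    group: str        # data group the record belongs to
    marking: str      # sensitivity marking applied to it
    collected: date   # when the data was obtained


def check_access(role: str, record: Record) -> bool:
    """Deny by default: only an explicitly listed role/marking pair is allowed.
    Every refusal is recorded so access control can be monitored afterwards."""
    allowed = record.marking in ROLE_ACCESS.get(role, set())
    if not allowed:
        DENIALS.append((role, record.record_id,
                        f"marking {record.marking} not permitted for {role}"))
    return allowed


def retention_expiry(record: Record) -> Optional[date]:
    """Date after which the record must be deleted, or None if no rule covers it."""
    days = RETENTION_DAYS.get(record.group)
    return None if days is None else record.collected + timedelta(days=days)


def records_past_retention(records, today: date) -> list[str]:
    """IDs of records held beyond their retention period and due for deletion."""
    due = []
    for r in records:
        expiry = retention_expiry(r)
        if expiry is not None and today > expiry:
            due.append(r.record_id)
    return due


def policy_gaps(records) -> list[tuple[str, str]]:
    """Ongoing assessment: records the written policies do not actually cover."""
    gaps = []
    for r in records:
        if r.group not in RETENTION_DAYS:
            gaps.append((r.record_id, "no retention rule for group " + r.group))
        if r.marking not in MARKINGS:
            gaps.append((r.record_id, "unknown marking " + r.marking))
    return gaps


# Constructed sample records for the example (not real data).
SAMPLE = [
    Record("R1", "marketing_contacts", "INTERNAL",     date(2023, 1, 10)),
    Record("R2", "payment_records",    "CONFIDENTIAL", date(2015, 6, 1)),
    Record("R3", "hr_files",           "RESTRICTED",   date(2022, 3, 15)),
    Record("R4", "web_analytics",      "SECRET",       date(2024, 1, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print("due for deletion:", records_past_retention(SAMPLE, TODAY))
    print("policy gaps:", policy_gaps(SAMPLE))
    for role in ("support", "finance", "dpo", "contractor"):
        print(role, [check_access(role, r) for r in SAMPLE])
    print("denials logged:", len(DENIALS))
```

Two details matter more than the data structures: the access check refuses anything the policy does not explicitly permit (R4 carries a marking nobody defined, so even the most privileged role cannot read it), and the gap report is what the "ongoing monitoring and assessment" step looks like in practice, because a record that no retention rule covers will never be deleted unless someone notices.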
Find out more
AMDH Services Ltd has a wealth of experience in developing and implementing data protection strategies and solutions. We can help your organisation identify and mitigate your risks, recommending the technologies and security options which will deliver the best return on investment. We can also provide you with the best technical expertise at the right cost to enhance the overall value of your investment in our services. To find out more, get in touch for an informal chat and a free consultation.