Data Security Protocols: The Policies You Need and How to Enforce Them by Chris Turpin

According to the 2015 Cost of Data Breach Study, the average cost of each stolen record is $154 ($68 in the public sector) [1]. Those costs add up to an average consolidated total cost of $3.8 million, which is why one of our recent blog posts outlined broad considerations when it comes to keeping your data secure. We talked about using technology to remain vigilant, continuously monitoring, educating your employees, and backing up your data. We also touched on the importance of enforcing protocols. In raising that topic, I realized that it deserved a deeper dive.

When many business owners think about data security, they typically worry about outside threats, from someone hacking into their servers to a sophisticated cybersecurity attack that leads to a breach so large it makes headlines. In reality, your organization likely faces more threats from within its own walls, so ensuring that your employees are properly trained and that all existing protocols are actively enforced is key.

What do you need to protect against?

According to PricewaterhouseCoopers’ US State of Cybercrime Survey, more than one in four enterprise data security incidents come from inside.  Luckily, there are simple steps your organization can take to prevent a security breach:

  • Protect against weak access policies: Your employees should only have access to the systems and data they need to do their job. If an employee accidentally accesses a server full of confidential documents with sensitive customer data, like social security numbers, that employee now has a cached copy of that document on their personal workstation, which gives hackers another way to reach sensitive data. Make sure your system has a strict access policy with folders that are inaccessible by default until a system admin grants permission to a specific employee.

  • Protect against insider malice: It’s not pleasant to think about, but most malicious insider attacks happen in the 30 days before and the 30 days following an employee’s last day. If an employee still has an email or VPN login that works after packing up his or her desk, your data is at risk. Use common sense here, and remove employee access to email servers, VPN, and other company resources as soon as they leave. You may also want to block access to USB ports, not only to prevent intentional data theft but to prevent unintentional leaks by employees who aren’t as knowledgeable about proper enterprise data security precautions.
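One way to make the "remove access as soon as they leave" rule checkable is to compare the HR roster against the accounts that still work. The script below is an added example, not part of the original post; the roster, the account list and the field layout are constructed, and a real run would pull them from the HR system and the identity provider.

```python
"""Offboarding audit: flag accounts that should already be disabled.

Added example, not the post's own tooling. HR_ROSTER and ACCOUNTS are
constructed sample data; the 30-day window is the one the post cites.
"""
from datetime import date

RISK_WINDOW_DAYS = 30  # the post's "30 days before and following the last day"

# Constructed sample roster: employee id -> last working day (None = still employed).
HR_ROSTER = {
    "e101": date(2015, 9, 30),   # already left
    "e102": date(2015, 10, 20),  # leaving soon
    "e103": None,                # current employee, no end date on file
}

# Constructed sample accounts: (account, employee id, system, enabled, last login).
ACCOUNTS = [
    ("jsmith", "e101", "email", True, date(2015, 10, 5)),
    ("jsmith", "e101", "vpn", False, date(2015, 9, 29)),
    ("adoe", "e102", "vpn", True, date(2015, 10, 14)),
    ("bkim", "e103", "email", True, date(2015, 10, 15)),
]


def audit_accounts(accounts, roster, today):
    """Return (account, system, finding) tuples for accounts needing action."""
    findings = []
    for name, emp, system, enabled, last_login in accounts:
        last_day = roster.get(emp)
        if last_day is None:
            continue  # still employed, nothing to deprovision
        if today > last_day and enabled:
            # Login still works after the employee has packed up: disable now.
            findings.append((name, system, "deprovision_overdue"))
        if last_login is not None and last_login > last_day:
            # Evidence of access after departure: investigate, not just disable.
            findings.append((name, system, "post_departure_login"))
        if enabled and 0 <= (last_day - today).days <= RISK_WINDOW_DAYS:
            # Notice period: the post's high-risk window, so monitor more closely.
            findings.append((name, system, "notice_window"))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, HR_ROSTER, date(2015, 10, 15)):
        print(finding)
```

Run it from a scheduled job on the day of and the day after each departure; the "post_departure_login" finding is the one that should open an incident record rather than just a ticket.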

  • Protect against bad passwords: According to Bloomberg Business, it only takes ten minutes to crack a six-letter password that’s made up of only lowercase letters. All it takes is one employee with a password like “123123” or “soccer” to give a hacker easy access to your company’s valuable data. So make sure you have a strong and well-enforced password policy that prompts employees to change passwords every three months at the very least, and that ensures that passwords have at least nine characters, a proper mix of letters, numbers, and symbols, and a combination of uppercase and lowercase letters.
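The rules in this bullet are concrete enough to encode. The checker below is an added example, not the post's own code: the length, character-class and rotation rules come from the bullet, while the 90-day threshold, the 94-character printable alphabet and the guess rate implied by the Bloomberg figure are the example's own assumptions.

```python
"""Password policy check for the rules stated in the post, plus a keyspace
estimate showing why nine mixed characters is a different league from
six lowercase letters. Added example; the guess rate is an assumption
derived from the post's 'six lowercase letters in ten minutes' figure.
"""
import string

MIN_LENGTH = 9
MAX_AGE_DAYS = 90  # "every three months at the very least" (assumed as 90 days)


def policy_violations(password):
    """Return the rules the password fails; an empty list means it passes."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def rotation_overdue(last_changed, today):
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > MAX_AGE_DAYS


def implied_guess_rate(alphabet_size=26, length=6, seconds=600):
    """Guesses per second implied by exhausting six lowercase letters in
    ten minutes (treating the post's figure as a full keyspace search)."""
    return alphabet_size ** length / seconds


def seconds_to_exhaust(alphabet_size, length, guess_rate):
    """Time to try every password of the given alphabet and length."""
    return alphabet_size ** length / guess_rate


if __name__ == "__main__":
    for pw in ("soccer", "123123", "Gr33n-Tea!9"):
        print(pw, policy_violations(pw))
    rate = implied_guess_rate()
    years = seconds_to_exhaust(94, 9, rate) / (365 * 24 * 3600)
    print(f"9 chars over 94 symbols at {rate:,.0f} guesses/s: {years:,.0f} years")
```

The keyspace figure is a ceiling for brute force only; a password that appears in a breach list or dictionary falls in seconds regardless of length, so pair the rules with a check against known-bad passwords.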

  • Protect against unsafe downloads: Anything an employee downloads can become a security threat. What an employee thinks is a harmless app could be virus-laden or tied to a pirating website. Run a virus scan daily and back up data every time your employees leave work at the end of the day. Also be sure to block network access to torrent sites, and do not allow employees to download programs on their own without permission from IT. Education is key here: just clicking on a link in an email could lead to a virus that compromises your entire network, so educate your employees not to click on links in emails unless they are absolutely sure of the source.

Security protocols are pointless if you don’t enforce them

These tips don’t mean much if you don’t use them and enforce them. Establish and enforce rules requiring strong, hard-to-guess user IDs and passwords. Forbid reuse of the same password across accounts, and require periodic changes of user credentials. Spell out your company’s policies on access and downloads. Make sure all policies are formalized, on paper, and signed off on by all employees and contractors.

Designing and implementing an employee-training program is also a standard industry practice to ensure that all employees understand and manage their own privacy and data security safeguards.  Once employees are adequately trained and have signed off on your policies, it’s your job to make sure that any failures in compliance are documented, reported, and addressed.  When employees truly understand what is at stake when it comes to data security, they’ll be more likely to comply with the protocols you put in place.

From there, it’s all about ensuring reasonable oversight of security practices and enforcing protocols when employees do not comply. Monitor and filter outbound traffic and other outgoing transmissions to identify and block unauthorized disclosures of sensitive information. Warnings are fine, but if an employee violates protocol, record and retain information about the incident, and take action when necessary. Your data – and the company as a whole – will thank you.
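The outbound-monitoring step above can start very simply: scan what leaves the network for the kind of sensitive value the post names (social security numbers) and flag anything headed somewhere other than the company's own systems. The script below is an added example, not the post's tooling; the log lines, the pipe-separated export layout and the allow list are constructed.

```python
"""Outbound transmission filter: flag records carrying SSN-like values to
destinations outside the allow list. Added example; SAMPLE_LOG and the
timestamp|user|destination|summary layout are constructed assumptions.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area, group, serial):
    """Drop values the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000), which removes many order-number false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_outbound(lines, allowed_destinations):
    """Return (user, destination, hit_count) for each record that would send
    SSN-like data to a destination not on the allow list."""
    findings = []
    for line in lines:
        _ts, user, dest, body = line.split("|", 3)
        hits = [m for m in SSN_RE.finditer(body) if looks_like_ssn(*m.groups())]
        if hits and dest not in allowed_destinations:
            findings.append((user, dest, len(hits)))
    return findings


# Constructed sample export: timestamp|user|destination|message summary
SAMPLE_LOG = [
    "2015-10-15T09:01:02|jsmith|mail.example.com|quarterly numbers attached",
    "2015-10-15T09:05:44|adoe|webmail.example.net|customer 123-45-6789 needs refund",
    "2015-10-15T09:07:10|bkim|mail.example.com|payroll file for 234-56-7890",
    "2015-10-15T09:09:31|adoe|paste.example.org|order 000-12-3456 and 666-01-0001",
    "2015-10-15T09:12:00|jsmith|paste.example.org|ids 345-67-8901, 456-78-9012",
]
ALLOWED = {"mail.example.com"}  # the company's own mail relay (assumed)

if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_LOG, ALLOWED):
        print(finding)
```

Each finding is the record to retain for the incident file the post asks for; the blocking decision itself belongs in the gateway, with this logic as its rule.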

Sources:
[1] IBM and Ponemon Institute, 2015 Cost of Data Breach Study, http://www-03.ibm.com/security/data-breach/?cm_mc_uid=36145611266314428491256&cm_mc_sid_50200000=1442849125

Chris Turpin, Suntiva Director, has more than 25 years’ experience in IT, management, and consulting. He has been a key leader in developing Suntiva’s IT capabilities and service lines, and prior to joining Suntiva, he held senior IT director, infrastructure, and application development positions. Chris is a certified Project Management Professional (PMP) and holds a Bachelor of Science in Public Administration from George Mason University, a Masters Certificate in Project Management from George Washington University, and a Certificate for Computer Programming.

About Suntiva:
Suntiva is a management and performance consulting company located in Falls Church, VA that focuses on supporting federal government agencies. Suntiva provides services that enable agencies to plan, deliver and oversee IT programs, improve organization performance, develop their employees, validate program results, and manage the acquisition lifecycle. Suntiva makes organizations, programs, and employees measurably successful—by solving critical challenges with great minds and great hearts.
