Privacy is a big concern if you are running a business, regardless of size. All businesses need to keep sensitive information about their customers, staff, associations and potential customers – all of this will contain information that pertains to individuals which could cause them (and you) harm if illegal accessed or divulged. Further the ability (or not) of a company it manage its privacy obligations could have a dramatic impact on the future viability of said business.
One only has to search for ‘data hack’ or ‘privacy leak’ online to see that businesses are effectively under constant assault by hackers to obtain secret information – now some of this is self inflicted when bad practices (or no practices) are evident or the obligation to behave securely has been handed off to a third party the business engages without the appropriate due diligence or awareness of the risks being taken.
So, what are the risks?
First off, there is the risk of public disclosure of what was previously private information, this could lead either to attempts to perform identity theft or cause said individuals loss of face or embarrassment.
Secondly, there could be a serious monetary impact on your business, both through loss of trade as people leave and fines imposed by either governments or trade bodies for not following the law or policies.
Thirdly, your business will have to spend a fair amount of time and effort securing the systems and ensuring the data they hold has not been corrupted. You cannot just seal the breach and carry on as if nothing happened.
So, how as a business are you meant to be able to trade without having to keep a constant eye out for the hacker attempting to steal your privacy sensitive data? There are a few simple techniques:
#1 Divide and Protect
If you put all your sensitive data into one system, then the hackers need to only break into that one system to ‘own everything’. Obvious, yes – but most people think that having multiple systems with distinct pools of data is more risky. Well it comes down to understanding human nature and how technology works (or doesn’t). If all your data is put into one system, not only does that system have to be secure 24×7 in all eventualities – it’s making a massive ‘bag of gold’ for the hackers to target; which makes it all the more likely that the system is going to hacked as the reward is that much higher. Conversely, if your sensitive data is sensibly distributed across appropriate systems; it makes the reward from hacking any one system that much less.
Note: This of course means you need to secure more systems, but you should have a security framework in place that can be applied across the set with appropriate access controls.
#2 Encrypt at Rest
Privacy Sensitive data we always reckon should be encrypted at rest. Given most of such data is not ‘indexed’ directly as such (say names, addresses, telephone numbers, etc) this will even allow you to do such encryption at the application level. You can do such encryption at the hardware level if you wish, but this still means the database which sits on top is manipulating decrypted content – so if that is hacked, they have the data. Hardware encryption only protects you against someone running off with the hard drive; which could be appropriate if that data is actually on a laptop (which has its own problems…).
#3 Restrict Access to Need to Knows
Only those whose job function requires access to Privacy Sensitive data should have access. This will often mean a reworking of the roles and responsibilities to support this directly. Idea being by reducing who has access you reduce the risk of both accidental and deliberate disclosure.
#4 Note Who Accessed What
Nothing better puts people off doing anything illegal if they know they are being monitored and their actions recorded. Embed this functionality into your security framework.
#5 Make Data Security a Shared Problem
Your staff as much as your security dedicated staff are at the ‘front line’ of protecting the data in your systems; ensure they get appropriate awareness training of the common techniques used by hackers to obtain access to secured data. It’s not all about hacking the computers directly, this day and age is it often easier to get your staff to reveal information by what is called ‘social engineering’.
We hope this has given you an indication of what is required to improve your business Privacy security. If you would like to know more, please get in touch.