Protecting your online ‘crop’ of information

There is no shortage of acronyms to set your head spinning when the subject of data security and privacy comes up. There’s GLBA or FCRA, PCI DSS or PA DSS, NIST or ISO. But the reality is that no matter how complex or simple your product, any business that interacts with its customers, vendors or employees is in the same business that farmers have been in for centuries: cultivating a valuable crop and protecting it.

Think of data like an apple, and your systems and networks like an orchard. You grow, cultivate and harvest the apples, which are then processed into end products or services. And just as farmers must protect their orchards from thieves, blights, pests and disasters, you must protect your data. Protecting your “orchard” of data is cybersecurity.

Here are 10 key factors to remember to protect your crop of data:

1. Take an inventory (i.e., security audit). If you don’t know what data you have and where it is, you can’t protect it. On a regular schedule, audit your entire IT infrastructure—computers, network and mobile devices—to determine what you have, where it is and how it is stored and accessed. Include audits of access permissions, data location and physical, administrative and technical security policies. Be certain to note which data may be subject to special protections, such as medical, credit card or banking data.

2. Account for the human element. Vigilant employees can be your first line of defense when it comes to ensuring that human error and social engineering tactics, such as phishing, spoofing or spear phishing, are minimized. They are also the canaries in the coal mine and the best chance of spotting suspicious activity early.

3. Have security policies, security training and self-tests. Relying on employees only works if you do the legwork first—have clear and simple policies that provide employees with the information and tools they need to play their part in security. Conduct regular training to make sure employees know what the policies require. And set aside a few hours of IT time per month to test whether employees and systems actually reflect what you establish in the security policies.

4. Use strong and multiple passwords. Simple passwords are a hacker’s best friend. Strong, complex passwords protect against simple attacks such as “dictionary attacks.” Better yet, use complex password-generator programs.

5. Encrypt your data. Encryption can protect data that leaves your system, is stolen or is in transit. Use at least industry-standard encryption levels appropriate to your industry.

6. Backup and infrastructure. Ensure your data is properly backed up, and test the backup to ensure that your data can be recovered when you need it. A disaster recovery plan not only helps keep customers happy and revenue flowing by avoiding business interruptions, it is an essential first step to mitigating and remediating any security incident. Your business cannot respond effectively to a data breach unless it is in a position to identify the scope and severity of the incident by recovering your system to its optimal state.

7. Protect your mobile workforce. Mobile devices operate “in the open” on your customers’ networks, public networks at coffee shops or free networks in the park. Ensure that mobile devices have security applications and meet minimum password and access requirements. Maintain the right to “wipe” all employee devices as a condition of employment.

8. Implement a multiple-security-technology solution. Have multiple layers of security technology on all of your devices (including desktop, mobile device, file server, mail server and network end point) to block attacks on different layers of your network.

9. Collect only what you need. Always collect only what you have a legitimate use for. The more information you have, the bigger the risk. Never use sensitive information such as Social Security numbers for customer identification. Delete personal information as soon as your business need is done.

10. Use your privacy policy. A good privacy policy tells customers what you will and won’t do with their data, elicits the necessary consents and limits your liability for any use for which you have permission.

Many of the above steps can be done in-house or on a modest budget. No matter the size of your business, when it comes to cybersecurity, an ounce of prevention is worth a pound of cure.

Gregory A. Brower, Ian V. O’Neill and Sarah Auchterlonie are shareholders at Brownstein Hyatt Farber Schreck.