10 critical elements of data protection

As concerns over the environment grow ever stronger, it’s only natural that businesses turn to technology for storing information. But much like hard copies of personal information should be kept under literal lock and key, so must digital data be protected.

Businesses most commonly store personnel records, customer details, loyalty program details, financial information, and payment details. Being proactive and taking steps to secure this information can help protect your company and its customers and reduce the risk of liability. The following are 10 elements you may wish to consider when taking steps to improve your company’s security position:

1. Establish a team for information security and privacy

If possible, have the members of your executive team involved to show commitment to staff. If you run a small company, you may think you do not need a dedicated individual for information security; however, smaller companies are just as vulnerable to security breaches as larger ones. If you already have an IT team, it may be overwhelmed with other responsibilities, leaving it no time to devote to this area. A dedicated individual, or better yet a team, can support all staff and raise awareness throughout your company.

2. Complete an inventory of your systems and data

Knowing what equipment your business has, as well as the software and systems your employees use, can help you determine the safeguards that may be needed to protect your company’s data.

3. Conduct a Data Protection Impact Assessment (PIA)

A PIA is a process for identifying and mitigating data protection risks that may affect your organization or the clients you engage with, and it can help you implement solutions to address those risks. Keep in mind that not all risks can be eliminated. Start by asking yourself the question, “What would happen if?” Would your business be prepared for the outcome?

4. Assess your security position

Get to know your vulnerabilities, and use online tools to scan your systems for threats and to check for outdated browser versions. Apply any needed updates, as they often include security fixes that help protect your systems.

5. Develop security policies and procedures

It’s important to develop a company-wide policy on data security. Your policy and procedures can include such things as:

  • Whether or not employees are permitted to use their own equipment (computers, cell phones, etc.) rather than company-owned equipment for work-related purposes.

  • Steps for employees to take when they believe they have been the target of fraud that could affect the company.

  • The procedure for when an employee leaves the company or is terminated. For example, while an employee is being terminated, another employee deactivates their accounts and revokes their access to all systems.

6. Use necessary security technologies like password managers

Password managers allow you to save passwords securely, either in the cloud or on your computer. They can also generate random passwords, which are extremely hard for fraudsters to guess.

7. Conduct user awareness training and testing

Train staff on phishing and how to protect themselves online. Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by someone posing as a trustworthy source in an electronic communication.

8. Assess all of your third-party vendors

Ensure that the companies you are dealing with are taking all necessary measures to protect you and your customers. Complete a risk assessment and, if needed, request to speak with their security team.

9. Develop incident response and disaster recovery plans

Implement an action plan that sets out the steps to take in the event of a security breach. The plan should include a strategy to ensure that all critical information is backed up, as well as a list of all important software applications and the hardware required to run them.

10. Develop and monitor a formal system for ensuring continued compliance

It’s important to review your policies and procedures with your staff on a regular basis and to update them on any changes. Practicing your incident response and disaster recovery plans can help avoid unnecessary surprises during an actual emergency and allow you to correct any issues in advance of what may be a stressful situation.

More information on protecting information can be found in our web post Privacy laws in Canada: How do the rules affect your business? You can also contact your CFIB Business Counsellor at 1-888-234-2232 or by e-mail at cfib@cfib.ca.