Developing Your Company’s Data Protection Plan (+ infographic with some ideas to get you started)

According to Statista, cyber incidents (cybercrime, IT failure/outage, data breaches) are the leading risk to small businesses. Businesses of all sizes should plan for these cybercrime risks by developing a Data Protection Plan.

We interviewed cybersecurity expert Matthew Weber to learn best practices for small businesses preparing their plans. He advised:

“Every size business could be at risk for a data attack. All businesses have valuable data that could be compromised, including email addresses. Your business may not be the target but a platform to get to others.”

“The time to put together your Data Protection Plan is now. Please do not wait and schedule it for a 2023 project. The first task on your data protection checklist should be multi-factor authentication, such as Duo. Any platform will work. The key is to implement it as soon as possible. The Verizon 2021 Data Breach Investigations Report (DBIR) stated 61% of data attacks were related to credentials. These scenarios could have been prevented with multi-factor authentication.”

The 2021 Verizon DBIR, a comprehensive research report leveraged by cybersecurity professionals, includes more than 79,000 cybersecurity incidents and 5,200 breaches. The study revealed “85% of breaches involve the human element, 36% involved phishing (11% higher than the previous year), and 10% involved ransomware (double from the previous year).” 

The DBIR study also showed facts to consider when comparing on-premises IT assets with external cloud-based solutions:

Why is there a significant shift? Cloud-based hosting is secure; however, more businesses are moving to cloud-based hosting, attacks on cloud-based assets are increasing, and increased demand is outpacing supply for cloud security professionals. 

Regardless of these figures, Mr. Weber advised small businesses to consider putting their entire infrastructure in a cloud-based environment like AWS, Azure, or Google. These platforms include built-in security features and provide access to Security Advisors who can help implement security settings for maximum protection. It is essential to do your research and continue to monitor the actions of your cloud provider to ensure they are providing the best possible protection.

When we asked him for other tips, he suggested the following advice for data owners on a data governance team (individuals responsible for ensuring that information within a specific data domain is governed across systems and lines of business):

  • Use multi-factor authentication. Yes, this advice is repeated because this is the #1 task for your Priority 1 list.

  • Review user configurations periodically.

  • Review your cybersecurity insurance readiness requirements. 

  • Remember that cybersecurity insurance will not fully cover the impacts of a data breach.

  • Studies have shown that 85% of those previously breached will get breached again. Why? Because the loophole that caused it in the first place was not addressed and closed. If you have been breached, take action today to close the loophole immediately.

  • If you need the inspiration to move your cybersecurity plan to the top priority of your list, review the SolarWinds breach case study.

  • Keep current on the news. Security experts will share their recommendations in the media and advise where potential data attacks may originate.

Your data owner ensures that a Data Protection Plan is established, communicated to the team, adhered to, and modified as data privacy and security threats emerge. They should review and incorporate this advice to fully protect your business and client data as if it were their own.

In addition to establishing your company's Data Protection Plan, your Data Governance owner should:

  • Develop a training plan and checklists to avoid errors such as missed software security patches, data center security holes, or granting data access to improperly vetted partners.

  • Research and confirm that external partners and third-party tools/software are protecting your business data, so you know that your customer data is in safe hands.

  • Establish policies to review network configuration and remove users who no longer need access.

  • Set up guest WiFi separate from employee WiFi access so guests, temporary workers, and contractors have limited access to employee resources.

  • Establish a data recovery plan to bring your business back online quickly in the case of a data breach. 

Mr. Weber also recommended following security best practices for your personal and business devices.

  • Set up multi-factor authentication.

  • Use strong passwords and store them in your browser. Don't write them down or enter them in a spreadsheet. Consider a tool like 1Password to store all your passwords securely and access them across all your devices.

  • Don't store passwords to financial sites on your computer. Consider keeping those in a safe.

  • Don't use your email as your username. If you have to, set up an email that doesn't have elements of your personal information.

  • Don't store your bank or credit card information in profiles or ask your users to do it on your site.

  • Don't provide login with another app (e.g., log in with Facebook). It may be convenient for users, but you can remind them that taking the extra step helps protect their data.

  • Explore setting up alias emails that forward to your primary email.

  • Create disposable numbers using a tool like Google Voice.

  • Use a VPN like ExpressVPN to mask your IP/location and encrypt your web browsing session. This is strongly recommended for "free WiFi" locations, high-risk scenarios for data attacks.

  • Enable strong junk mail filters.

  • Use 6-digit instead of 4-digit passcodes. These are harder to guess.

  • Password protect your files.

  • Don't click on links directly; go to the website instead to search for the content.

  • Confirm that your anti-virus solution includes ransomware detection.

  • Use a search engine like DuckDuckGo and a browser like Brave to increase your security and privacy.


In addition to security, businesses should include provisions in their Data Protection Plan to guarantee customer privacy. It is critical to become familiar with the privacy laws that apply to your business. GDPR protects EU citizens, and the United States has followed its example. California was the first US state to establish a Consumer Privacy Act. Other states (Virginia, New York, Massachusetts, Maryland, and Hawaii) are working to enact similar laws. Below are recommendations to include in your data privacy plan:

  • Have a lawyer review your Terms & Conditions and Privacy statements.

  • Terms & Conditions statements tend to be quite lengthy. Provide a short, easy-to-read statement summarizing how you protect their data and privacy.

  • Request the minimum amount of data required for your transaction. If you do not need a user's birthday to process their transaction, don't ask for it.

  • Ensure that PII is encrypted so your audience cannot be personally identified by viewing their record in your database.

  • Although it may not be required by law, provide the ability for people to submit a written request to remove their data from your system. Knowing that you would be willing to remove their data from your system can go a long way in building trust. And when you receive the request, make sure to respond quickly and show evidence that their record has been deleted.

  • Similarly, provide the ability for people to submit a written request to see their data. Some companies offer this on their website and allow users to delete their own data.

  • Think about where you are having your meetings and the devices that are listening. As this Statista study points out, digital assistants like Apple Siri, Google Assistant, and Amazon Alexa collected personal data for their teams to analyze without consent. Be cautious when having conversations about someone else's business and avoid discussing client information in public areas such as cafes or trains.
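The PII encryption item in the list above is the one most often implemented only at the disk level, which leaves every row readable to anyone with a database login. The Go program below is an added example, not code from this post or from Mr. Weber, showing what the bullet actually asks for: each sensitive field is encrypted with AES-256-GCM under a key held outside the database (a KMS or secrets manager), with the column name bound as associated data so a ciphertext cannot be moved between columns. It goes one step beyond the bullet by adding a keyed-hash "blind index" so the application can still find a customer by email without storing the email. The names PIIVault, StoredCustomer, SealField, OpenField, BlindIndex, Store and RecordExposesPII, the two demo keys and the customer "Jane Doe" are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PIIVault holds the two keys that must live outside the database (e.g. in a KMS).
type PIIVault struct {
	encKey   []byte // exactly 32 bytes: AES-256-GCM
	indexKey []byte // separate key for the blind index used in lookups
}

// StoredCustomer is the row that lands in the database: no plaintext PII.
type StoredCustomer struct {
	EmailIndex string // HMAC of the normalised email: allows lookup, not recovery
	EmailEnc   string // hex(nonce || ciphertext)
	NameEnc    string
}

func NewPIIVault(encKey, indexKey []byte) (*PIIVault, error) {
	if len(encKey) != 32 || len(indexKey) < 32 {
		return nil, fmt.Errorf("encryption key must be 32 bytes, index key at least 32")
	}
	return &PIIVault{encKey: encKey, indexKey: indexKey}, nil
}

func (v *PIIVault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field. The column name is bound as associated data,
// so a ciphertext copied into a different column will not decrypt.
func (v *PIIVault) SealField(plaintext, column string) (string, error) {
	g, err := v.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(g.Seal(nonce, nonce, []byte(plaintext), []byte(column))), nil
}

// OpenField reverses SealField and fails on tampering or a column swap.
func (v *PIIVault) OpenField(encoded, column string) (string, error) {
	g, err := v.aead()
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(encoded)
	if err != nil || len(raw) < g.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(column))
	return string(pt), err
}

// BlindIndex finds a customer by email without storing it: same email, same tag.
func (v *PIIVault) BlindIndex(email string) string {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Store builds the row to persist; the application decrypts with OpenField.
func (v *PIIVault) Store(email, name string) (StoredCustomer, error) {
	e, err := v.SealField(email, "email")
	if err != nil {
		return StoredCustomer{}, err
	}
	n, err := v.SealField(name, "name")
	return StoredCustomer{EmailIndex: v.BlindIndex(email), EmailEnc: e, NameEnc: n}, err
}

// RecordExposesPII is the audit check: does the stored row contain either plaintext value?
func RecordExposesPII(rec StoredCustomer, email, name string) bool {
	row := strings.ToLower(rec.EmailIndex + rec.EmailEnc + rec.NameEnc)
	return strings.Contains(row, strings.ToLower(email)) || strings.Contains(row, strings.ToLower(name))
}

func main() {
	// Constructed demo keys and customer; real keys come from a KMS, never from the DB.
	v, _ := NewPIIVault([]byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210"))
	rec, _ := v.Store("Jane@Example.com", "Jane Doe")
	fmt.Printf("stored row: %+v\nplaintext visible: %v\n", rec, RecordExposesPII(rec, "Jane@Example.com", "Jane Doe"))
	email, _ := v.OpenField(rec.EmailEnc, "email")
	fmt.Println("decrypted by the application:", email)
}
```

Two design points matter for the privacy goal in the bullet: the keys are never stored next to the data, so a database dump on its own identifies nobody, and the blind index is a keyed HMAC rather than a plain hash, so an attacker with the dump cannot confirm "is this email in the table" by hashing guesses.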


Building a Data Protection Plan takes time and careful planning, but is well worth the effort for your valuable clients. Your plan should include:

  • Data governance (teams protecting your data)

  • Privacy policies (only collect the personal information needed for a transaction, don't use personal information for a purpose other than the one the client agreed to, and ensure clients cannot be identified by the personal information stored in your system), and 

  • Security policies (physically protecting client data from unauthorized access)

As Mr. Weber advises, starting your Data Protection Plan today (rather than putting it on next year's roadmap) is essential for protecting your business and your customers.

Infographic titled "Building a data protection plan" summarizing the blog
