Monday, April 16, 2018

Knowledge is Power




They say that knowledge is power, data and information give one knowledge, and with power comes a tremendous responsibility to protect.  Continuing our conversation from the previous post Phishing Anyone?, we will dive a little deeper into information and data management and some of the risks associated with the responsibility to protect.  In this conversation, we will talk about hard copy data as well as electronic data.  The handling of paper files and information tends to get overlooked with the intense focus on securing electronic data.  As such, this can be an easy target for a criminal.  We will look at five best practices for the handling, storage, and disposal of hard copy sensitive information.  We will then move to protecting electronic data and discuss five best practices for protecting electronic data.  Finally, as I did in the last post, I will provide some resources to further develop your knowledge and understanding. 
Let’s begin with framing the conversation around what information and data need to be protected.  In most cases, we all have a basic understanding of what needs to be protected.  For our conversation, we are going to divide data into three categories:

Confidential Information 
“Confidential Information” is that which has been so designated by statute or by promulgated rule or regulation based on statutory authority.  Examples include corporate records relating to pay and the payment of benefits, which are considered confidential. 

Privileged Information 
“Privileged Information” is that which is available only to authorized persons and to which access is granted by one’s position. This information is not confidential pursuant to the law but is sensitive in nature.  For simplicity in management, privileged information is often subject to the same restrictions as confidential information. 

Personal Information 
“Personal Information” refers to a corporate record that contains a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person:   
(a) Social Security Number (“SSN”);  
(b) Driver’s license number or state-issued identification card number; or 
(c) Financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.  Personal Information does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 

Through the daily course of business, the use of confidential, privileged and personal information is common.  Creating an awareness and developing processes to manage this information can prevent sensitive information from getting into the hands of criminals.  Below are five best practices for managing hard copy files and data.


  1. Personal Information collected, received and stored should not be shared with any unauthorized party. Authorization to access such information is limited to those employees determined to need access to carry out their job responsibilities and such other persons or organizations who are legally entitled to receive such information, such as auditors, regulators, and outside counsel.  
  2. All paper records and data containing personal information should be stored in locked storage areas or containers, and access to such records and data should be limited to authorized persons.
  3. Printing, transportation or duplication of personal information must be limited to the greatest extent possible.
  4. Each year, inactive paper files should be purged from the active files storage location and placed into archive storage.  Archive storage should be in a locked facility with very limited access.  Unless ample space is available in the general office area, arrangements to store archive documents with a third party such as Iron Mountain can ensure secure storage with limited access.  Third party archive storage also mitigates the risk of maintaining onsite storage for prolonged periods of time.  
  5. Companies should develop an archive data management and destruction policy which outlines the storage requirements for various files and a file destruction process.

Historically, hackers seeking to steal data and money primarily targeted large corporations and government bodies. The focus has now shifted, and they now direct quite a bit of attention to hacking small businesses and individuals.  This change is not surprising: although larger corporations and governments may offer higher bank balances and jackpots of data to steal, they also have both large information-security departments and tighter relationships with law enforcement, lowering the odds of a hacker's success and increasing the chances of them getting caught and imprisoned.

With the new dynamics, it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.  Here are five best practice recommendations for managing your company’s electronic data.

  1. Understand that you are a target. Educating employees and creating a general awareness of the importance of caution and vigilance can be a good defense.  Employees who believe that criminals want to breach their computers and phones act differently than those who don't understand this reality.
  2. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
  3. Conventional wisdom is to require complex passwords for all systems.  Inevitably, that leads to people writing down passwords or using the same password for multiple log-ins.  The new best practice is to ask employees to select combinations of words, numbers, and proper names (e.g., "investing9goats2Starbucks"), or create a passphrase (“My1dog2is3George”). For extremely sensitive systems, consider stronger forms of authentication such as biometrics or multi-factor authentication.
  4. Inappropriate social media posts can cause many problems, such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks. Implement technology to ensure social media does not become a problem.  Do not rely on simply telling people not to make particular types of posts on Facebook or Twitter; history tells us that many people simply do not realize when they are making such posts, and even those who do may inadvertently leak data when posting from a smartphone that "auto-corrects" a misspelled word to a sensitive, internal term.
  5. If your company uses the internet for eCommerce, or if your company falls under state or federal requirements for handling information and data, make sure that you comply with all regulations. This sounds very basic, but in a world of a myriad of requirements and regulations, electronic data management should be a focus. 
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

National Cyber Security Alliance - The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

Federal Trade Commission - The FTC has created a webpage that has information on scams targeting small businesses, and tips to help avoid them. It also includes cybersecurity articles and videos to help small business owners protect their networks and systems and their employees’ and customers’ sensitive data.

Until next time, stay safe and be kind to one another.
