In a previous blog, we talked about some of the big mistakes small businesses make regarding keeping their data secure. With even some big-name companies seeing major data breaches in recent months, data security is an important topic.
If you’re not sure where to start, we’ve got some best practices that should form the foundation of your data protection policy:
1. Assess and update your current security practices
How many people in your company have access to sensitive customer information?
The more people who have that access, the higher the potential for human error. You also need to make sure your whole team is on the same page when it comes to your data security policies.
Your first step, then, is to limit how many of your employees have high-level administrative access to your customer data. Also, have a policy in place that tracks when and how those employees use that information to avoid costly mistakes or data leaks.
You also need a clear, well-documented data security policy that applies company-wide. We’ll discuss how to come up with that policy in a future post, but in general, you need to set standards for who can access information, when, and how that information is used. Having this policy in writing and integrating it with your overall business operations will take all guesswork out of it for your team.
2. Use ‘Least User Access’
A Least User Access policy means that employees only have access to the data they need to have in order to do their jobs. This limits the potential for human error and data leaks, along with the number of people who have sensitive customer data at their fingertips.
One example: an employee in marketing who just needs demographic data doesn’t need access to specific customer data like accounts and payment information. Creating tiers of information with different access levels provides an added level of security. Non-essential employees who may not be as familiar with security protocols won’t have the chance to make mistakes with this data.
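The tiered access model described above, as an added example that is not from the original post: data is ranked from demographic to payment, each role gets a ceiling, unknown roles are denied, and every decision is logged so an audit (the tracking the first practice calls for) can review denied attempts. The role names, tiers and log format are this example's own assumptions.

```python
"""Tiered access control with an audit trail (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classes ordered from least to most sensitive (assumed tiers).
TIERS = {"demographic": 1, "account": 2, "payment": 3}

# Each role may read up to and including one tier. Marketing only needs
# demographic data; billing needs payment records. (Assumed roles.)
ROLE_MAX_TIER = {
    "marketing": TIERS["demographic"],
    "support": TIERS["account"],
    "billing": TIERS["payment"],
    "admin": TIERS["payment"],
}

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, data_class, allowed):
        # Log every decision, including denials, with a UTC timestamp.
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role,
            "data": data_class, "allowed": allowed,
        })

def can_access(role: str, data_class: str) -> bool:
    """Allow only if the role's ceiling covers the requested tier."""
    if role not in ROLE_MAX_TIER or data_class not in TIERS:
        return False  # unknown role or data class: deny by default
    return TIERS[data_class] <= ROLE_MAX_TIER[role]

def request_access(log: AccessLog, user: str, role: str, data_class: str) -> bool:
    """Check the request and record the decision either way."""
    allowed = can_access(role, data_class)
    log.record(user, role, data_class, allowed)
    return allowed

def denied_requests(log: AccessLog) -> list:
    """Denied attempts are the entries worth reviewing in a periodic audit."""
    return [e for e in log.entries if not e["allowed"]]
```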
3. Adopt company-wide password management policies
User accounts and their often weak passwords are a key point of entry for data thieves, so make sure they’re well locked down.
Require that all of your employees use strong passwords – a general rule of thumb is at least eight characters including both letters and numbers. Ideally, the software you use should require strong passwords when users create their accounts. You’ll also need to educate your employees on the importance of keeping passwords safe.
Another area to look at is external vendor logins. Are your employees using the same login on those external systems as they are for your internal software? That’s also an area of concern – a vendor whose system gets hacked could unwittingly open your own system to the hackers. Require your employees to create separate logins with unique passwords for every external system they access.
When an employee leaves your company, part of your exit policy should include removing that worker’s logins immediately. You should also perform regular audits in case any inactive accounts slip through the cracks.
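The password rule of thumb and the account audit from this section, as an added example that is not from the original post: a checker for the eight-character letters-and-digits rule, and an audit that flags logins belonging to departed employees, logins with no matching employee, and logins unused for too long. The roster, account export, dates and the 90-day inactivity threshold are constructed assumptions.

```python
"""Password rule check and account audit (added example, not from the post)."""
import re
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumption: accounts unused this long get flagged

def is_strong_password(pw: str) -> bool:
    """The post's rule of thumb: at least eight characters with both letters and digits."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)

# Constructed HR roster: who still works here.
ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
}

# Constructed account export from an internal system.
ACCOUNTS = [
    {"login": "alice", "last_login": date(2024, 6, 1)},
    {"login": "bob", "last_login": date(2024, 5, 20)},         # left the company
    {"login": "carol", "last_login": date(2024, 1, 3)},        # long inactive
    {"login": "svc-legacy", "last_login": date(2023, 11, 9)},  # nobody owns it
]
EXAMPLE_TODAY = date(2024, 6, 10)  # constructed audit date

def audit_accounts(accounts, roster, today, inactive_days=INACTIVE_DAYS):
    """Return {login: reason} for accounts that should be disabled or reviewed."""
    findings = {}
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        login = acct["login"]
        person = roster.get(login)
        if person is None:
            findings[login] = "orphaned: no matching employee"
        elif person["status"] != "active":
            findings[login] = "terminated employee still has a login"
        elif acct["last_login"] < cutoff:
            findings[login] = f"inactive for more than {inactive_days} days"
    return findings
```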
4. Use email authentication
Phishing and spoofed emails have become a major headache for consumers and companies alike. Data thieves have gotten very adept at creating fake emails that look like they came from a legitimate company.
In addition, these hackers can create websites that look identical to legitimate business websites, even mimicking the legitimate URL. Unsuspecting customers enter their logins to these fake sites, handing their information over to hackers without realizing it.
You can protect against this problem by using email authentication; your email service provider should offer an authentication service.
5. Use the right server certificate
SSL certificates are now all but a requirement for doing business online – but are you using the right kind of certificate?
There are three types of server certificate. The first is the Domain Validated (DV) certificate. This is a far less secure certificate, since it only validates that you’re allowed to use your domain name. It lets visitors know that they’re on your actual, legitimate website, but it doesn’t provide much assurance beyond that.
An Organization Validated (OV) certificate requires a little more information from you about your company; this information is provided to visitors of your website when they click on your secure site seal. This information provides trust by showing who owns the domain and who’s behind the website.
The most secure type is the Extended Validation (EV) certificate. Before issuing an EV certificate, the certificate authority conducts a thorough vetting process. They’ll verify your company’s legal, physical, and operational existence, that your company identity matches official records, and that you have the exclusive right to use your domain.
This extra vetting delivers a much stronger level of security and trust for your customers, and is well worth the investment.
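One way to check which of the three certificate types a site presents, as an added example that is not from the original post: an OV certificate carries the organization name in its subject, and an EV certificate additionally carries the legal-identity fields (business category, registration number, jurisdiction) that the vetting process verifies, so the classification can be read off the subject. The constructed subjects below mirror the shape of Python's ssl getpeercert() result; the attribute names follow OpenSSL's long names and are this example's assumption.

```python
"""Classify a server certificate as DV, OV or EV (added example, not from the post)."""
import socket
import ssl

# Subject fields only an EV certificate carries (assumed OpenSSL long names).
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert: dict) -> dict:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) subject into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields

def validation_level(cert: dict) -> str:
    """Return 'EV', 'OV', 'DV', or 'unknown' when no subject is available."""
    fields = subject_fields(cert)
    if not fields:
        return "unknown"  # e.g. getpeercert() on an unvalidated connection
    if "organizationName" not in fields:
        return "DV"       # only domain control was checked
    if EV_FIELDS.issubset(fields):
        return "EV"       # legal identity and jurisdiction were vetted
    return "OV"           # organization verified, but no EV vetting

def fetch_validation_level(host: str, port: int = 443) -> str:
    """Live check: connect, validate the chain, and classify the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validation_level(tls.getpeercert())

# Constructed subjects for the three certificate types.
DV_CERT = {"subject": ((("commonName", "example.com"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "example.com"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "1234567"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "example.com"),))}
```

fetch_validation_level needs network access and is only there to show how the same classifier applies to a real connection; the constructed subjects exercise it offline.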
Bonus: Always keep the human element in mind
These best practices will help you start thinking about your data security – but always remember that your security is only as strong as the people who have access to your data. Make data security training a regular part of your ongoing employee development, and keep up-to-date on current security threats.
Taking these steps now can help you prevent a security breach that could devastate your company’s reputation and finances. Give United Mail a call today to discuss your data security needs at 866-542-2107.
By Chase Kirkwood, President