A Complete Guide To Data Protection And Confidentiality In The Workplace

Learn The Lessons Of Some Of The Most Secure Workplaces In The World

All businesses keep some form of personal information and data on file. Whether that is the payroll information for your employees or if that is information your customers have handed over to you.

No matter what type of personal information you store as a company it is your responsibility to look after it, keep it secure, and protect it from hackers. This is something that not enough businesses take seriously.

A security breach could result in your customers losing faith in your business or even worse – a seven or eight figure lawsuit. Investing in the right security system is simply a smart business choice that will benefit your business in the long and short term.

In this article, we are going to help you understand why data protection is so important and how you can put a security system in place.

What Is Data Protection?

“Data protection is the process of safeguarding important data from corruption, compromise or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.” SNIA

Data is a catchall phrase that can cover anything from your bank account details to the type of ice cream you like. Every business will keep a different selection of data on their customers and employes.

Data protection is the name given to the different methods companies and individuals use to safely store this information so it cannot be accessed by anyone it doesn’t belong to.

Data protection can take many forms.

One of the best forms of data protection is to teach your employees how to use all your software properly and train them in online safety. For example, phishing is a common way that criminals try to steal data from big companies – anti-phishing training can drastically reduce the chances of this happening.

Data protection can also take the form of software that protects the company and the data it keeps from hackers and malware.

We will cover more methods of data protection later in this article.

What Is Data Confidentiality?

“Confidentiality has to do with the privacy of information, including authorizations to view, share, and use it. Information with low confidentiality concerns may be considered “public” or otherwise not threatening if exposed beyond its intended audience.

Information with high confidentiality concerns is considered secret and must be kept confidential to prevent identity theft, compromise of accounts and systems, legal or reputational damage, and other severe consequences.” UDEL

Your customers and your employees have a right to have their data protected and kept private if they want to. In some countries, it is a legal requirement unless you have express permission from the customer to share their personal information.

There are many different types of personal data ranging from public to highly confidential.

For example, your name and age might be considered public data as you have probably willingly shared it on your social media. Your address might be considered private or confidential. But your credit card details would be considered highly confidential.

As a business, it is your responsibility to have a fully functioning data protection system that keeps private and confidential information safe.

Why Is Data Protection Important?

Smart data protection is good business.

If your business allows your employees’ or customers’ personal data to be stolen then both you and them can end up in a lot of trouble.

There are three main consequences of data being stolen from your business:

• Identity Theft
• Data Selling
• Legal Action

If hackers get hold of any highly confidential information your company is holding then your customers and employees could be at risk of identity theft.

The right combination of details about someone – including their social security number, their address, and their date of birth – can give criminals the ability to steal your identity. They may even sell that identity to someone else.

Even if a hacker does not collect a large amount of highly confidential information, they may still sell on the information they get hold of. Many companies buy information about potential new customers.

Companies typically use this data to make more targeted advertising and to discover new potential customers. Even fairly public information can be sold. For example, if you live in an up and coming area, your address could be sold to a realtor who then might start bombarding you with adverts to try and get you to sell your home.

Finally, as a business, you should be aware that a customer or employee could take you to court if you lose their data. These cases can be huge. Home Depot has recently had to pay out $200 million after a data breach and Capital One paid out over $190 million for a single breach.

These cases will not take into account the amount of money you make as a company, as data breaches can cause a lot of damage to people’s lives. If you lost data and were taken to court – you could very easily be bankrupted.

This is why it is important for businesses of every size to invest in the right data protection tools.

How To Protect Your Data

Now that we know the dangers of data breaches, let’s look at what you can do to protect your network and the data you keep there.

Here is a beginner’s guide to data protection.

Create A Data Plan

Before you dive into trying to improve your system, it is important to sit down and take the time to plan all your chances in advance.

You want to make sure that you can make all of your changes at the same time if possible. You want to avoid leaving your system vulnerable for too long while you install your new security system.

Before you make any changes you will want to take stock of the type of data that your company keeps, what your current cybersecurity system is, and where you can improve.

This next section will help you to do that.

Know What Information Is Stored In Your System

Before you can protect the data your company stores, you need to know exactly what it is storing and where.

If you are keeping highly confidential information then you may be legally required to add higher levels of security. Most companies keep highly sensitive information in the form of their payroll data.

Does your company also have strong customer passwords? Their addresses? Their card details? Any identifying information like medical records or a social security number?

Where are these records being kept? How are they stored? Who has access to them?

Once you know the answers to these questions you can move on to the next step.

Only Keep What Is Needed For Your Business On Your System

Some laws around the world will restrict how long you can keep customers’ records and information for. However, it is in your best interest as a company to only keep any data that is absolutely necessary.

The less data you store, the less desirable a target you are to hackers, and the less likely you are to leak or lose any important information about your customers.

Do you need to keep 10 different data points on each of your customers? Is it necessary for your sales process? Can you streamline this?

Dispose Of Any Information That You No Longer Need Properly

Once you have gone through the information you are storing, learned where it is being kept, and exclaimed what data it is necessary for you to keep – it’s time to declutter your system.

As mentioned above, the less data you store in your system, the better off you will be if there is a breach.

We recommend that you go through the whole system and delete any data you don’t need or any data that you have had for a long time.

You can always archive the data in an encrypted database if you are worried about deleting important information.

Create An Emergency Plan To Help Deal With A Data Breach

Be prepared.

Don’t just assume that this will never happen to you. In 2020, 80% of businesses surveyed reported that someone had attempted to breach their network. While 90% of IT teams surveyed said that phishing and data theft was their top concern.

These attacks are not rare, in fact, they’re very, very common. Businesses of all sizes need to prepare.

Work with your cybersecurity provider and experts to put together an emergency protocol that can be enacted if an attack does happen. Have this protocol written down and easy to find.

Failing to plan, is planning to fail.

Keep Physical Copies When Needed

Data protection isn’t all about cybersecurity.

You need to make sure that you are protecting any physical copies of data that you are keeping on site. That being said, in some cases, keeping hard copies of data and physical backups can be preferable to digital options.

Physical data is a lot easier to protect because a thief would have to physically get into your building to steal it. You could make that more difficult by locking the data away in a filing cabinet or in a safe.

If your system is damaged, hacked, or wiped, having hard copies of your most important data can reduce the amount of fallout from a breach.

You should never leave data out in front of other customers or in view of employees who are not authorized to see it.

Physical copies of data are a lower cost option for smaller businesses who cannot afford a top of the line cybersecurity.

Invest In A Network Security System

“Network security can be made up of hardware devices, specialized software, physical security (i.e. locked computer rooms), and rules for people to follow. Just like securing your home, a network security system must protect against threats coming in from the outside and also deal with intruders if they make it inside.” STUDY

If any part of your business is done online then you must get a network security system.

One of the easiest ways for hackers to gain access to your business is through a poorly protected wifi network. This is why we are always told not to use a public network without a VPN – if you don’t set your network up correctly, your business wifi could be just as dangerous as a coffee shop network.

If this is not your area of expertise then it is well worth outsourcing the job. So, you can be assured that your network is protected.

Limit Who Can Access Your Wireless Connections

As well as getting a network security system, there are a few actions you can take to make sure that your network is better protected.

Start by identifying the hardware and servers that your most sensitive information is stored on, where possible, restrict access to these or introduce two-factor authentication.

Restrict access to your company network for employees who are working from home.

Only allow people who work for your company and have an approved user to have access to your wireless network. Do not share it with the public. Try to avoid sharing it with guests visiting your building. This includes contractors and potential customers.

Restrict the websites your employees can visit and put restrictions on what they can download.

Store your most information on databases that are not connected to the internet unless this will restrict your business.

Background Checks

When you are bringing on new employees, it is really important that you do a full range of background checks.

If you have data that hackers think is really valuable, they may try to infiltrate your company by posing as an employee. Before you hire someone, you must do a background check.

You should also be selective about the people that you let into your building. Whenever a contractor comes to visit, make sure that they have the correct identification on them and that the company gives you a warning they are coming to visit.

Create An Employee Data Confidentiality Agreement

As an employer, it is your responsibility to make sure that everyone who works for you is aware of how to safeguard data.

Everyone in the company, from the top to the bottom should receive training. This will make a data breach much less likely, and it will cover you legally if there is a link.

As a company, you should decide how you will approach data protection. You can do this by looking at the rules in your city, state, or country and by examining your company ethos.

Once you have this policy in place, you will want to make sure you have all your employees sign a Data Confidentiality Agreement. This means that your employees are aware of their responsibilities and have legally acknowledged them.

When your whole organization understands what is expected of them, they will be able to carry out your vision with greater ease.

Emphasize A Security Culture

As well as having an employee Data Confidentiality Agreement, you should try to make security a part of your company culture.

It is okay to express to your employees the danger of poor data security protocols. If you explain to them why they have to be careful when clicking email links then they are less likely to do it.

Try to make training part of the routine at your company, and reward your employees when things are going well. Try to avoid only using negative reinforcement.

Emphasize Company Policies

Make protecting employee and customer data an unavoidable part of working for your company and you will have an easier time preventing breaches.

You need to make sure that poor security practices or abuse of the system are a fireable offense. You do not want to have any weak links in your company’s security system. All it takes is one person to click on a dodgy link to open up your whole system to hackers.

If something does go wrong and you are taken to court, you want to be able to prove that you have done all you can to prevent attacks. You do not want the evidence to show that the person who fell victim to the phishing scam had been failing their cybersecurity tests repeatedly.

Keep Your Data Backed Up

You must back up all your data regularly. The more often you do this, the more you will be able to recover if there is an issue.

Early, we mentioned the benefits of making paper backups of some of your most important data. If your servers are wiped then having paper backups can be very useful – especially if the data is essential for your business to function.

Big businesses will have multiple backups stored in different locations. If you are a small business, then this might not be an option for you.

However, you may be able to store the data in one or two off-site locations. If you are going to do this then you need to make sure that the networks in these other locations are adequately protected.

You will also want to make sure that you are fairly secretive about where these other sites are. You do not want them to also get breached.

Data Retention

Next, you will want to think about how long you are going to keep the data for.

There are some rules around the world that limit how long you can keep some kinds of data. This is something you should be aware of if your company works in multiple countries. The fines for incorrectly storing can be quite hefty, particularly in Europe.

Make a list of all the different types of data you store, and decide how long you want to keep that category in your system.

For example, you may need to keep data on what you are selling and to whom until the end of the tax year. But there is no need to keep this data for two or more years.

Alternatively, if you were a medical company, you may find that keeping medical records on file for multiple years saves everyone a lot of time and will allow you to get a better understanding of the patient.

Consider Encrypting Your Data

Finally, you should consider encrypting all of your most important data.

It may make accessing the data a little inconvenient, but it will be well worth it if the hackers get hold of it and can’t unlock the necklace. Or, the extra layer of security might be enough to put some hackers off.

However, there is no point in encrypting data that your company uses multiple times a day. You should consider having your backups encrypted.

How To Avoid A Data Breach

Before we leave you, here are six things you can do to reduce the chance of there being a data breach at your company.

Invest In A Intrusion Detection System

Investing in a proper cybersecurity system is a must for a business of any size. You know this already, having read the rest of this article. It is not worth risking the consequences of not being adequately protected from a cyberattack.

We recommend that you invest in two different types of systems.

Firstly, you should look into a comprehensive cybersecurity training system. One that will allow you to run interactive security campaigns.

For example, you can get phishing training software that will send fake (but realistic) phishing emails to your employees. It will track who in your company failed the test and offer them further training.

These phishing systems will also allow your employees to report real phishing attempts and will help you to catch attacks before they happen.

Secondly, you should invest in a cybersecurity system that includes firewalls, network security, multiple layers of encryption, and any other cybersecurity tools your business needs. The bigger your business, the more protection you will need.

Small businesses may be hesitant to invest in cybersecurity, but it is much cheaper than having to pay compensation to anyone whose data you have lost. Remember that $200 million settlement Home Depot had to make.

Keep Your Detection System Updated

One of the best things anyone can do for their cybersecurity is to keep their software and hardware up to date.

Every time developers spot a weakness in their software’s security, they work out how to fix it and then put out a patch. The longer you put off updating your software, the more time the hackers will have to exploit the weakness in the system.

Your whole company can benefit from having reminders sent out whenever they need to update any of their software.

You should also make sure that the company is keeping its security systems as up to date as possible.

Maintain Central Log Files

The more data you have the easier you will find to maintain your cybersecurity system.

Taking action to maintain your central log files and to keep logs of all minority activity related to security will pay off in the long run. Keeping track of all this data will allow you to spot changes, danger, and intruders more quickly.

Without this information, you won’t be able to notice when changes happen. You will also struggle to track any attempted attacks. And if you can’t do that, you won’t be able to make any meaningful changes or upgrades to your system.

Monitor Incoming Traffic

Again, we recommend that you collect data from as many different points in your system as you can.

Another important data set to collect is incoming traffic.

Key things you should be looking out for are spikes in traffic, unexpected creation of new users, multiple log-in attempts, and traffic during unusual times of the day (or night). You should also be on the lookout for people trying to log in from unexpected locations or from unknown IP addresses.

You should be looking for a security system that allows you to track all of this, and preferably one that shuts down access when unusual activity occurs.

Monitor Any Unauthorized Users

We also recommend that you keep a close eye on the accounts that are being made on your system and who has access to what.

As well as tracking incoming traffic, you should also be aware of the outgoing traffic on your network. Is someone inside your network sending data to an unknown or unauthorized user based outside the network? This could be a sign that your network has been infiltrated.

A good security system will pick up on this and shut it down.

You should have restrictions on who in your network can create new users and accounts. This will prevent hackers from being able to build themselves into your network.

Stay Informed

Our final piece of advice is to stay informed.

One of the most frustrating things about cybersecurity is that it is a constantly evolving field. It is important for businesses to stay ahead of hackers. Some days, this can feel like a never-ending task.

The good news is that there are many cybersecurity experts out there who work tirelessly to keep ahead of the people who want to attack our security systems. They share this information with the security systems manufacturers, who in turn, update their software to prevent attacks.

So, you don’t have to worry about doing all of the research in-house. However, it is important for whoever is manning your cybersecurity to stay as up to date as possible. Many of the big tech websites and news sources are great places to do your research.

It will be well worth the effort to stay caught up with the developments in the industry, as you don’t want to get caught out. This will lead to nasty consequences for your business and your customers.

The combination of these six actions will make it a lot less likely that your business will fall victim to cyberattacks and data breaches.

Summary

Every company keeps data. Whether it is on their employees, their companies, or both. It is the company’s responsibility to protect this data from others.

Data can and is sold online. Therefore many hackers will try to steal data from companies with poor security in order to sell it to the highest bidder.

There are many different ways a company can protect its data, but everyone should be aware that it is not just the IT department that is responsible for this. Any email account in the company could give hackers the access they are looking for.

In the article above, you will find a guide to setting up a comprehensive data protection system that will help to protect your company and your customers.