In today’s world, most consumers are aware that enjoying the convenience of a digital lifestyle involves sharing some of their personal information — sometimes by allowing cookies and other tracking technology, and sometimes by filling out online forms.
With that awareness, though, comes the expectation that companies will keep their personal information private and secure. This has become even more important as missteps from major companies have shown just how easy it can be for personal data to become public.
Yahoo’s 2013 breach, which affected all of the company’s 3 billion accounts, might be one of the most notorious examples. But repeated breaches like these are hardly a thing of the past. Just last month, amid panic about the coronavirus pandemic, Marriott confirmed a data breach that affected 5.2 million guests. What’s worse, it was the hotel chain’s second (preventable) breach in three years.
Despite all this, many companies are still not properly incorporating security into their data management strategies. Even companies that believe they’re keeping customer data secure often overlook simple vulnerabilities that could become massive headaches if left unaddressed. If companies want to be serious about data security, it’s time they adjust their approach.
Adequate data security requires better data management defense
There are two main types of data management strategies: offensive and defensive. Offensive strategies are customer-centric activities, such as sales and marketing. They are built to increase revenue and satisfy customers.
Defensive data management, on the other hand, focuses on security and regulation compliance. The broad goals of a defensive management strategy are to protect consumer information and prevent fraud.
While defensive data management might not seem as glamorous — and its impact on the bottom line not always as straightforward — it’s equally essential to a company’s success. In 2017, for instance, the cost of fraud was a whopping $16.8 billion.
Every time someone’s identity is stolen or personal data is leaked and used for malicious reasons, companies generally have to bear the cost. That’s why it’s so important to look at defensive data management as an equal and intertwining branch of offensive data management. Without a solid defensive strategy, you’re taking huge risks that might negate even the best offensive strategy.
What happens when data security management isn’t up to snuff
Poor data security can cost more than just the money it takes to repair the initial damage from a breach. For one, it can do significant damage to your reputation: There’s the immediate loss of trust between company and consumer, of course, but there is also lingering damage to relationships with business partners who might think twice before dealing with a company that doesn’t always secure data.
There’s also the potential for damage to your brand if corporate communications are leaked. Sony offers a perfect example of how badly things can go when private emails suddenly become public. Reputations are ruined, and spilled trade secrets and juicy gossip dominate the news cycle.
Your reputation isn’t the only thing you need to worry about, by any means. Many hackers target proprietary information, such as designs and blueprints. These are the sort of leaks that can never be cleaned up satisfactorily. While not every rival will take advantage of your intellectual property, some have no scruples — and that can cause lasting damage.
On top of this heap of risks, you also must contend with the legal repercussions of a breach. A variety of regulations tie serious consequences to poor data security. HIPAA is perhaps the most strict, dictating security and privacy standards for the healthcare industry as well as hefty fines for violations. But that doesn’t mean other industries are in the clear.
In the United States, the Sarbanes-Oxley Act (better known as SOX) regulates accounting and financial reporting to ensure the integrity of financial data. And in the European Union, GDPR requires companies to follow seven principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Storage limitation.
- Integrity and confidentiality.
Companies that violate these principles could face a hefty price of up to 4% of their global revenue. Many companies might not realize they’re violating these regulations until it’s too late, which is why now is the time for companies to examine and strengthen their security strategies before disaster strikes.
Common security oversights and how to fix them
Reassessing your data strategy is always a good idea, even if you think it’s already up to snuff. Here is a brief overview of four of the most commonly overlooked security risks (and some tips for fixing them):
1. Lack of encryption
Many companies mistakenly assume the only purpose of data security is to protect information from unauthorized access. At best, they focus on building a fortress to protect their systems from hackers — but they leave the data itself unchanged. Even the best defenses have weak spots. What happens when the wrong people exploit those weaknesses? They gain access to a treasure trove.
The right kind of encryption, however, has the power to turn that treasure trove into fool’s gold in the hands of a hacker. If your data is secured with something like RSA encryption, then any information a bad actor manages to access is virtually indecipherable without access to the keys. By encrypting your data, you can turn a major breach into a minor incident and reassure those affected that their data is still safe.
When encrypting, it’s essential to not only protect the data you store on your servers but also to secure the information that’s being sent and received. Data transmission represents one of the most common weak points for businesses. In the Internet of Things, for instance, 91% of transactions are unencrypted. This may be a blind spot for companies, but it’s definitely not for hackers. Make sure you’re encrypting your data every step of the way.
2. Too much access
While your employees must have access to the information they need without jumping through too many hoops, many companies err on the side of convenience when it comes to authorization. At best, businesses are giving out way too many unnecessary user accounts. At worst, they’re not putting any limits or regulations on who has access to what information.
This might seem harmless — you trust your employees, after all — but it opens up your information to all sorts of risks. Human error is the leading cause of data breaches. The more people who have access to your data, the more likely you are to face a breach.
Cut down permissions to only those who absolutely need the information. Create role-based user accounts rather than relying on a one-size-fits-all approach. This strategy will ensure your employees can get the data they need without access to anything they don’t.
3. Zombie accounts
It’s not just access among current employees that you need to worry about; you should also be mindful of access among former employees. It doesn’t matter whether previous employees quit, retired, or were fired — there’s zero reason they should be able to enter your network or view any proprietary data once they are no longer part of your company.
Get rid of any accounts tied to former employees, and enact a policy that immediately revokes access when an individual leaves the company. Make sure you have multifactor authentication set up to ensure employees need more than just a password to log in. That way, you can ensure former employees aren’t able to gain access through a colleague’s password.
4. Poor security SOP
Setting up standard operating procedures (SOP) for security should be considered an essential part of a company’s code of conduct. Not only should you draw up a plan for best practices, but you should also make sure your employees know how to implement every one of them. Provide training and perform regular check-ins to make sure that everyone is safeguarding sensitive data. After all, it only takes one employee to create a breach.
Security best practices shouldn’t stop with your employees, either. Regularly assess and adjust your policies regarding data collection, handling, and disposal. While it may seem like a good practice to gather as much customer data as possible, that just saddles you with more liability should things go wrong.
When looking at your form builder, for instance, ask yourself what information your application forms and feedback forms absolutely require. Rewrite the rules as much as necessary to keep everything safe. Just make sure everyone knows and understands those new rules.
To ensure that both company and customer data is secure, it’s imperative to integrate security management into your overall data management strategy. By following best practices, reassessing the information you collect regularly, and making sure employees maintain good data hygiene, you can ensure your data remains safe — and your customers remain happy.