Protecting sensitive data has never been more of a challenge, and with the EU’s passage of its monumental General Data Protection Regulation (GDPR) and similar measures in California and elsewhere, the stakes have never been higher.
Companies that fail to protect the personal data of their employees can face crippling fines. But even with the highest levels of encryption and careful attention to all security vulnerabilities, it is impossible to create an airtight wall around all of your company’s data.
That’s because the biggest threat to security may not be the hacker clawing away at your defenses while you fight to keep him at bay. It may be someone far less suspicious – like the person in your HR department who accidentally leaves a spreadsheet open on his computer or sends sensitive information through email or some other channel that is far less secure than your own system.
These kinds of mistakes can happen at any time. A number of start-ups looking to disrupt payroll and payments are building solutions to these issues by reducing manual processing and pushing these industries toward automation, where the scope for human error is naturally limited.
There are also steps your company can implement immediately to reduce exposure to error even more. The following tips can neutralize the biggest threat of all – the average human being working at your company.
1. Install Access Permissions
The fewer people with access to data, the lower the chances of data being left exposed inadvertently. It’s really that simple. Controlling the flow of data starts with restricting people’s ability to reach it unless they have a good reason. Those who have to work with the data need access; beyond that, every additional person’s computer that can reach the data is a potential vulnerability. Even if the members of your workforce would never think of accessing data they don’t need, their ability to do so could create a point of entry for a skilled cyber-criminal.
Today, it’s simple to install access permissions to encrypted data. Those systems typically allow administrators to choose who can reach different sections within the restricted area. Deciding who has what access can often be tricky – some people need some access some of the time – though special permission can also be granted in outlier cases. Start with the lowest possible number, and work up as needed.
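The idea of starting from zero access and adding only what is needed, with one-off exceptions for the outlier cases, can be expressed directly in code. The following is an added illustration, not code from the original article; the roles, user names, resources and in-memory policy store are all constructed for the example.

```python
"""Deny-by-default access checks with time-limited exception grants (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Standing permissions: role -> set of (resource, action).
# Anything not listed here is denied; that is the "lowest possible number" starting point.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "hr_generalist": {("employee_directory", "read")},
    "engineer": set(),  # no standing access to personal data at all
}


@dataclass
class ExceptionGrant:
    """A one-off grant for an outlier case: one user, one resource/action, with an expiry."""
    user: str
    resource: str
    action: str
    expires_at: datetime
    reason: str


@dataclass
class AccessPolicy:
    user_roles: Dict[str, Set[str]]
    grants: List[ExceptionGrant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def grant_exception(self, user: str, resource: str, action: str,
                        hours: int, reason: str, now: datetime = None) -> ExceptionGrant:
        """Record a temporary grant; it expires on its own, so nobody has to remember to revoke it."""
        now = now or datetime.now(timezone.utc)
        grant = ExceptionGrant(user, resource, action, now + timedelta(hours=hours), reason)
        self.grants.append(grant)
        self.audit_log.append(
            f"GRANT {user} {action}:{resource} until {grant.expires_at.isoformat()} ({reason})")
        return grant

    def is_allowed(self, user: str, resource: str, action: str, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        # 1. Standing permissions that come with the user's roles.
        for role in self.user_roles.get(user, set()):
            if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
                self.audit_log.append(f"ALLOW {user} {action}:{resource} via role {role}")
                return True
        # 2. Unexpired exception grants, matched exactly on user, resource and action.
        for g in self.grants:
            if (g.user, g.resource, g.action) == (user, resource, action) and now < g.expires_at:
                self.audit_log.append(f"ALLOW {user} {action}:{resource} via exception ({g.reason})")
                return True
        # 3. Default deny, logged so that unexpected attempts are visible to whoever reviews the log.
        self.audit_log.append(f"DENY {user} {action}:{resource}")
        return False


def build_demo_policy() -> AccessPolicy:
    """Constructed sample organisation: three users, each with one role."""
    return AccessPolicy(user_roles={
        "alice": {"payroll_clerk"},
        "bob": {"engineer"},
        "carol": {"hr_generalist"},
    })


def run_demo() -> Dict[str, bool]:
    """Walk through the scenario with a fixed clock so the results are reproducible."""
    policy = build_demo_policy()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results = {
        "clerk_reads_payroll": policy.is_allowed("alice", "payroll", "read", now=t0),
        "engineer_reads_payroll": policy.is_allowed("bob", "payroll", "read", now=t0),
        "hr_reads_payroll": policy.is_allowed("carol", "payroll", "read", now=t0),
    }
    # Outlier case: bob helps with a year-end audit for two hours, read-only.
    policy.grant_exception("bob", "payroll", "read", hours=2, reason="year-end audit support", now=t0)
    results["engineer_reads_payroll_during_grant"] = policy.is_allowed(
        "bob", "payroll", "read", now=t0 + timedelta(hours=1))
    results["engineer_writes_payroll_during_grant"] = policy.is_allowed(
        "bob", "payroll", "write", now=t0 + timedelta(hours=1))
    results["engineer_reads_payroll_after_grant"] = policy.is_allowed(
        "bob", "payroll", "read", now=t0 + timedelta(hours=3))
    results["denials_were_logged"] = any(line.startswith("DENY bob") for line in policy.audit_log)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The two design choices worth copying into a real system are that the policy denies anything it has not been explicitly told about, and that exceptions carry their own expiry, so a temporary grant cannot quietly become permanent.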
2. Reduce the Number of Passwords
No matter how much effort you put into creating passwords that are virtually untouchable by hackers, you are never as safe as when you bypass the need for passwords altogether. Today, there are effective ways to keep passwords to a minimum, such as the Single Sign-On (SSO) option. That lets you sign in to each application without entering a separate password for it. Instead, the application accepts your identity from a trusted account such as LinkedIn or Google.
With SSO, your computer system no longer needs to store passwords at all, eliminating one potential target for a cyber-criminal. Many websites already use a similar system for verifying your identity, allowing users to enter their accounts using their Google or Facebook accounts. Users like it because it saves time and eliminates the need to remember passwords and fill them in. By reducing the number of passwords in operation, it helps with data security as well.
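What the application side of SSO actually does is check a signed assertion from the identity provider rather than a password, so there is no password to store. The following is an added example, not code from the original article and not any real identity provider’s protocol: it uses a deliberately simplified, constructed token format (an HMAC-signed JSON body) in place of the signed tokens real providers issue, and the secret, issuer URL and application identifier are all made-up values.

```python
"""Relying-party check of an identity-provider assertion (simplified, illustrative)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed values for the example. In a real deployment the application would verify
# the provider's public-key signature instead of sharing a secret with it.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
IDP_ISSUER = "https://idp.example.test"  # hypothetical identity provider
APP_AUDIENCE = "payroll-app"              # this application's identifier at the provider


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, audience: str, ttl_seconds: int = 300,
                        now: Optional[int] = None) -> str:
    """Identity-provider side: issued only after the user authenticated THERE.

    The application never sees the user's password; it only sees this signed statement."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "aud": audience, "sub": subject,
              "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def app_verify_assertion(token: str, now: Optional[int] = None) -> Optional[Dict]:
    """Application side: accept the user only if the assertion is genuine, meant for us, and unexpired.

    Returns the claims on success and None on any failure (so callers cannot half-trust a token)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_b64 = token.split(".")
        expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature; checked BEFORE the body is parsed.
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):  # malformed token, bad base64, or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # A token issued for another application, or by anyone but our provider, is worthless here.
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_AUDIENCE:
        return None
    # Short lifetimes limit how long a leaked assertion stays usable.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    token = idp_issue_assertion("alice@example.test", APP_AUDIENCE)
    print("accepted:", app_verify_assertion(token))
    print("rejected (wrong audience):", app_verify_assertion(
        idp_issue_assertion("alice@example.test", "other-app")))
```

The checks that matter are the same ones a real SSO library performs on a provider’s token: signature first, then issuer, audience and expiry, with any failure treated as a hard rejection.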
3. Make Sure All Updates Are Installed
Online security is typically a war between the good guys trying to keep your data safe by building a fortress around it, and the bad guys who are busy scanning the outer walls for signs of weakness. When a weakness is discovered, it is typically reported and software companies rush to create a patch to close it. But unless the patch is downloaded and installed by every member of your team, your computer network remains vulnerable to a known weakness.
In many companies, employees tend to be slow to install updates on their computers. An update on Windows, for example, takes time and prevents the worker from using the computer while the update installs. So many people wait for a convenient time – one which never actually arrives. Making sure all staff members realize that updates are necessary for strong security can help close a potential vulnerability in the shortest span of time.
4. Avoid Sending Data by Email
A key element of GDPR compliance is the need to use secure channels for sending data that contains any personal information about employees. While the regulation formally applies only to EU citizens or companies doing business in the EU, it’s still smart to follow the directive for the sake of data safety.
In practice, that means avoiding channels such as email, which is vulnerable in numerous ways. One typical ploy by hackers is the “spoof” message, which looks exactly like a Gmail page and contains either malicious programs or requests for information. When the unsuspecting recipient opens the message, believing it’s from a trusted source, he may follow the instructions by clicking a link or sending private information. This is particularly effective around tax time when people typically have long email exchanges with accountants. Avoid the risk by setting a rule that no sensitive data can be sent through email.
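A rule that no sensitive data leaves by email is easier to enforce if the mail system checks outbound messages before they go. The following is an added example, not code from the original article or from any particular mail product: a small outbound scanner that flags payment-card numbers (validated with the Luhn check), IBANs (validated with the mod-97 check) and a constructed list of payroll keywords, and masks what it found so the log itself does not leak the data. The sample messages are constructed; the card number and IBAN are the publicly known test values, not real accounts.

```python
"""Outbound-email check for sensitive payroll data (illustrative DLP rule)."""
import re
from typing import List, Tuple

# Constructed keyword list; a real policy would be tuned to the organisation's documents.
SENSITIVE_KEYWORDS = ("payslip", "salary", "date of birth", "national insurance", "social security")

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Candidate IBANs: country code, two check digits, then 11-30 alphanumerics with optional spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map A=10..Z=35, mod 97 == 1."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without re-exposing the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) findings for one outbound message body."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    for m in IBAN_RE.finditer(text):
        compact = m.group().replace(" ", "")
        if iban_ok(compact):
            findings.append(("iban", mask(compact)))
    lowered = text.lower()
    for word in SENSITIVE_KEYWORDS:
        if word in lowered:
            findings.append(("keyword", word))
    return findings


def should_block(text: str) -> bool:
    """The rule from the article: any sensitive finding means the message does not go out by email."""
    return bool(scan_outbound(text))


# Constructed sample messages (the card number and IBAN are standard published test values).
SAMPLE_MESSAGES = {
    "harmless": "Meeting moved to 3pm, room 42 on floor 12. See you there.",
    "card_and_iban": "Card 4111 1111 1111 1111 and account GB82 WEST 1234 5698 7654 32 for the refund.",
    "keyword_only": "Please find attached the payslip for last month.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, "BLOCK" if should_block(body) else "allow", scan_outbound(body))
```

The pattern checks deliberately validate their candidates (Luhn, mod-97) so that invoice numbers and meeting-room codes do not trigger the rule; the keyword list is the part that needs the most local tuning.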
5. Keep Sensitive Data Off of USB Drives
USB drives small enough to carry on a keychain have proved popular with people who give presentations at conferences, usually on hardware provided by the organizers. These small drives can hold a great deal of information, and it’s tempting for employees to use them to store data. However, they are notoriously easy to lose, and the information they hold is easily copied onto the hard drive of any computer they are plugged into.
Keeping data safe means thinking ahead and finding the potential breach before it happens. That means keeping information contained as much as possible. USB drives are convenient but vulnerable, just like email and passwords. Reducing reliance on those, while limiting the number of people at your company who have access to sensitive information, can raise the level of data security all by itself. Adding strong encryption and staying active in the fight against hackers can help you stay as compliant and as safe as possible.