Data Security Plan: 10 Data Protection Best Practices You Can’t Ignore
The most important New Year’s resolution an organisation can make is to implement a comprehensive information security plan.
According to the 2015 Global Cybersecurity Status Report, only 38% of global organisations feel prepared for a sophisticated cyber attack.
But any data breach can lead to financial and other consequences, with lost business topping the list.
The 2016 Cost of Data Breach Study showed that in the UK, the average total cost of a data breach increased from £2.37 million in 2015 to £2.53 million in 2016, with each breached record costing £102.
Here are 10 best practices that need to be part of a data security plan:
- Regular security risk assessment: Knowing where your organisation may be vulnerable will also reveal how to mitigate risks.
- Leadership: Appoint a Chief Information Security Officer (CISO) or other executive to oversee security risks and solutions as well as educating and leading the organisation in data protection best practices.
- Culture of security: Make protecting confidential information a company-wide commitment. As part of a culture of security, employees should understand the importance of data security and know what the right decisions are to protect information.
- Ongoing employee training: The 2016 Shred-it State of the Industry Report concluded that employee training is one of the most important strategies today to protect an organisation’s confidential information. But only 46% of surveyed companies in a recent study by Experian and Ponemon make training mandatory for all employees.
- Mobile security policy: Another report found that 67% of surveyed organisations had experienced a data breach as a result of employees using their mobile devices to access the company's confidential information. Best practices include using secure networks (not public WiFi) and not leaving hardware or any confidential materials in vehicles, hotels, etc.
- IT safeguards: Equip all hard drives with the most up-to-date IT system tools to detect and reduce the risk of security vulnerabilities. This includes anti-virus software, encryption, and other endpoint security tools.
- Compliance: Keeping up with the changing regulatory landscape was one of the top five compliance trends in 2016 identified by Thomson Reuters. More than one third of organisations surveyed spend at least an entire day per week tracking regulatory changes.
- Third-party suppliers: The PwC Global State of Information Security Survey 2017 showed that 21% of security incidents originate from suppliers and business partners, up 11% from last year. Have a process in place that evaluates the information security processes and commitment of third-party suppliers.
- Embedded security: Help direct employee behaviour with secure workplace processes and policies. A Clean Desk Policy, for example, directs employees to keep work areas clear of confidential information. A Shred-it All Policy specifies that all documents are destroyed when no longer needed. Replace open recycling bins with locked consoles. Have physical safeguards too, like customer sign-in.
- Document destruction procedures: Partner with a recognised document shredding company that has a secure chain of custody for the secure destruction of both paper and digital documents. There should be secure on- or off-site shredding of paper documents, and there should be a process for destruction of electronic media and hard drives.
Learn how a document management policy systematically protects information from creation to disposal with this free document management guide.