Part 2: Cyber Security Awareness Month Series
Your biggest data security risk isn’t hostile outsiders — it’s negligent insiders. Most insider threats in cyber security come from a lack of clear policies and consistent training. In Part 1 of our Cyber Security Awareness Series, we discussed the damage breaches can do to your company and your reputation. In Part 2, we explain what policies your company should have to keep your private information private.
Secure Business Data Policies Every Company Should Have:
Basic Business Data Security Policies
Strong passwords are the most important defense your company has. Your policy should require passwords to:
- Be 12 characters or longer
- Use uppercase and lowercase letters, numbers and symbols
- Avoid easily-guessed patterns, like the word “password” or the user’s birthday
- Be changed at least once every 90 days
Your policies should also instruct users to report any potential enterprise data security breach — even if it seems minor. An on-call admin should immediately investigate incidents, and secure business data and user accounts as necessary.
Policies to Categorize and Secure Business Data
Organizations need to identify, segregate and protect confidential or sensitive data. Your organization’s needs and industry compliance rules will largely determine what counts as secure business data, but there are some commonalities.
Personally Identifiable Information (PII) is regulated across industries. Details about customers and workers such as name, address and Social Security number should generally be treated as confidential. Your company should also have policies to secure business data involving trade secrets, or sensitive conversations such as performance reviews.
With PII, context is everything. For example, an administrator telling employees “John isn’t coming in tomorrow” is perfectly acceptable, but an HR manager telling that admin, “John is undergoing a knee replacement tomorrow” is sharing protected health information under HIPAA. To secure business data, HR staff and other workers need to understand where to draw the line.
Corporate Data Security Training
Good policies alone won’t secure business data. You need to create a culture of cyber security awareness, where employees work together to protect shared information.
Frequent training is crucial, from the CEO down. Ideally, organizations should foster a collaborative process where everyone can discuss corporate security on an equal footing. Higher-ranking workers have access to more secure business data, which means they can cause more harm if they screw up. Your IT Security initiative will only succeed if they’re willing to lead by example.
Learning to Secure Business Data is a Process
Good data security policies are a start, but your organization also needs to adopt the right tools and technical controls. You can also use these resources to boost your cyber security awareness:
- Online Privacy Tips from 4 Security Experts
- Keeping Your Private Information Private Doesn’t Need to be Hard
- What is the Best Secure Email Service
- Journey of an Unencrypted Email
- HR, HIPAA and Email: Requirements for Employee Health Data
Stay tuned for Part 3 of our Cyber Security Awareness Month Series, when we’ll share indispensable tools and tricks to keep business data secure.