Your reputation is everything. Clients and customers give you their business because they trust you to deliver. Employees come work for you because they trust you to treat them respectfully and compensate them fairly, but also because they trust you to keep them safe. Overnight, a single data security breach can change everything.
In the digital age, the people who work with you must also be able to trust you to protect their personally identifiable information (PII). Cybercriminals are always trying to access PII for financial gain. It’s the employer’s job to keep them out.
Why Protecting Your Data Security Matters
Across all industries, protecting PII has to be a top priority for every business. A single serious data breach can have devastating financial, legal and social consequences.
Financial: Researchers at Ponemon Institute each year analyze recent data breaches to calculate the average cost incurred by an organization that experiences such a breach. For 2020, the average cost of a breach for American companies is a staggering $8.64 million. (The global average for 2020 is just $3.86 million.) Records containing customer PII are the most expensive to lose; according to the report, in 2020 a breach that exposes PII will cost an organization an average of $150 per compromised record. The actual cost of a breach varies widely by industry and is determined by a number of factors.
Legal: There’s currently no federal law governing data security practices, but at least 25 states have their own data security laws on the books. Many of these statewide data security laws are set up to protect the states’ residents, not just the businesses that operate within the state. For example, in Massachusetts, regulation 201 CMR 17 sets standards for anyone who owns or licenses a resident’s first name/initial and last name in combination with their Social Security number, license/ID number or financial account information. Any organization that has records containing this kind of information about a Massachusetts resident is legally required to safeguard it and protect it from threats. Even if your business operates in a state without data security laws, you should be diligent about data security if you have any out-of-state customers.
Also, while there’s no overarching federal data security law, all states and U.S. territories have passed legislation about breach notification. This means that, if you experience a data breach, you may be legally required to notify anyone whose PII could have been exposed.
Social: While the financial and legal risks of a data breach are significant, the damage to your reputation could be irreversible. Because of notification laws, it’s rare for a business to be able to keep news of a breach private. Even if the nature of your breach doesn’t meet the state’s notification law threshold, the word could spread via social media or even through local news outlets. If you heard someone you work with had exposed PII, wouldn’t you be cautious about trusting them with your information going forward?
Data Security Best Practices
Every business is unique, but these are some of the data security best practices that make sense for most organizations.
- Make sure you know what kind of data you have. If you’re going to protect all your data, you have to know what and where it is. Some companies undertake a data security risk assessment for this purpose. Think of it as the data security version of a home inspection: a full-picture look at the current state of your data and its associated risks.
- Create and enforce a data security policy. All businesses that handle data of any kind should have one. A data security policy is essentially a document that states an organization’s commitment to protecting data security and summarizes the policies that its employees are expected to follow. For example, what security measures are required for remote workers? What kind of data are employees allowed to share with people outside the company, and what kind of data should only be shared within the company via secure network? What protections are in place around payroll security?
- Adopt strict data destruction policies. Don’t be so focused on keeping out hackers that you forget about the real physical risks to your data. One distracted employee tossing paper payroll files containing employee PII in the trash could cause a breach, if someone comes along after them and realizes the value of that information. Use a data destruction company to destroy all physical files and anything with a memory (devices, thumb drives, CDs, employee badges, etc). Be sure to address data destruction policies for remote workers.
- Set high standards for passwords. Require employees to use complex passwords. Establish mandatory reset periods so employees can’t use the same passwords for months and months. Consider using two-factor authentication to protect files containing PII, limiting who can access this information. (Your password and data destruction policies may be part of your data security policy.)
- Consider data loss prevention software. One of the reasons many breaches are so expensive is that they’re undiscovered for months, giving thieves plenty of time to wreak havoc. For smaller businesses with minimal IT support, data loss prevention software can be helpful for identifying security issues right when they start.
- Train and regularly retrain employees on data security. Human error is a top cause of data breaches, and anyone within your organization could be a culprit. Data security training can help everyone identify privacy issues. For example, phishing emails are a major security weakness, so you may want to do phishing awareness training for new employees and on a recurring basis for all employees.
- Have a data breach response plan. Breaches can happen even in businesses that have followed all data security best practices. Having a data breach response plan allows you to mobilize quickly if the unexpected happens.
With data security, an ounce of prevention is worth a pound of cure. Keeping your business’s data safe is always easier than cleaning up the aftermath of a breach, or trying to regain the trust of your employees and customers. Using secure tools to protect PII is a way of protecting your business’s future.