Data Security Best Practices

By Lisa Elkins, Security Officer at National Record Retrieval

Law firms and vendors all hold a lot of Personal Health Information, and it is very important that we do everything possible to protect it. Cyber security, data breaches, phishing, and ransomware are all hot topics lately. With the rise of the Internet of Things, billions of people all over the world are using countless devices to connect data, information, and knowledge. Those devices and connections may not always be secure, though. Here are some background and basic steps to help protect what is arguably the most valuable resource available.

Data and Information

Think of data like a building block. Each block is a piece of data. A block on its own may not be much, but when you stack enough blocks together, you can make a model of anything. That model represents information. Data, such as a first name, is not necessarily useful by itself, but stacked together with a last name and address it becomes profitable. Sometimes it can take thousands of blocks to make a set worth selling, but those block sets can be extremely valuable. Be vigilant about where data is stored, how long it is stored, and who has access to it to prevent a buildup of information worth selling.

Data Breaches

Data breaches, the unauthorized access of data, have been steadily rising since 2005. Breaches can result from malware attacks such as ransomware, from replying to phishing emails, or from theft of computers, drives, or paperwork. Breaches come in all shapes and sizes. From leaving sensitive records in public dumpsters to unknowingly buying a company that fraudulently sold data, the potential for a data breach lives on a wide spectrum.

Security Basics

Whether using paper, digital, or a hybrid of both to do business, security should always be a major consideration in the use and storage of data. The following steps can help reduce unnecessary risks:

Perform a Risk Analysis – Identify what data currently exists and what potential risks there are to that data. Some basic questions to ask would be:

  • Are there paper records stored in the office?
  • Are there external hard drives, USBs, or CDs?
  • Are these items stored in a locked or restricted area, or are they out where anyone could access them?
  • Do all computers have antivirus software installed?
  • Are computers and web browsers kept up to date?
  • Do employees know how to spot a phishing email and what to do with it?
  • Are employees required to have unique, individual usernames and passwords to access computers, websites, and email accounts?

There may be more that the business needs to do to address potential risks, so plan to make lists of owned data and known risks and revisit them often to evaluate all security measures.

Create and Implement Security Policies – It may seem like common sense not to share usernames and passwords, but without a written policy it becomes difficult to track and enforce the business’s security efforts. Policies and procedures do not need to be long or complicated, but they do need to be communicated to employees. A simple list of ‘dos and don’ts’ along with contacts for technical support or IT vendors is a great start. It also ensures that employees are aware that standards exist, and that security is part of the company culture.

Train Employees – There are many resources available to improve awareness about data security. Online safety is a major concern many businesses face, especially regarding email use. Train all employees on how to identify potentially malicious emails and websites. Also, make sure employees know why it is necessary to limit access to data within the business. Getting employee buy-in will make the transition to securing data easier. Establish a system so that employees who need more access have it, while those who do not need it do not have it. This can be done simply for physical items with locked cabinets and limited keys given to specific employees. Access to information digitally can be limited by granting or denying access to certain shared drives or folders and by enforcing username, password, and workstation policies. Even in small businesses, not everyone needs access to everything all the time. Requiring an employee to ask permission to use certain data could be the difference between catching a bad actor (employee causing security issues) and allowing a data breach.

Create and Implement a Data Retention Schedule – Data is a necessary part of any business, but there is such a thing as too much data. Destroying data that is no longer needed and not statutorily banned from destruction is beneficial for security and legal reasons, as all available data can be subpoenaed during litigation. Data that is no longer needed for active business activities should be archived. Storing active and inactive data separately helps reduce the risks of data getting lost or taken. Archived data should be kept in the most secure area available to discourage bad actors or cyber threats from gaining access. Archived data should only be kept as long as it has the potential to be useful or as long as statutorily necessary. Many state and federal statutes vary, but the most stringent statute for the type of data affected should be used to create the retention schedule. Physical data should be manually destroyed according to the retention schedule by at least two employees or by a trusted vendor. Digitally stored data can have the retention schedule automatically applied by an IT vendor or by using software. Below are acceptable methods for destroying various types of data:

  • Paper and CDs can be burned, shredded, pulverized, or pulped
  • USBs and hard drives can be degaussed, shredded, or crushed
  • Electronic files can be overwritten or encrypted using different software/hardware prior to being deleted
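
To show what applying a retention schedule with software can look like, here is an added example (not part of the original article or any National Record Retrieval tooling). The record types, year counts, one-year "active" window, and file names are all constructed assumptions; the script only proposes an action per record and deletes nothing.

```python
from dataclasses import dataclass
from datetime import date

# Constructed schedule: years each applicable rule requires a record type to
# be kept. Placeholder figures for illustration only.
STATUTORY_YEARS = {"medical_record": [6, 10], "billing": [7]}
ACTIVE_YEARS = 1  # assumption: unused for a year means no longer active

@dataclass
class Record:
    name: str
    kind: str
    closed_on: date
    last_used: date
    legal_hold: bool = False  # destruction barred, e.g. pending litigation

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def retention_years(kind):
    # Apply the most stringent (longest) period that covers this data type.
    return max(STATUTORY_YEARS[kind])

def classify(rec, today):
    if rec.kind not in STATUTORY_YEARS:
        return "review"  # unknown type: a person decides, never auto-destroy
    if today > add_years(rec.closed_on, retention_years(rec.kind)):
        return "hold" if rec.legal_hold else "destroy"
    if today > add_years(rec.last_used, ACTIVE_YEARS):
        return "archive"  # move to separate, more restricted storage
    return "active"

def plan(records, today):
    # Dry run: returns the proposed action per record and deletes nothing.
    return {r.name: classify(r, today) for r in records}

SAMPLE = [  # constructed records
    Record("smith.pdf", "medical_record", date(2012, 3, 1), date(2012, 3, 1)),
    Record("jones.pdf", "medical_record", date(2012, 3, 1), date(2012, 3, 1), True),
    Record("lee.pdf", "medical_record", date(2017, 1, 15), date(2017, 2, 1)),
    Record("inv-041.pdf", "billing", date(2024, 1, 10), date(2024, 5, 20)),
    Record("notes.txt", "unclassified", date(2010, 1, 1), date(2010, 1, 1)),
]

if __name__ == "__main__":
    for name, action in plan(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name:12} {action}")
```

With the sample date of 1 June 2024, `lee.pdf` is only archived because the longer 10-year period applies; under the 6-year figure alone it would already be due for destruction.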

Monitor Security Efforts – This is not a once and done exercise. Training and policy evaluations should be performed at least annually. As new risks become evident, or as new employees are hired, reevaluate the current policies and tools to make sure they are working as intended in the business. There is no harm in adjusting employee access to data up or down to accommodate changes in job duties or staffing needs in different parts of the business. Those adjustments should simply be monitored and revoked when no longer needed.