5 Essential Elements of a Data Protection Plan

Imagine the effect on your business if a data breach resulted in unauthorized access, destruction, or theft of your customers’ data.

This post is part of a series designed to help Zenefits customers and other small / medium-sized businesses keep their company secure and ready to do business. This post helps businesses develop a robust approach to protecting their company data. It’s all part of our mission to tilt the advantage to small and medium businesses to help them succeed, and to provide a valuable service to companies without their own security expertise. This is one way we are #InitTogether, advocating for our customers.

In 2006, Clive Humby, the British mathematician, came up with the phrase “data is the new oil.” Small and medium-sized business owners know just how accurate this saying is. Data is pivotal to managing, rapidly growing, and achieving success with your business.

Think of it: Every function of your business relies on data. Employee information, customer preferences, sales forecasts, supplier orders, accounts payable, and accounts receivable are leveraged on a daily basis. There’s other data, too: your company website, trade secrets, patents, leases, equipment maintenance records, marketing materials. And the list continues, imagine the effect it would have on your business if a data breach resulted in unauthorized access, destruction, or theft of your customers’ data.

And if you think data breaches happen mostly to large companies, consider this: according to the 2019 Verizon Data Breach Investigations Report (DBIR), 43% of data breaches involved small business victims. According to the StaySafeOnline website, a new survey from the National Cyber Security Alliance (NCSA) found that an overwhelming majority of small businesses believe that they are a target of cybercriminals. These trends highlight the growing awareness among small businesses about the threat of a cyberattack.

The impact of a data breach can be substantial, including legal exposure, loss of customer confidence in your business, and substantial financial loss. You can avoid becoming a victim (and keep your customers safe) by taking some straightforward steps to protect your data. After you’ve read our first post in this series and create a data inventory, consider these next steps:

  1. Decide Who Can Access Data 

An essential & early step in protecting your company data is to closely manage who has access. Think of this as the “Triple A” approach to data protection: Authentication, Authorization and Audit.

Authentication: Users need to prove their identity before accessing systems or records. Typically, authentication is accomplished with a password, but some systems may use other technologies as well, such as a token code, access card, fingerprint, or facial recognition. A critical property of authentication is the ability to trace actions back to an individual person.

Authorization: While authentication proves your identity; authorization specifies what you can do with that system & the records held within. Authorization is all about the roles or permissions a user has: Are they an administrator? Do they have the ability to edit data? Do they have the ability to delete data? Are they able to copy or export the entire database?  Authorization methods are typically used to limit access to the minimum permissions needed to complete the worker’s daily job.

Audit: When your employees access a record or download a file, you want to keep a record. Most modern record management & business systems will do this for you automatically.  This is not only helpful to track the usage of your data, but also to help you keep tabs on where your data is coming from and moving to. A strong audit system goes beyond holding people accountable for making changes, adding or deleting  records, or making other modifications – it can give you valuable intelligence on the most frequently used (and thus most impactful/valuable) data sets.

  1. Get Employees Involved – They Play a Critical Role in Access Control

Employees can and should participate in access control by understanding who’s responsible for keeping access permissions appropriate and correct. Access should align to the workers that have a business need to use the data.  When considering assignments for data owners, align ownership to the impact of data loss/corruption (i.e. the staff member with the most impact from missing or bad data may be the best owner for that data). Employees can also help limit access when they understand the objective of access controls and are involved in the process to maintain those controls. Make sure employees know who to tell if they identify over-permissioned access, inappropriate use of data, or another issue which may impact your business.

  1. Regularly Back Up Your Data and Stay Consistent 

Many companies are unsure about how frequently they should back up key data. The answer can be quite simple. Ask yourself: if you lose one hour of data, how will that impact your business?  What about one day or one week worth of data?

To make this job easier, automate backups and store them in a location separate from your primary data. Don’t rely on remembering to do it. Keep several recent backups in case you find an issue or missing data after you perform your next backup.

Use a backup mechanism that will still be accessible if your primary storage is impacted (e.g. your backup must be available and usable if you need a new computer/office). Plan ahead and take steps to prevent abuse. For example, what do you do if an employee (mistakenly or intentionally) destroys the backup?

  1. Keep Your Software Updated

Because online threats are constantly changing, it’s essential to keep your software and security protections up to date. Adjusting your software to auto-update means you can set it and forget it. Most modern operating systems and applications provide this capability and can update when you’re not using the system. And while you’re at it, don’t forget to update mobile phones, tablets and their apps.  Make the time to reboot your system or reload your browser when prompted to apply the updates.

Keeping your business secure and your customers’ data safe is a team effort that doesn’t end.  These tips (and our earlier post in this series on Data Identification and Data Inventory) will help you get started and plan your approach. As you work through your data protection plan, keep in mind what is most impactful (and important) to your business. That’s the starting point. It can also be helpful to consider the expectations your customers have (and any regulations that apply to your business) for how you prioritize your data protection efforts.

Use Stay Safe Online as a resource for additional information, and watch our blog for additional posts in this series.