It’s 2020: Do You Know Where Your Data Is?

The days when a company’s most sensitive and essential data could be stored in a few file cabinets at headquarters are long gone.

This post is one in a series designed to help Zenefits customers and other small and medium-sized businesses keep their company secure and ready to do business. It emphasizes the importance of understanding where critical data exists within the company and provides guidance for creating and maintaining a data inventory. It’s all part of our mission to tilt the advantage to small and medium businesses to help them succeed, and to provide a valuable service to companies without their own security expertise. This is one way we are #InitTogether, advocating for our customers.

The days when a company’s most sensitive and essential data could be stored in a few file cabinets at headquarters are long gone. Today, even small companies manage more—and more disparate—data than ever before: employee records, sales data, customer orders, supplier inventories, accounts payable, accounts receivable. This kind of data isn’t kept in manila file folders. Most of it is digital, which can make tracking a daily challenge.

Yet, it has never been more important to be able to do just that. By some estimates, more than 40% of companies don’t know where their data is stored. And 65% of companies collect so much data that they’re unable to categorize or analyze it. A company’s inability to locate some of its most critical assets is a big problem for security—if an attacker should gain access to an unprotected asset and disclose a company’s sensitive data, it could be devastating for the company’s reputation, not to mention the potential financial costs of a breach. Data breaches don’t just happen to large companies. According to the 2019 Verizon Data Breach Investigations Report (DBIR), 43% of breaches involved small business victims. We hope we can drive that percentage down by providing awareness and practical steps small businesses can take to secure their data.

It all starts by understanding where critical data exists and ensuring that it is secure and available. After all, you can’t truly control your data if you don’t have a handle on where it is located. That’s why you need a data inventory.

Determine Which Data is Most Critical to Your Business

When creating a data inventory, start by including the data that is most critical to your business. Think about the data that you use every day—the data it would be difficult or impossible to operate your business without. Depending on the nature of your business, your critical data could be information about your customers and their preferences. It could be information about upcoming orders. It could be information about your employees and their work schedules. Or about your suppliers—which supplies are on their way? What do you need to be ready to receive? You also need to consider the value of your data to someone outside of your company. For example, information about your employees—such as their social security and ID numbers—is valuable on the black market where it can be used for identity theft or other types of fraud.

Make Sure Your Critical Data is Both Secure and Available

Of course, you keep backups of critical data. Think: are you able to access that backup if an emergency or natural disaster makes it impossible to access your office? For small businesses, cloud providers are typically best positioned to appropriately secure data. Cloud storage is one good way to have data that’s both secure and available. Make sure to include where your data backups are stored as part of your data inventory. And consider who has access to the data, from key employees to business partners—once they have access to your data, how do they protect access to it? Leverage the cloud provider’s recommendations and guides to keep your data secure on their platform. Another option that some companies prefer is a hybrid solution that uses both local and cloud storage. This redundancy will help you prepare for the types of disasters / challenges your area may face.

Incorporate the Components of an Effective Data Inventory Program

According to the National Cyber Security Alliance, a data inventory program starts with a detailed inventory list of data and physical assets. Record the manufacturer, make, model, serial number and support information for hardware and software. For software, know the specific version that is installed and the last time it was updated. Know where data and technology are stored and categorized and who has access to both, including access to any backups. Keep this list updated routinely by considering how long you plan to keep the data. For example, if it’s supplier data, will you keep it until you are no longer working with that supplier? Or are you mandated to keep it for a set amount of time?  Routinely evaluating and keeping the inventory up to date will keep you ready and prepared when challenges arise.

Use Stay Safe Online as a resource for additional information, and watch our blog for additional posts in this series.