August 16, 2019
Everyday Best Practices for Managing Data Security Risks
by David M. Wilson, Esq., Kegler Brown Hill + Ritter
Most businesses have begun to realize that privacy and data security are business issues, not just technical issues. While IT departments may do much of the heavy lifting, every employee is involved in keeping your business secure.
There are plenty of laws, regulations and requirements your business might have to comply with, such as Ohio laws, the California Consumer Privacy Act, and requirements buried in the contracts your business has with its vendors and customers. While compliance with those is a discussion to have with experienced counsel, there are a number of general best practices that apply to every business and are relatively easy to follow.
One of the most common threats to data security is a practice commonly referred to as spear phishing. This tactic uses emails that look normal and ask you to open attachments, click on links or reply with information. To combat it, think twice and pay attention before clicking on links or opening attachments. When in doubt, call the person who reached out to you and verify their request – do not use the phone number included in the email; look up the phone number through a genuine source.
Ransomware is a program that holds your computers and data hostage. To combat this tactic, keep your computers’ operating systems and software up to date. Most updates improve security and close back doors that bad actors may use to deploy ransomware on your system. It is also advisable to use traditional antivirus software for reactive protection. One of the most helpful tools against ransomware is regular backups. If your system is regularly backed up and a bad actor attempts to hold it hostage with ransomware, you may be able to restore your system without negotiating with the bad actor.
Accessing information outside the office carries all the same phishing concerns, along with the additional dangers of laptops and other devices being forgotten at the coffee shop, devices being stolen, or protected information simply being read over your shoulder. It should go without saying at this point, but avoid doing anything sensitive over public WiFi – always assume that a third party can see and access the information you are sending and receiving over public WiFi. Protect your laptops and mobile devices by running the most current operating system and software, and update whenever updates are available.
Mobile devices can be lost or stolen, so take extra steps to limit others’ ability to physically access them. You wouldn’t leave your front door wide open when you’re not home, so turn on your device’s passcode lock or PIN. Enable remote wipe and device tracking so that you can find a missing device or ensure its data won’t be accessed. In addition, it is generally advisable to log out of programs and webpages when you’re done with them and not to store usernames or passwords on your devices.
Larger data protection decisions, like bringing your operations into compliance with applicable laws and contractual requirements, require deeper evaluations of your policies and practices and need the participation of experienced counsel. However, protecting your business also involves ensuring that everyone within your organization understands and follows the requirements and general best practices, such as those outlined above.