Corporate data protection: how to ensure information security
If you have just founded a startup, or are thinking of starting one, there is one subject you cannot afford to ignore: data security.
Digitization offers businesses many opportunities and benefits, but it also presents some pitfalls that can have serious repercussions on the fortunes of a business: one among them is the possibility of financial data and other sensitive information falling into the wrong hands.
Do not underestimate this aspect: business data are among the most valuable assets a company has. The adjective “valuable” is not chosen at random. In late 2019 Thomas Harrer of IBM said:
“In the next 3 years, the value of data will increase, making it even more valuable than it is today. The more efficient data storage is, the greater the benefits to your business will be.”
The facts today unquestionably confirm his “prophecy.”
It’s time, then, to understand why business data is really so valuable and to find out how you can ensure the security of your startup‘s data.
The importance of corporate data protection
Business data represent the history, distinctive features and uniqueness of your startup. We can say, therefore, that it is with this information that you have the opportunity to secure a competitive advantage over competing companies.
The importance of protecting your company’s data is therefore tied to the need not to lose a body of information that is critical to the strategic and operational management of your startup, but it is also (and, in many cases, especially) tied to the risks you run if that information is lost or leaked. Bear in mind, too, that protecting customer data is not only important: it is also required by law.
Risks associated with failure to protect data
In practice, a failure to protect corporate data can take several forms: a company may be exposed because it has no in-house IT team or no staff properly trained on the subject. A corporate website, more specifically, may be at risk because of mistakes made in the design phase, but also because it runs outdated or insecure software.
All these failures leave the door open to different types of events that can undermine data security. Your mind, at this point, will probably have immediately gone to external cyberattacks aimed at getting hold of financial and other sensitive information; you should know, however, that cases of misappropriation of data attributable to co-workers or employees are also not uncommon.
Whatever the triggering event, remember that any “crisis” could cause your startup financial damage (even very significant) and compromise (sometimes irreparably) the trust of your customers and your investors.
Corporate data protection plan
In light of what has just been said, the need for an enterprise data protection plan for your startup should now be clearer.
Such a plan cannot and should not be a one-off intervention that fixes an individual vulnerability; it should be an ongoing process aimed at preventing each threat and minimizing its possible effects.
There are many steps to put into practice, and for some you may need the help of professionals, but it is essential that you are clear on a few points. We have called them the 3 cornerstones of enterprise data security management.
Corporate data access and confidentiality
In order to be truly effective, a corporate data protection plan cannot disregard certain cornerstones, the first of which concerns access and confidentiality of corporate data. This means that one must first identify all the data available to the company and also who within the company has access to that information.
Software and backup
Regularly using reliable and up-to-date protection software is, as already pointed out, very important; the same applies to keeping operating systems and applications patched, since outdated software is one of the most common entry points.
Another absolutely necessary practice is to back up company data periodically. To minimize human error, automate this activity. It is also a good idea to keep two copies in two different places, one local and one remote (the advice here is an encrypted cloud destination, with the data encrypted before it leaves your systems so that the provider cannot read it).
Staff training
External attacks generally target technical flaws in the system, but they can also exploit human weaknesses. Employees often do not know the principles and rules of data security, which is why adequate training must be provided to all staff, including those who have no direct access to sensitive data: they too are expected to handle company information with discretion, and a phished account with no special privileges is still a foothold for an attacker.
In order to properly train employees, it is necessary to organize periodic meetings on various topics (from “how to avoid threats from the Web” to “how to securely copy data and work documents,” via efficient and secure management of personal and work passwords). It is also very useful to identify a specific figure to whom everyone can turn for any clarifications or concerns.
Protection and integrity of corporate data: basic precautions
Now that the pillars on which a corporate data protection plan must rest are clear, we can get more specific and look at some practical measures.
Backup and Disaster Recovery
Have you ever heard of Disaster Recovery? These two words refer to the approach a company takes to restore the operation of its IT system following a critical problem, which may be related to an external attack or human or technological error.
The loss of business data is a serious blow to a company, so it is essential to limit the damage by restoring the system as soon as possible. A periodic data backup makes this possible, but it must be done with certain precautions (some have already been mentioned).
The backup must be kept on a device other than the one the system usually runs on; otherwise a critical failure of that system (or ransomware running on it) would destroy the backup copy as well.
There is one more rule to follow: test the backup periodically by actually restoring it, checking that the archive is intact and that the restored files match the originals. A backup that has never been restored gives no guarantee that you can recover the system when you need to.
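The backup routine described above (archive the data, keep a local copy and a second copy elsewhere, then prove the backup restores) as an added, self-contained example; it is not code from the original article. It assumes the "remote" destination is a plain directory standing in for an encrypted cloud bucket, uses only the Python standard library, and builds its own two-file sample dataset in a temporary directory:

```python
"""Backup to a local and a second destination, then prove it restores (added example)."""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file below root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, local_dest: Path, remote_dest: Path, name: str) -> dict:
    """Archive source, store the archive locally and copy it to a second location."""
    local_dest.mkdir(parents=True, exist_ok=True)
    remote_dest.mkdir(parents=True, exist_ok=True)
    archive = local_dest / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    # Assumption: the "remote" destination is a plain directory standing in for an
    # encrypted cloud bucket; in production encrypt the archive client-side before upload.
    remote_copy = remote_dest / archive.name
    shutil.copy2(archive, remote_copy)
    return {"archive": archive, "remote": remote_copy, "sha256": digest}


def verify_backup(archive: Path, expected_sha256: str, expected_hashes: dict) -> bool:
    """Integrity check plus a real test restore into a scratch directory.

    A backup that has never been restored is an assumption, not a backup.
    """
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected_sha256:
        return False  # bit rot, truncation or tampering of the archive itself
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse archives containing absolute paths or '..' (tar path traversal).
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return False
            tar.extractall(scratch)
        return file_hashes(Path(scratch)) == expected_hashes


def demo() -> dict:
    """Run the whole cycle on constructed sample data (assumption: two small files)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "company-data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("customer,amount\nacme,1200\n")
        (src / "notes.txt").write_text("board meeting notes\n")
        expected = file_hashes(src)

        info = create_backup(src, base / "local-backup", base / "remote-bucket", "daily")
        ok_local = verify_backup(info["archive"], info["sha256"], expected)
        ok_remote = verify_backup(info["remote"], info["sha256"], expected)

        # Simulate silent corruption of the local copy: verification must now fail.
        data = info["archive"].read_bytes()
        info["archive"].write_bytes(b"\x00" + data[1:])
        ok_corrupted = verify_backup(info["archive"], info["sha256"], expected)
        return {"local": ok_local, "remote": ok_remote, "corrupted_local": ok_corrupted}


if __name__ == "__main__":
    print(demo())
```

The point of `verify_backup` is that it does not stop at comparing a checksum: it extracts the archive into a scratch directory and compares every restored file against the digests recorded at backup time, which is the only check that proves the data can actually be recovered. Scheduling `demo()`-style runs against real backups (for example weekly) is what "checking the status of the backup" should mean in practice.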
Password management
Password management is one of the most sensitive aspects of corporate data security: passwords are an extremely valuable security measure, but only if proper precautions are taken.
First of all, choose sufficiently long passwords (length matters more than forced mixtures of symbols), avoiding short and “trivial” ones (for example, passwords built on the personal data of the person setting them, such as first and last name or date of birth, are “trivial”). It is also crucial not to reuse the same password across different devices and services; a password manager makes this practical, and multi-factor authentication should be enabled wherever it is available.
Finally, company passwords (or at least the most important ones) should be changed whenever there is any suspicion that they have been exposed, for instance after a breach at a supplier or a phishing incident. One clarification on the old advice to change passwords every few months: NIST SP 800-63B now recommends against forced periodic rotation, because it pushes people toward predictable variations of the old password. If your policy still requires it, the change notification can at least be scheduled automatically.
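The password rules above (no short or "trivial" passwords, nothing built on the user's own name or date of birth, no reuse across systems) as an added example in the spirit of NIST SP 800-63B; this is not code from the original article. The user "Anna Rossi" at "Acme", the small common-password list and the per-system PBKDF2 verifier are all constructed assumptions; in production the denylist would be a breached-password corpus and the verifiers would be the real systems' own credential checks.

```python
"""Password acceptance checks in the spirit of NIST SP 800-63B (added example)."""
import hashlib
import hmac
import unicodedata
from datetime import date

MIN_LENGTH = 12
# Constructed stand-in for a breached/common password corpus (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "startup2024"}
BIRTH_FORMATS = ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")


def _normalize(text: str) -> str:
    """Unicode-normalize and case-fold so 'Rossi' and 'ROSSI' are treated alike."""
    return unicodedata.normalize("NFKC", text).casefold()


def personal_tokens(first: str, last: str, birth: date, company: str) -> list:
    """Strings derived from the user's own data that must not appear in the password."""
    tokens = {first, last, company, first + last, last + first}
    tokens |= {birth.strftime(fmt) for fmt in BIRTH_FORMATS}
    return sorted(_normalize(t) for t in tokens if len(t) >= 3)


def make_verifier(password_in_use: str, salt: bytes):
    """Per-system salted PBKDF2 hash standing in for that system's credential store.

    Assumption: real systems expose only "does this candidate match?" and never the
    plaintext, which is all that is needed to detect reuse without collecting passwords.
    """
    stored = hashlib.pbkdf2_hmac("sha256", password_in_use.encode(), salt, 50_000)

    def verify(candidate: str) -> bool:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 50_000)
        return hmac.compare_digest(stored, probe)

    return verify


def check_password(password: str, first: str, last: str, birth: date,
                   company: str, in_use: dict) -> list:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    norm = _normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    for token in personal_tokens(first, last, birth, company):
        if token in norm:
            problems.append(f"contains personal data ({token!r})")
    for system, verify in in_use.items():
        if verify(password):
            problems.append(f"already used for {system}")
    return problems


def demo() -> dict:
    """Constructed user 'Anna Rossi' at 'Acme' with one existing VPN password (assumption)."""
    birth = date(1990, 4, 12)
    in_use = {"vpn": make_verifier("correct-horse-battery-staple", b"vpn-salt")}
    candidates = ["AnnaRossi1990", "Welcome1",
                  "correct-horse-battery-staple", "glass-otter-lantern-74"]
    return {c: check_password(c, "Anna", "Rossi", birth, "Acme", in_use) for c in candidates}


if __name__ == "__main__":
    for candidate, problems in demo().items():
        print(candidate, "->", problems or "accepted")
```

Note what the checker does not do: it never enforces "one digit, one symbol" rules or an expiry date, which is the NIST position; it rejects passwords that are short, already known to attackers, derived from the user's identity, or already in use elsewhere, and accepts a long passphrase such as the last candidate.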
Roles of privilege for each employee
Earlier we mentioned the “most important” passwords; as you are well aware, some operations within a company are more sensitive than others, which is why an additional measure is needed to safeguard company data: assign precise duties and responsibilities to each employee, and reserve privileged roles for the few who actually need them (the principle of least privilege). Review those roles regularly, and remove access promptly when someone changes role or leaves the company.
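The two points made earlier, knowing which data the company holds and who can access it, and reserving privileged roles for a few, as one added example; it is not code from the original article. The inventory, roles and users are constructed for a fictional startup (assumption), and access is denied unless a role explicitly grants it:

```python
"""Data inventory, deny-by-default role access, and a 'who can reach what' report (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str  # "public", "internal" or "confidential"
    owner: str           # the team accountable for it


# Constructed inventory for a small startup (assumption); a real one comes from a data map.
INVENTORY = {
    d.name: d for d in (
        Dataset("website-copy", "public", "marketing"),
        Dataset("source-code", "internal", "engineering"),
        Dataset("customer-crm", "confidential", "sales"),
        Dataset("payroll", "confidential", "finance"),
    )
}

# Role -> dataset -> allowed actions. Anything not listed here is denied.
ROLE_GRANTS = {
    "staff": {"website-copy": {"read"}},
    "engineer": {"source-code": {"read", "write"}},
    "sales": {"customer-crm": {"read", "write"}},
    "finance-admin": {"payroll": {"read", "write", "export"}, "customer-crm": {"read"}},
}

# User -> roles held. Constructed users (assumption).
USER_ROLES = {
    "anna": {"staff", "finance-admin"},
    "bob": {"staff", "engineer"},
    "carla": {"staff", "sales"},
    "dave": {"staff"},  # contractor with no privileged role
}


def authorize(user: str, dataset: str, action: str) -> bool:
    """Allow only if some role held by the user explicitly grants the action on the dataset."""
    if dataset not in INVENTORY:
        return False  # data that is not in the inventory is not silently accessible
    return any(
        action in ROLE_GRANTS.get(role, {}).get(dataset, set())
        for role in USER_ROLES.get(user, set())
    )


def access_report() -> dict:
    """For every dataset, the users who can perform any action on it."""
    return {
        name: sorted(
            user for user, roles in USER_ROLES.items()
            if any(name in ROLE_GRANTS.get(role, {}) for role in roles)
        )
        for name in INVENTORY
    }


def privileged_users() -> dict:
    """Users able to reach confidential data: the list to keep short and review regularly."""
    return {name: users for name, users in access_report().items()
            if INVENTORY[name].classification == "confidential"}


def can_export_confidential() -> list:
    """Users able to bulk-export any confidential dataset, the highest-risk capability."""
    return sorted({
        user for user in USER_ROLES
        for name, d in INVENTORY.items()
        if d.classification == "confidential" and authorize(user, name, "export")
    })


if __name__ == "__main__":
    print("who can reach what:", access_report())
    print("privileged users:", privileged_users())
    print("can export confidential data:", can_export_confidential())
```

The report functions are the part worth running on a schedule: `privileged_users()` answers the question in the first cornerstone ("who within the company has access to that information"), and `can_export_confidential()` is the list that should shrink, not grow, as the startup hires.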
Protect LAN and wireless networks
To minimize the risk of external attacks, you need to protect your corporate networks and your entire IT infrastructure properly. Bear in mind that wireless networks are the easiest for an attacker to reach, since no physical access to the building is needed, and they therefore require special care when being configured: use WPA2 or WPA3 with a strong passphrase, keep guest and personal devices on a separate network from company systems, and change the default administrator credentials of the access points.
Arming Yourself with Effective Firewalls and Antivirus
There is one last (but certainly not least) useful expedient to ensure an adequate level of security: you must equip yourself with effective firewalls and antivirus software.
Do you know the difference between these two solutions? The former filter traffic between an internal network (the LAN, local area network, such as the internal network formed by a company’s computers) and the external network (essentially the Internet as a whole), allowing only the connections that are expected and blocking the rest. Antivirus software, on the other hand, acts at the machine level (a PC or server), blocking malware before it runs and removing malicious programs that have already infected the system.
Theft of corporate data by “disloyal” employees
Training employees in data security is not enough: you must also check that none of them, perhaps because they are dissatisfied with their role in the company, deliberately misuses confidential information. Access logs on file servers and business applications are the main tool for this, and they only help if someone actually reviews them.
Do not underestimate this risk: cases of “disloyal” employees misappropriating company data and/or disclosing confidential information to third parties are not uncommon.
Sensitive corporate data: risks of disclosure
The “disloyal” employee misconduct mentioned above can take the form of several actions that can seriously damage the company. The most common are listed below:
- deletion (or modification) of business data;
- disclosure (with and without a profit motive) of confidential company data for the purpose of harming the company;
- selling data or information to competing companies in exchange for money;
- violation of non-competition agreements;
- use of the misappropriated data for personal and profit-making purposes;
- extortion and blackmail against the rightful owners of the data.
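A way to turn the list above into something a startup can actually check, as an added example that is not part of the original article: detection logic run over a few constructed audit-log lines (assumption: each line is "timestamp user action path classification", the shape a file server, DLP or SaaS export would be normalised to). It flags the behaviours the list describes, namely bulk export of confidential files, exports outside working hours, copies to removable media, and deletion of confidential data. The thresholds and working hours are assumptions to tune per company.

```python
"""Flag suspicious handling of confidential data in constructed audit logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample lines (assumption): "<ISO timestamp> <user> <action> <path> <classification>".
LOG_LINES = """\
2024-03-04T09:12:31 anna READ /crm/contacts.csv confidential
2024-03-04T09:15:02 anna READ /crm/pipeline.xlsx confidential
2024-03-04T10:01:44 bob READ /eng/readme.md internal
2024-03-04T22:47:10 carla DOWNLOAD /crm/contacts.csv confidential
2024-03-04T22:48:03 carla DOWNLOAD /crm/pipeline.xlsx confidential
2024-03-04T22:49:41 carla DOWNLOAD /finance/pricing.xlsx confidential
2024-03-04T22:51:12 carla DOWNLOAD /finance/customers-2023.csv confidential
2024-03-04T22:52:55 carla USB_COPY /finance/customers-2023.csv confidential
2024-03-04T22:53:30 carla DELETE /finance/customers-2023.csv confidential
2024-03-05T14:30:00 bob DELETE /eng/design-draft.md internal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
EXFIL_ACTIONS = {"DOWNLOAD", "USB_COPY", "EMAIL_ATTACH"}
DESTRUCTIVE_ACTIONS = {"DELETE", "OVERWRITE"}
BULK_THRESHOLD = 3                              # confidential exports by one user (assumption)
WORK_START, WORK_END = time(7, 0), time(20, 0)  # normal working hours (assumption)


def parse(lines: str):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m[1]), "user": m[2],
                   "action": m[3], "path": m[4], "cls": m[5]}


def detect(lines: str) -> dict:
    """Return alerts per user: bulk export, out-of-hours export, removable media, deletion."""
    alerts = defaultdict(list)
    exports = Counter()
    for ev in parse(lines):
        if ev["cls"] != "confidential":
            continue  # reading public or internal material is normal work
        user = ev["user"]
        if ev["action"] in EXFIL_ACTIONS:
            exports[user] += 1
            if not WORK_START <= ev["ts"].time() <= WORK_END:
                alerts[user].append(f"out-of-hours {ev['action']} of {ev['path']}")
            if ev["action"] == "USB_COPY":
                alerts[user].append(f"copy to removable media: {ev['path']}")
        elif ev["action"] in DESTRUCTIVE_ACTIONS:
            alerts[user].append(f"{ev['action']} of confidential file {ev['path']}")
    for user, count in exports.items():
        if count >= BULK_THRESHOLD:
            alerts[user].append(f"bulk export: {count} confidential files")
    return dict(alerts)


if __name__ == "__main__":
    for user, findings in detect(LOG_LINES).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

In the sample, anna's daytime reads of CRM files produce nothing, because reading the data one is entitled to is the job; carla's late-evening run of downloads, a USB copy and a deletion of the same customer file is exactly the pattern behind items one, three and five of the list above and is the kind of event that should reach whoever is responsible for data security within hours, not at the next audit.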
GDPR and corporate data: what the regulations require
The GDPR (General Data Protection Regulation) entered into force on May 24, 2016 and has applied since May 25, 2018. It introduced major changes to privacy rules, with significant repercussions on how companies process personal data.
Two of the main changes introduced by the GDPR, in this regard, are:
- any party requesting the use of personal data is obliged to specify for what purpose and for how long it will be used;
- you can request, under certain conditions, that your personal data be deleted.
Regarding corporate data security, it is important to be clear about the distinction between personal data about individuals and data about companies: as you can read on the European Commission’s website, “the rules apply only to personal data about individuals; they do not regulate data about companies or other legal entities.”
However, you should know that “information about sole proprietorships may constitute personal data in the event that it allows for the identification of a natural person,” and that “the rules also apply to all personal data about natural persons in the course of a business activity, such as employees of a company or organization, business e-mail addresses such as ‘firstname.lastname@company’ or business phone numbers of employees.”
Keep all of this in mind for your startup because disclosing certain data could expose you to steep fines.