Keeping Data Safe

Almost every company today holds considerable quantities of sensitive information about its customers. As a result, it has become critical to have proper controls in place that protect customer data and company information. Even a small data breach can do lasting damage to a company's reputation and can lead to lawsuits or regulatory fines.

Companies involved in credit and collections face a wide range of data security risks. While the term "identity theft" has become synonymous with computer hackers, the truth is that vulnerabilities within your own operations frequently lead to accidental privacy violations, which can be equally damaging. The risk of data loss over the internet is obvious, but the risks involved when people take work home on laptops, portable USB devices, or consumer file-sharing services such as Dropbox are easily overlooked. In this regard, important considerations include whether you have a system (and a written policy) that ensures employees shred all sensitive paper documents, and whether access to sensitive data is limited to those who need it.

Here are some questions to consider when determining how well your company is identifying and tackling the risks of data loss:
  • Are the appropriate resources readily available to do an effective assessment of risk and install more effective controls if necessary?
  • Is redundant customer data disposed of securely?
  • How is all customer data stored in electronic databases?
  • Are the proper controls in place to limit access to customer data and prevent it from being misused, lost or stolen?
How the questions are answered may make it immediately clear what the next steps are in order to provide the greatest security for your customers' data. Implementing the following framework will be a strong start in mitigating the potential risks:

Centralizing data storage. Your customers' sensitive data should be stored in a central database that is monitored and protected. Customer payment information such as credit card numbers should be encrypted at rest, with the encryption keys held separately from the database, on a system that is not reachable from the internet; it should never be saved on individual workstations, laptops or removable devices.
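As an added illustration of what "encrypted at rest, keys held separately" looks like in practice (example code written for this page, not Datamatx's or CFA's own), the following Go program seals a card number with AES-256-GCM before it is handed to the central database. The customer ID is bound into the ciphertext as associated data, so a record copied onto another customer's row will not decrypt, and only the last four digits are kept in the clear for staff screens. The key is generated in memory for the demonstration; in production it would come from a key management service or HSM, never from the same database. The customer IDs and card number are constructed sample values (4111111111111111 is a well-known test number).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// CardRecord is what the central database stores: never the plaintext PAN.
type CardRecord struct {
	CustomerID string // owner of the card; also bound into the ciphertext
	Last4      string // the only digits kept in the clear, for display
	Nonce      []byte // fresh random GCM nonce per record
	Ciphertext []byte // AES-GCM output, includes the authentication tag
}

var panPattern = regexp.MustCompile(`^[0-9]{13,19}$`)

// luhnValid checks the PAN check digit so obviously bad input is rejected before storage.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN for storage. The customer ID is passed as associated
// data, so the ciphertext is tied to that customer's row.
func EncryptPAN(key []byte, customerID, pan string) (CardRecord, error) {
	if !panPattern.MatchString(pan) || !luhnValid(pan) {
		return CardRecord{}, errors.New("invalid PAN")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(customerID))
	return CardRecord{CustomerID: customerID, Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN recovers the PAN; it fails if the key is wrong, the record was
// tampered with, or the ciphertext was moved to a different customer.
func DecryptPAN(key []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.CustomerID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered record or mismatched customer")
	}
	return string(pt), nil
}

// Masked is the only form that should ever appear on staff screens or in logs.
func (r CardRecord) Masked() string { return "************" + r.Last4 }

func main() {
	key := make([]byte, 32) // demo only: a real key lives in a KMS/HSM, not beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(key, "cust-1001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.Masked(), hex.EncodeToString(rec.Ciphertext))
	pan, err := DecryptPAN(key, rec)
	fmt.Println("recovered:", pan, err)
	rec.CustomerID = "cust-2002" // simulate the ciphertext being copied to another row
	_, err = DecryptPAN(key, rec)
	fmt.Println("after moving to another customer:", err)
}
```

Binding the customer ID as associated data is what makes the stored blob useless outside its own row; without it, an insider with database access could swap ciphertexts between accounts without ever touching the key.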

Implementing multiple layers of security. To keep unwanted intrusions out of your network, one layer of security is simply not enough. Hardware firewalls in multiple tiers, anti-virus and anti-malware software, and TLS-encrypted (formerly called SSL) internet connections are just a few of the lines of defense that can safeguard your customers and your institution from harm.

Limit access to your server room. Entrance to the server room should be off limits to all staff other than the IT department. Cipher-locked keypads or security codes are one way to restrict access to those who have been granted permission. When an employee with access to the server room leaves the company, that person's key card should be deactivated immediately and any shared security codes changed and reissued.

Prepare for disaster. If a data breach happens, the last thing you want is to be caught unprepared. Set out a dedicated incident response and disaster recovery plan for the handling of sensitive customer data, together with a clear communication plan, both internally to employees and externally to your customers. Be sure to thoroughly investigate the source and root cause of the breach and identify the controls that need to be implemented to prevent a repeat incident.

Eliminate obsolete data safely. Any data that is redundant or obsolete should be promptly removed from the central database and destroyed securely and permanently. Simply deleting a file or record leaves the underlying data recoverable; as a best practice, the storage should be overwritten (or, for solid-state drives and encrypted volumes, the encryption key destroyed) so that no data remains intact, and retired media should be physically destroyed.

Source - Harry Stephens President/CEO, Datamatx

Note: CFA does not represent or warrant that the information accessible via this blog or links from this blog is accurate, complete or current. This blog is for information purposes only. CFA will not be liable for any damages of any kind arising from the use of this blog or website, including but not limited to direct, indirect, incidental, punitive and consequential damages.