The Essentials of Protecting Sensitive Customer Data

Data security is an increasingly important topic to management, executives and investors. In the wake of high-profile data breaches such as the one at Target Corporation, publicly held companies are becoming more concerned about the development, maintenance and effectiveness of data protection policies and procedures.

A data breach can not only damage a company's reputation, but can also drive customers away and oftentimes result in damaging litigation. The reality is that as corporations implement protective measures, a seemingly endless stream of new theft methods is developed. To help companies address this threat, the SEC hosted a Cybersecurity Roundtable in March to gather information on emerging threats and to discuss best practices for regulatory bodies to consider if they should develop future cybersecurity regulations.

The roundtable participants consisted of C-level executives from global SEC-registered companies in dozens of industries including banking, electronic brokerages, financial firms and many others. The insights they provided were essential to understanding attack methods, developing a risk-based approach, and recognizing the importance of employee education for increasing organization-wide awareness and maintaining security.

Data Protection Essentials

While there was a significant amount of cybersecurity information shared specific to certain industries, there was some broad advice that can be beneficial to most companies, including:

Cybersecurity Planning – Although the IT department may lead the charge with cybersecurity, the reality is that the planning process requires the input of multiple departments. When planning or reviewing your cybersecurity policy it’s essential to involve department heads from all areas of the company, including risk management, compliance, human resources and others, to ensure there is a companywide understanding of data usage, risk exposure and solution implementation. Cybersecurity is a companywide responsibility.

Create a Data Breach Plan – One of the most important things a company can do is develop a plan for what to do if a breach occurs. Develop a plan of action for how employees should react in a data breach situation and be sure to provide guidance for various scenarios. Some companies conduct “dry runs” to evaluate how effectively their plan and systems perform. This is essential because a plan is only as effective as the people who follow it. Be sure to test it and see where there is room for improvement. A constantly evolving plan will be most effective if a real breach should occur.

Regularly Update Protection – Just because an application provides protection from attacks today doesn’t mean it’s going to be effective tomorrow. The world of cybercrime evolves at an amazing rate. Therefore, it’s important to keep updating your data protection systems to ensure you have done everything you can to protect critical data.

Additional Protection for Sensitive Data – Create additional security measures around sensitive personal and financial data. Not only does this help protect the data from external attempts to steal it, but it also provides assurances against employee error. Oftentimes employees accidentally expose sensitive data by copying it to their workstations and saving it to their local folders. Implementing additional layers of security can prevent well-meaning employees from accessing information they don’t need to view.

Be Alert – Some companies take the approach that they will not be attacked. Unfortunately, it’s this type of attitude that reduces an organization’s ability to quickly and effectively address a data breach because they don’t believe it will happen to them. If management is not thinking proactively about data security, then the chances of a breach are significantly increased.
