What’s the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it’s stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.
Physical Security
Many data compromises happen the old-fashioned way—through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.
- Store paper documents or files, as well as thumb drives and backups containing personally identifiable information in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.
- Require that files containing personally identifiable information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
- Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
- Implement appropriate access controls for your building. Tell employees what to do and whom to call if they see an unfamiliar person on the premises.
- If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know if and when someone accesses the storage site.
- If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow you to track the delivery of your information.
- If you have devices that collect sensitive information, like PIN pads, secure them so that identity thieves can’t tamper with them. Also, inventory those items to ensure that they have not been switched.
Electronic Security
Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field.
General Network Security
- Identify the computers or servers where sensitive personal information is stored.
- Identify all connections to the computers where you store sensitive information. These may include the internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners.
- Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments may range from having a knowledgeable employee run off-the-shelf security software to having an independent professional conduct a full-scale security audit.
- Don’t store sensitive consumer data on any computer with an internet connection unless it’s essential for conducting your business.
- Encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.
- Regularly run up-to-date anti-malware programs on individual computers and on servers on your network.
- Check expert websites (such as www.us-cert.gov) and your software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems.
- Restrict employees’ ability to download unauthorized software. Software downloaded to devices that connect to your network (computers, smartphones, and tablets) could be used to distribute malware.
- Scan computers on your network to identify and profile the operating system and open network services. If you find services that you
don’t need, disable them to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
- When you receive or transmit credit card information or other sensitive financial data, use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit.
- Pay particular attention to the security of your web applications—the software used to give information to visitors to your website and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks. In one variation called an “injection attack,” a hacker inserts malicious commands into what looks like a legitimate request for information. Once in your system, hackers transfer sensitive information from your network to their computers. Relatively simple defenses against these attacks are available from a variety of
Authentication
- Control access to sensitive information by requiring that employees use “strong” passwords. Tech security experts say the longer the password, the better. Because simple passwords—like common dictionary words—can be guessed easily, insist that employees choose passwords with a mix of letters, numbers, and characters. Require an employee’s username and password to be different. Require password changes when appropriate, for example following a breach.
- Consider using multi-factor authentication, such as requiring the use of a password and a code sent by different methods.
- Explain to employees why it’s against company policy to share their passwords or post them near their workstations.
- Use password-activated screen savers to lock employee computers after a period of inactivity.
- Lock out users who don’t enter the correct password within a designated number of log-on attempts.
- Warn employees about possible calls from identity thieves attempting to deceive them into giving out their passwords by impersonating members of your IT staff. Let employees know that calls like this are always fraudulent, and that no one should be asking them to reveal their passwords.
- When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
- Caution employees against transmitting sensitive personally identifying data—Social Security numbers, passwords, account information—via email. Unencrypted email is not a secure way to transmit information.
Laptop Security
- Restrict the use of laptops to those employees who need them to perform their jobs.
- Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a “wiping” program that overwrites data on the laptop. Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Wiping programs are available at most office supply stores.
- Require employees to store laptops in a secure place. Even when laptops are in use, consider using cords and locks to secure laptops to employees’ desks.
- Consider allowing laptop users only to access sensitive information, but not to store the information on their laptops. Under this approach, the information is stored on a secure central computer and the laptops function as terminals that display information from the central computer, but do not store it. The information could be further protected by requiring the use of a token, “smart card,” thumb print, or other biometric—as well as a password—to access the central computer.
- If a laptop contains sensitive data, encrypt it and configure it so users can’t download any software or change the security settings without approval from your IT specialists. Consider adding an “auto-destroy” function so that data on a computer that is reported stolen will be destroyed when the thief uses it to try to get on the internet.
- Train employees to be mindful of security when they’re on the road. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If someone must leave a laptop in a car, it should be locked in a trunk. Everyone who goes through airport security should keep an eye on their laptop as it goes on the belt.
Firewalls
- Use a firewall to protect your computer from hacker attacks while it is connected to a network, especially the internet. A firewall is software or hardware designed to block hackers from accessing your computer. A properly configured firewall makes it tougher for hackers to locate your computer and get into your programs and files.
- Determine whether you should install a “border” firewall where your network connects to the internet. A border firewall separates your network from the internet and may prevent an attacker from gaining access to a computer on the network where you store sensitive information. Set “access controls”—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, review them periodically.
- If some computers on your network store sensitive information while others do not, consider using additional firewalls to protect the computers with sensitive information.
Wireless and Remote Access
- Determine if you use wireless devices like smartphones, tablets, or inventory scanners or cell phones to connect to your computer network or to transmit sensitive information.
- If you do, consider limiting who can use a wireless connection to access your computer network. You can make it harder for an intruder to access the network by limiting the wireless devices that can connect to your network.
- Encrypt the information you send over your wireless network, so that nearby attackers can’t eavesdrop on these communications. Look for a wireless router that has Wi-Fi Protected Access 2 (WPA2) capability and devices that support WPA2.
- Use encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update software you use to process credit card purchases. Consider implementing multi-factor authentication for access to your network.
Digital Copiers
Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extraction once the drive has been removed.
Here are some tips about safeguards for sensitive data stored on the hard drives of digital copiers:
- Get your IT staff involved when you’re thinking about getting a copier. Employees responsible for securing your computers also should be responsible for securing data on digital copiers.
- When you’re buying or leasing a copier, consider data security features offered, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting. Encryption scrambles the data on the hard drive so it can be read only by particular software. Overwriting—also known as file wiping or shredding—replaces the existing data with random characters, making it harder for someone to reconstruct a file.
- Once you choose a copier, take advantage of all its security features. You may be able to set the number of times data is overwritten—generally, the more times the data is overwritten, the safer it is from being retrieved. In addition, make it an office practice to securely overwrite the entire hard drive at least once a month.
- When you return or dispose of a copier, find out whether you can have the hard drive removed and destroyed, or overwrite the data on the hard drive. Have a skilled technician remove the hard drive to avoid the risk of breaking the machine.
Detecting Breaches
- To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking.
- Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.
- Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.
- Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. If large amounts of information are being transmitted from your network, investigate to make sure the transmission is authorized.
- Have in place and implement a breach response plan.
Your data security plan may look great on paper, but it’s only as strong as the employees who implement it. Take time to explain the rules to your staff, and train them to spot security vulnerabilities. Periodic training emphasizes the importance you place on meaningful data security practices. A well-trained workforce is the best defense against identity theft and data breaches.
- Check references or do background checks before hiring employees who will have access to sensitive data.
- Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential.
- Know which employees have access to consumers’ sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.”
- Have a procedure in place for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate their passwords and collect keys and identification cards as part of the check-out routine.
- Create a “culture of security” by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don’t attend, consider blocking their access to the network.
- Train employees to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Visit ftc.gov/startwithsecurity to show them videos on vulnerabilities that could affect your company, along with practical guidance on how to reduce data security risks.
- Tell employees about your company policies regarding keeping information secure and confidential. Post reminders in areas where sensitive information is used or stored, as well as where employees congregate. Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location.
- Teach employees about the dangers of spear phishing—emails containing information that makes the emails look legitimate. These emails may appear to come from someone within your company, generally someone in a position of authority. Make it office policy to independently verify any emails requesting sensitive information. When verifying, do not reply to the email and do not use links, phone numbers, or websites contained in the email.
- Warn employees about phone phishing. Train them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for customer or employee contact information. Make it office policy to double-check by contacting the company using a phone number you know is genuine.
- Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop.
- Impose disciplinary measures for security policy violations.
- For computer security tips, tutorials, and quizzes for everyone on your staff, visit www.ftc.gov/OnGuardOnline.
Security Practices of Contractors and Service Providers
Your company’s security practices depend on the people who implement them, including contractors and service providers.
- Before you outsource any of your business functions— payroll, web hosting, customer call center operations, data processing, or the like—investigate the company’s data security practices and compare their standards to yours. If possible, visit their facilities.
- Put your security expectations in writing in contracts with service providers. Then, don’t just take their word for it — verify compliance.
- Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.
4. PITCH IT. PROPERLY DISPOSE OF WHAT YOU NO LONGER NEED.