PRIVACY, SECURITY & ID THEFT PREVENTION
- TIPS FOR THE VIGILANT BUSINESS -
SMALL BUSINESS &
ECONOMIC DEVELOPMENT FORUM
October 21, 2014
-WITH THANKS TO THE W. KY. BBB-
TAKING STOCK
• Inventory all computers, laptops, flash drives, disks, home computers,
and other equipment to find out where your company stores sensitive data.
• Also inventory the information you have, by type and location.
TAKING STOCK
• Who sends sensitive personal information to your business.
• How your business receives personal information.
• What kind of information you collect.
• Where you keep the information you collect.
 - Is it in a central computer database?
SCALE DOWN
• If you don’t have a legitimate business need for sensitive personally identifying information: Don’t keep it - Don’t even collect it.
• If you have a legitimate business need for the information: Keep it only as long as necessary.
SCALE DOWN
• If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify:
 – What information must be kept
 – How to secure it
 – How long to keep it
 – How to dispose of it securely when you no longer require it.
SECURITY CHECK
• If you encrypt your customers’ financial data on your web site, DO NOT then decrypt it and email it over the Internet to a branch office in regular text.
• Regular email is NOT a secure method for sending sensitive data.
• Encrypt any transmission that contains information to be shielded from fraudsters or ID thieves.
LOCK IT
Effective data security plans cover four key elements:
1. Physical security
2. Electronic security
3. Employee training
4. Security practices of 3rd parties
PHYSICAL SECURITY
• Data compromise can still happen the old-fashioned way: Lost or stolen paper documents.
• Often the best defense is a locked door or an alert employee.
• Store paper documents, flash drives, and backups containing personally identifiable information in a locked room/file cabinet.
• Limit access only to employees with a legitimate business need.
GENERAL NETWORK SECURITY
• You may not even have IT Staff, but your responsibility remains.
• Assess potential vulnerabilities of your system/database and follow advice of legitimate experts.
• Identify all connections to computers/servers maintaining sensitive/personal information (e.g., Internet, computers at branch offices & wireless devices/smartphones/tablets).
• Limit the number of users and wireless devices that can access your network.
• Cost-effective options for enhanced protection: Firewalls; Filters; Anti-Virus software; Anti-Spyware; Junk Blockers
LAPTOP SECURITY
• Restrict use of laptops to staff requiring them to perform their jobs.
• Assess whether sensitive information needs to be stored on a laptop. If not, delete it with a “wiping” program that overwrites data on the laptop.
• Beware of the risks of WiFi.
EMPLOYEE TRAINING
• RISKS ARE ALL AROUND US: Malware – Scareware - Phishing - Social Networking - Viruses - Keystroke Counters [Don’t invite them in]
• A data security plan may cover all bases on paper, but it’s only as strong as the employees who implement it.
• Continual employee training re: newly arising risks and vulnerabilities is key - Create a “culture of security”
PASSWORD MANAGEMENT
• Control access to sensitive information: Employ complex passwords through mixing letters, numbers, and characters.
• Require an employee’s user name and password to be different and mandate regular password updates.
• Passwords should NOT be shared.
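The three password rules on this slide (complexity, user name different from password, regular updates) can be turned into a check that runs before a new password is accepted. The following is an added example written for this page, not a tool from the forum or the BBB; the minimum length of 12 and the 90-day maximum age are assumptions chosen for the example, not figures from the slides.

```python
import re
from datetime import date

# Thresholds are assumptions for this example; the slides do not specify numbers.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def check_password(password: str, username: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    Implements the slide's rules: mixed letters, numbers and symbols, and a
    password that is not the same as (or built around) the user name.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # User name and password must differ; also reject a password that merely wraps the user name.
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def password_is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the mandated update interval."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("Tr0ub4dor&3xyz!", "alice"), ("Password1234", "bob"), ("Alice!Secure2024", "alice")]:
        print(pw, "->", check_password(pw, user) or "OK")
    print("expired:", password_is_expired(date(2014, 7, 1), date(2014, 10, 21)))
```

A check like this is best combined with a screen against lists of known-compromised or very common passwords, since a password can satisfy every character-class rule and still be one attackers try first.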
CONTRACTORS & THIRD PARTIES
• Your business’ security practices are affected by all those who implement them, including contractors and service providers.
• Before outsourcing any of your business functions, investigate the vendor’s data security practices and compare their standards to your own.
WHAT IS “PROPER” DISPOSAL?
• Reasonable and appropriate practices to prevent the unauthorized access to – or use of – personally identifiable information.
• “Reasonable” = Based on data sensitivity, costs and benefits of disposal options & technology changes
• Shred/pulverize sensitive papers so they cannot be read or reconstructed
• Destroy/erase sensitive electronic files/media so they cannot be read or reconstructed
• Old computers/portable storage devices: Consider wipe utility programs - designed to overwrite the hard drive to prevent files from being recovered.
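The “wipe utility” idea from this slide and the LAPTOP SECURITY slide is simply: overwrite the data before deleting it, because a plain delete only removes the directory entry and leaves the bytes on disk. The following is an added illustration written for this page, not a tool recommended by the forum; the three-pass count and the sample file contents are constructed for the example.

```python
import os
import secrets
import tempfile


def wipe_file(path: str, passes: int = 3, chunk_size: int = 1 << 16) -> int:
    """Overwrite a file in place with random bytes, flush to disk, truncate it, then delete it.

    Returns the number of bytes overwritten on each pass. The pass count is an
    assumption for the example; one full overwrite is what defeats ordinary
    file-recovery tools on a magnetic disk.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the overwrite reaches the device, not just the cache
        fh.truncate(0)
    os.remove(path)
    return size


def wipe_demo() -> tuple[int, bool]:
    """Create a constructed sensitive-looking file, wipe it, and report (bytes overwritten, still exists)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        # Constructed sample record, not a real identifier.
        os.write(fd, b"SSN 123-45-6789\n" * 100)
    finally:
        os.close(fd)
    overwritten = wipe_file(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(wipe_demo())
```

One caveat a practitioner needs: in-place overwriting is reliable on a traditional spinning disk, but SSDs, flash drives and copy-on-write or journaling filesystems may write the new bytes to a different physical location and leave the originals recoverable. For those devices, the manufacturer’s secure-erase command or whole-device encryption with destruction of the key is the dependable route, and physical destruction remains the fallback the slide already mentions.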
PLAN AHEAD
• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
• Promptly assess the degree of compromise.
• Consider whom to immediately notify in the event of an incident, both inside and outside your organization - e.g., customers, law enforcement, and other businesses that may be affected by the breach.
• States and federal regulatory agencies have laws and guidelines addressing data breaches and requirements with which you must comply.
PLAN AHEAD
• No one-size-fits-all approach to data security - What’s right for you depends on the nature of your business and type of information you collect.
• Some of the most effective basic security measures - personnel training, complex passwords, securing sensitive paperwork, etc. - are of negligible cost.
• Free or low-cost security tools are available at non-profit websites dedicated to data security.
• REMEMBER: It’s more cost-effective in the long run to invest in better data security than to lose the goodwill of customers, defend yourself in legal actions, and face other consequences of a data breach.