As computer usage becomes more and more mobile and hackers become more plentiful, the risk for corporate data to fall into the wrong hands, either through a lost or stolen device or through an online hacking event steadily continues to increase. The idea that only large corporations incur significant data breaches is simply a myth. Even smaller businesses are vulnerable to data theft by a disgruntled employee, an email scam or a misplaced mobile device that was never recovered. In this post, we will outline five factors to consider when creating a comprehensive data security plan.
Companies need to be conservative when assigning data access rights to their employees. Some employees don’t need to see certain types of data at all and others might need view-only access rights. To protect data integrity, only those who need read and write privileges in order to conduct their job duties should be granted those rights. Companies also need to tell their employees not to indiscriminately share private data and passwords between each other, unless they know for certain the other employee has clearance.
A Strong Password Policy
Every IT administrator should enforce the policy of using strong passwords, both for mobile devices and office computers. Strong passwords include both upper and lower case characters, numbers and special characters as well. IT administrators should also force employees to change passwords every 30-90 days, along with preventing staff members from simply alternating between two passwords. Admins also need to instruct employees not to use personal information such as date of birth, names of children or pets, SSN etc. for their own personal protection.
Using Personal Devices
If a company allows their employees to use their own devices for work-related activities, employees need to agree to whatever security measures their employer decides to institute. Company admins need to have a plan in place to add those security measures, monitor them to ensure their usage, and have a plan in place to remove corporate data access from the devices when the employee terminates their position. Employees must also be instructed to immediately report a lost or stolen device to their employer.
IT admins should conduct regular checks to look for idle user accounts and shut them down after a designated period of time. In addition, they should perform regular inventory checks to determine the whereabouts of all devices, both mobile and stationary, that are typically used for work-related activities.
A Thorough Termination Policy
Some employees are involuntarily terminated, whereas in other cases an employee voluntarily leaves their position after giving one or two weeks notice. Either way, companies need to have a proactive plan of action in place before these situations occur. Ideally before firing someone, a thorough accounting of all their data access points should be compiled and shut down before they are escorted from the building. In the case of voluntary termination, it is up to the employer if they want to continue to grant access until the employee’s last day of work.
If you would like to know more about creating an effective data access security plan for your organization, please contact us.