Why you need a data protection policy

It’s easier than ever to share data and files in the workplace. That’s a huge benefit, but it also raises some issues. Here’s how to handle them.

Understanding the value of your data

All data has value, even if it’s not immediately apparent. But some types of data are more valuable than others. We can break this down into two main types:

Your business data. This is valuable because it contains sensitive information that helps you stay competitive. That includes financial or accounting details, client contacts, project information, intellectual property (IP), staff salaries and so on. If it leaks out, you may lose your competitive edge – and maybe more.

Client data. You might be entrusted with sensitive information about your clients. This could include their IP, some of their financial information, expansion plans and other ‘secret’ data. If this leaks out, you may find yourself on the wrong end of a lawsuit, and highly embarrassed too.

Data leaks have seriously damaged many businesses over the years, some of them terminally. Law-enforcement agencies often get involved to pursue criminal prosecutions.

But there are other risks too. Ransomware is increasingly common. This involves company data being encrypted by hackers’ malware, then a ransom being demanded for the decryption key. Many companies pay up rather than lose their valuable data, but it’s a big price to pay for poor data security.

To help prevent all of this happening to your company, it’s important to have an effective data protection policy.

How are your staff sharing files?

Sharing files and collaborating on projects are vital for many businesses’ operations. But there’s a right way and a wrong way to do it. The right way is to have a secure internal system through which your staff can work freely – but which nobody outside the company can access.

According to Delia Gill, Managing Director of Wellington-based solutions provider IT Engine, there are plenty of examples of companies getting it wrong. “One company allowed each staff member to set up their own personal Dropbox account. This worked until a key employee resigned… taking his password with him.”

It’s important to keep control of accounts within the company. That way, when an employee leaves, you’ll still have access to the data.

Using free online storage accounts is unwise anyway, unless they’re properly incorporated into your IT system. They are often unencrypted, which means that anyone can access your data if they know where to look.

Password planning

Passwords are the gatekeepers to all your data. They need to be strong and secure, and also changed regularly.

Managers need to be careful here. They must respect their employees’ autonomy and privacy, but also need to access leavers’ accounts if necessary. A good data protection policy will incorporate this balance.

BYOD – but keep it secure

BYOD (bring your own device) allows employees to use their own laptops, phones and tablets. If done properly this can save costs and boost productivity.

But if done badly it’s a recipe for disaster. Unsecured devices could be hacked or could infect your IT system with malware. So before going down the BYOD route, talk to your IT provider for advice.

Working from home

Flexible working can increase productivity but, like BYOD, it can also increase risk. No sensitive data should be stored on employees’ home devices, and all logins should be through highly secure channels.

Good anti-malware tools are essential, as are regular updates and security patches. In fact it’s often more practical for you to provide secure laptops for your employees than to let them use their own.

Securing mobile devices

At the very least, every work phone must be PIN-secured so that its data can’t be accessed if it’s lost. Restricting the type of apps installed on work phones is also wise, since many apps have been shown to contain spyware or malware.

“Do a spot-check,” says Delia Gill. “Every so often ask for someone’s work phone and check that it’s secure. If not, that’s a serious breach of security, for you and for your clients.”

Mobile devices are particularly vulnerable to hacking, theft and loss. For this reason they must be properly secured at all times.

Educating your staff

One of the most important features of a data protection policy is educational. Many new employees will have no idea about the risks involved when sharing data.

Hacking is now big business, and professional hacking teams will target companies both through conventional hacking methods and by email or even phone call.

By explaining the serious nature of the risks, you can change your staff from targets to protectors, actively looking after your firm’s data.

A policy to keep your business safe

Without a data protection policy your business is flying blind. No policy means no management, no oversight, no real understanding of the risks. So when – not if – problems occur, without a data protection policy you’ll have no plan for dealing with them.

So make sure your employees are aware of the risks and following best practices. Talk to your IT provider about drafting a data protection policy for your company. With their help you can keep your data – and that of your clients – safe and secure.
