Protecting essential information such as intellectual property and customer data is critical for businesses of all sizes. Small businesses deal with many of the same regulatory compliance demands as large enterprises, such as HIPAA, PCI, SOX, and state laws governing the protection of individuals’ personally identifiable information—but with far fewer resources than their big business counterparts. Before beginning a data security strategy, businesses must first decide how important data security is in relation to other IT goals, and define exactly what types of data need to be protected.
First, determine how important data-loss prevention is in comparison to other security concerns by asking the following questions:
1. What regulations involving confidential data must we comply with?
2. Do we know where all copies of confidential data are stored?
3. How is sensitive information being used and shared inside and outside our organization?
4. How do our employees exchange critical data with business partners and customers—and are these channels secure?
5. What would happen to the sales, customers, and reputation of our business if a data breach occurred?
Second, define what data are deemed sensitive. Once data protection is deemed a priority, the second step is to define what exactly constitutes sensitive data for your business. The definition of sensitive data can vary greatly across industries and will not be the same for a local credit union as for a midsize retail chain. Sensitive data can include customer lists, company financial data, trade secrets, intellectual property, marketing plans, credit-card numbers, employees’ social security numbers and more. It’s critical to review all functional areas—including legal, finance, human resources, marketing, sales, and others—to determine what types of data are essential to each area of the business and need to be protected.
Only after businesses have taken these initial steps can they begin to set policies that will protect their sensitive data, yet not impede their business processes. Ultimately every organization, no matter its size, must protect the information that is essential to its business.
David Meizlik Director of Web and Data Security Websense San Diego