How to Keep Your Company’s Data Safe

Whether you call it a cyberattack, a data breach, or getting hacked, this event can be defined as:

• a) an attempt by hackers to damage or destroy a computer network or system, or
• b) unwelcome attempts to steal, expose, disable, or destroy information through unauthorized access to computer systems.

Don’t get too hung up on the terminology, said Jackson. “Even IT people are constantly learning new techniques and terms,” she shared. One key term to know, however, is PII = Personally Identifiable Information. “That’s the essence of data,” she explained, adding that originally, PPI meant social security numbers and birthdates, but the definition has grown. “PPI is any key information about a person or entity that could be used in a negative way.”

‘Security is a process, not a product’

It’s important to remember that security is an ongoing process, not a product, said Jackson, explaining that “the days of just buying antivirus software and calling it a day are long gone.” Security should be combined with the overall running of the business, and it should be on everyone’s to-do list.

As new laws related to cybersecurity emerge, companies are going to be encouraged to hire and/or identify employees to fulfill specific roles and responsibilities, such as security officer and data protection officer. Jackson advises companies not to outsource their security. Internalize the knowledge, the plan, and the process, and then if necessary, you can hire someone outside the company to help support you.

Some of the issues employees or departments tasked with data security may address include:

Security assessment. One of the most important things you can do is to establish a baseline and close existing vulnerabilities. Shockingly, there are many high-level executives at major companies who write their passwords on a sticky note on their desks, said Jackson.

Spam email. Most attacks originate in email. However, every form of communication can have a form of spam—including calls and texts. You must anticipate that and educate your staff.

Passwords. While the most secure password is 24 characters, a minimum of 8 digits is recommended, and 16 digits is better. Help your staff manage their passwords with software, and encourage them to change their passwords frequently. One of the top ways hackers can access a system is through old passwords.

Advanced endpoint detection and response. “This simply means you have a monitoring tool on your equipment, from your phone to your servers,” said Jackson.

Security awareness. Train your users often about data security and your policies and procedures.

The basic security measures that companies should have in place include multi-factor identification, encryption, a firewall, a backup process, and computer updates.

“Updates are crucial,” said Jackson. All of the products and vendors you’re using have a vested interest in their customers not getting attacked, so they are constantly working on security vulnerabilities and updates.

Business security best practices

Among the many practices and tools that Jackson shared, she called out in particular the new regulation from the Department of Defense called the Cybersecurity Maturity Model Certification (CMMC). At some point, companies working with the government will likely be required to be CMMC certified.

Having an emergency management plan is a requirement of the Department of Labor. All companies need to have a plan in place that addresses weather, disaster, or any other security issues you can have beyond IT security. “A fire can be as damaging and as much of a risk to your data as a hacker,” Jackson pointed out.

While these measures may seem overwhelming all at once, think of your security processes and practices in terms of levels. Level 1 might be “basic cyber hygiene” (e.g., getting employees to stop writing their passwords on sticky notes!) and Level 5 could be advanced security measures you might see in a large international organization.

“You’re looking to elevate your company over time to the security maturity level that fits your organization,” Jackson explained.

If you’re a business-to-business company, for example, your social media and internet exposure is not to the general public and so you can have a lower level of security maturity. Doing anything at all will put you ahead of the curve. Shockingly, Jackson said that of the 17.2 million companies in the U.S., the top 5 percent have only Level 1 security maturity.

How to get started: plan, record, and protect

What should companies do first? It starts with identifying what your assets are and where they are located. “The most important aspect of security is to take time when you’re not in the middle of an emergency or attack to actually take inventory,” said Jackson.

Plan. List all the tools that are storing your company’s data. This includes all software and vendors, plus everything from Outlook all the way up to a major accounting system. Consider creating a Plan of Actions & Milestones (POA&M), a document that identifies and plans tasks as well as the resources required to accomplish them.

Record. Identify and record each detail of each asset, and create digital backup records.

Protect. The 3-2-1 Backup Rule is an easy-to-remember acronym for a common approach to keeping your data safe: keep at least 3 copies of your data and store 2 backup copies on
different storage media, with 1 of them located offsite.

Jackson urges businesses to prioritize their data security for their own and their customers’ peace of mind. “You can put a plan in place, have defined goals, and feel confident that you’ve done everything you can and have achieved the security maturity level that will work for your organization.”

Don’t forget about the user experience

While you may think cybersecurity only involves protecting your internal data and systems, keep in mind that it involves your users and overall business, too. After all, your users need to trust that they can safely visit your site and share data and information with you. They need to know that what they share will not be compromised, and that you will do your due diligence to keep your data and systems secure.

Consider, for example, the massive data breach that happened to the Utah Food Bank, a nonprofit in Salt Lake City. Hackers walked away with the personal and financial information of more than 10,000 donors. As a result, the Utah Food Bank had to do what many states require businesses and organizations to do in the event of a data breach: pay for a full year of credit monitoring and identification restoration services to the donors whose data was stolen. In addition to this unplanned major expense, they suffered the inevitable mistrust among donors that happens after a cyber attack.

While Utah Food Bank survived the colossal attack, not every company or organization does, particularly small- and mid-sized businesses. If your site goes down because it has been compromised, the trust you worked so hard to build with customers or members can wane. Sometimes, all it takes is one incident to change someone’s perception of a business. Repairing and mending the relationship take much longer.

Interested in takeaways from other executive leadership roundtables? Read “6 Tips for Managing Remote and Hybrid Teams.”