During the first six months of 2014, 404 data security breaches were reported, exposing more than 11 million personal records. That is a 20 percent increase over the same period in 2013.
Given those numbers, companies must be more vigilant than ever in protecting client information. Your clients trust you to keep their data safe. Here are six best practices to help you keep that trust.
First, it’s critical to keep an inventory of which systems house client data (including backups, file shares, and third-party services) and to restrict logical and physical access to them to the people whose current role requires it. Review who has access to those systems on a regular schedule and whenever roles and responsibilities change, and remove access promptly when staff leave or are terminated. This may seem obvious, but it’s an easy item to overlook, which is why the review should be a defined process with an owner rather than an ad hoc task.
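The access review described above is easy to mechanize once you have an export of who holds what on each system and a current HR roster. The following Go program is an added example (not code from the original article) that compares the two and flags the three things a reviewer should act on: accounts with no matching employee, grants still held by departed staff, and roles a person's current job does not entitle them to. The `allowedRoles` mapping and both data sets are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is one entitlement exported from a system that holds client data.
type Grant struct {
	System string
	User   string
	Role   string
}

// Employee is one row of the HR roster.
type Employee struct {
	Status string // "active" or "terminated"
	Job    string // current job function
}

// Finding is one discrepancy the review routes to a human for revocation or re-approval.
type Finding struct {
	System, User, Reason string
}

// allowedRoles maps a job function to the roles it is entitled to hold.
// Hypothetical mapping for this example; a real one comes from your access policy.
var allowedRoles = map[string]map[string]bool{
	"support": {"crm:read": true},
	"billing": {"crm:read": true, "billing:write": true},
	"dba":     {"db:admin": true},
}

// ReviewAccess compares current grants with the HR roster and flags three
// classes of problem: accounts with no matching employee (orphan or shared
// accounts), grants still held by departed staff, and roles a person's current
// job does not entitle them to (typically left over from an earlier role).
func ReviewAccess(grants []Grant, roster map[string]Employee) []Finding {
	var findings []Finding
	for _, g := range grants {
		emp, known := roster[g.User]
		switch {
		case !known:
			findings = append(findings, Finding{g.System, g.User, "no matching employee in HR roster"})
		case emp.Status != "active":
			findings = append(findings, Finding{g.System, g.User, "employee status is " + emp.Status})
		case !allowedRoles[emp.Job][g.Role]:
			findings = append(findings, Finding{g.System, g.User,
				fmt.Sprintf("role %q not entitled for job %q", g.Role, emp.Job)})
		}
	}
	// Deterministic order so this quarter's report can be diffed against last quarter's.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].System != findings[j].System {
			return findings[i].System < findings[j].System
		}
		return findings[i].User < findings[j].User
	})
	return findings
}

// SampleGrants and SampleRoster are constructed data for this example, not real exports.
var SampleGrants = []Grant{
	{"crm", "alice", "crm:read"},
	{"crm", "bob", "crm:read"},
	{"billing", "bob", "billing:write"},
	{"db", "carol", "db:admin"},
	{"db", "svc_legacy", "db:admin"},
	{"billing", "dave", "billing:write"},
}

var SampleRoster = map[string]Employee{
	"alice": {Status: "active", Job: "support"},
	"bob":   {Status: "terminated", Job: "billing"},
	"carol": {Status: "active", Job: "dba"},
	"dave":  {Status: "active", Job: "support"}, // moved from billing, kept the old grant
}

func main() {
	for _, f := range ReviewAccess(SampleGrants, SampleRoster) {
		fmt.Printf("%-8s %-11s %s\n", f.System, f.User, f.Reason)
	}
}
```

Run against the sample data it reports four findings: both of bob's grants (terminated), dave's leftover billing role, and the `svc_legacy` account nobody in HR owns. The last class is the one reviews most often miss, because a service account never shows up on a leaver checklist.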
Second, if your company houses sensitive data such as client Social Security numbers or account numbers, encrypt those specific fields (or entire databases where appropriate) rather than relying on database access controls alone, so that a copied table or backup does not expose them. Store the encryption keys securely and separately from the data they protect: a key kept in the same database, in application source code, or on the same backup as the data gives whoever copies the data the means to read it. Use a dedicated key management service or hardware security module where available, and plan for key rotation from the start.
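What field-level encryption with a separately held key looks like in practice, as an added example that is not from the original article: a Go program that encrypts one column value with AES-256-GCM, loads the key from the environment (standing in for a key management service; the variable name `CLIENT_DATA_KEY` and the key id `k1` are assumptions of the example), and binds each ciphertext to its record and column so that values cannot be swapped between rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// FieldCipher encrypts individual sensitive columns (SSNs, account numbers) so a
// copy of the database alone does not expose them. The key is never stored with
// the data; it is fetched from a separate secret store when the service starts.
type FieldCipher struct {
	aead  cipher.AEAD
	keyID string // recorded with each value so keys can be rotated later
}

// NewFieldCipher wraps a 32-byte key in AES-256-GCM (authenticated encryption:
// tampering is detected rather than silently decrypted to garbage).
func NewFieldCipher(keyID string, key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead, keyID: keyID}, nil
}

// LoadKeyFromEnv stands in for a KMS or HSM call in this example: the key is
// injected through the environment, outside both the source tree and the database.
func LoadKeyFromEnv(name string) ([]byte, error) {
	v := os.Getenv(name)
	if v == "" {
		return nil, fmt.Errorf("%s is not set; load the key from a secret store, never from the data it protects", name)
	}
	return base64.StdEncoding.DecodeString(v)
}

// aad ties a ciphertext to its record and column. Without it, someone with write
// access to the table could copy one client's encrypted SSN into another client's
// row and the application would decrypt it as if it belonged there.
func aad(recordID, column string) []byte {
	return []byte(recordID + "/" + column)
}

// EncryptField returns "keyID:base64(nonce || ciphertext || tag)" for storage.
func (fc *FieldCipher) EncryptField(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	ct := fc.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	return fc.keyID + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField and fails closed if the value was altered,
// encrypted under a different key, or moved to another record or column.
func (fc *FieldCipher) DecryptField(recordID, column, stored string) (string, error) {
	keyID, b64, ok := strings.Cut(stored, ":")
	if !ok || keyID != fc.keyID {
		return "", errors.New("value was encrypted under an unknown key id")
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, column))
	if err != nil {
		return "", errors.New("authentication failed: tampered, wrong key, or wrong record/column")
	}
	return string(pt), nil
}

func main() {
	key, err := LoadKeyFromEnv("CLIENT_DATA_KEY") // e.g. export CLIENT_DATA_KEY=$(head -c 32 /dev/urandom | base64)
	if err != nil {
		fmt.Println(err)
		return
	}
	fc, err := NewFieldCipher("k1", key)
	if err != nil {
		fmt.Println(err)
		return
	}
	stored, _ := fc.EncryptField("client-42", "ssn", "123-45-6789")
	fmt.Println("stored:", stored)
	fmt.Println(fc.DecryptField("client-42", "ssn", stored)) // original row: plaintext, <nil>
	fmt.Println(fc.DecryptField("client-43", "ssn", stored)) // moved to another row: "", error
}
```

Two design points worth noting. The key id prefix is what makes rotation possible: new writes use the new key while old values still decrypt under the old one until they are re-encrypted. And the associated data is what turns "encrypted at rest" into a real control against an attacker who has write access to the table but not the key; without it, GCM would happily decrypt a ciphertext that had been moved to a different client's row.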
Third, consider conducting vulnerability and penetration testing at least annually and after significant changes to your environment. A vulnerability scan is an automated check for known weaknesses; a penetration test goes further, with a team of experts attempting to actually exploit them, both (a) from an external location over the Internet and (b) from an internal office or conference room, simulating a vendor or visitor who has gained access to your building, to see what information can be retrieved. The engagement should also include a social-engineering element, in which the testers attempt to deceive your employees into unknowingly providing sensitive information such as passwords. The findings identify areas of weakness so you can prioritize and fix them, and a retest confirms that the fixes actually closed the gaps.
Another assessment to consider is a service organization controls (SOC) examination, in which an independent service auditor evaluates the design and operating effectiveness of the internal controls within your organization. Changes in technology and regulation are pushing businesses that outsource work to demand more information and assurance from their technology service providers. Your clients must be able to demonstrate that their chosen service provider (you) can ensure the security, availability, and processing integrity of your systems and, in some cases, the confidentiality and privacy of the information those systems process. If you run a data center or a software-as-a-service company, your clients will likely require a SOC report. Even if it’s not required, it’s a best practice: a third-party report on your internal controls gives clients additional assurance that their data is secure, and your competitors may already be offering one.
Next, make sure effective preventive and detective controls are in place. This means not only properly configuring a firewall, an intrusion detection system, and logging and alerting rules so that IT staff are notified when unusual activity occurs, but also having a documented process for who reviews each alert, how quickly, and what they do about it. Oftentimes a company will have a firewall in place but no process to review what it reports; an alert nobody reads is not a control. If you’re not going to act on the information, what good is collecting it in the first place?
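A concrete instance of an alerting rule that is tuned to be read rather than ignored, added here as an example and not taken from the article: a Go program that parses firewall deny records, detects a source probing many distinct ports inside a short window, and raises one alert per source instead of one per denied packet. The log format (an RFC 3339 timestamp, `DENY`, and `key=value` fields) and the sample lines are constructed for the example; the addresses are from documentation ranges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed firewall deny record.
type Event struct {
	When  time.Time
	Src   string
	DPort string
}

// Alert is what the rule hands to the on-call queue. One alert per source,
// not one per denied packet, keeps the queue short enough that someone reads it.
type Alert struct {
	Src       string
	Ports     int
	FirstSeen time.Time
	LastSeen  time.Time
}

// ParseLine reads the constructed "<RFC3339> DENY key=value ..." format used in
// this example; adapt it to your firewall's real log format.
func ParseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 3 || f[1] != "DENY" {
		return Event{}, false
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{When: when}
	for _, kv := range f[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			switch k {
			case "src":
				ev.Src = v
			case "dport":
				ev.DPort = v
			}
		}
	}
	return ev, ev.Src != "" && ev.DPort != ""
}

// DetectPortSweeps raises one Alert for each source denied on at least minPorts
// distinct destination ports within any span of length window: the classic
// signature of a host probing for open services.
func DetectPortSweeps(lines []string, window time.Duration, minPorts int) []Alert {
	bySrc := map[string][]Event{}
	for _, l := range lines {
		if ev, ok := ParseLine(l); ok {
			bySrc[ev.Src] = append(bySrc[ev.Src], ev)
		}
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		ports := map[string]int{} // distinct ports inside the current window
		start := 0
		for end := range evs {
			ports[evs[end].DPort]++
			for evs[end].When.Sub(evs[start].When) > window { // slide the window forward
				ports[evs[start].DPort]--
				if ports[evs[start].DPort] == 0 {
					delete(ports, evs[start].DPort)
				}
				start++
			}
			if len(ports) >= minPorts {
				alerts = append(alerts, Alert{src, len(ports), evs[start].When, evs[end].When})
				break // one alert per source; further packets add noise, not information
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// SampleLog is constructed for this example; the addresses are documentation ranges.
var SampleLog = []string{
	"2014-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=21",
	"2014-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
	"2014-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
	"2014-05-01T10:00:04Z DENY src=203.0.113.7 dst=192.0.2.10 dport=25",
	"2014-05-01T10:00:05Z DENY src=203.0.113.7 dst=192.0.2.10 dport=80",
	"2014-05-01T10:00:10Z DENY src=198.51.100.4 dst=192.0.2.10 dport=443",
	"2014-05-01T10:00:11Z ALLOW src=198.51.100.9 dst=192.0.2.10 dport=443",
	"2014-05-01T10:00:12Z DENY src=198.51.100.9 dst=192.0.2.10 dport=22",
	"2014-05-01T11:00:12Z DENY src=198.51.100.9 dst=192.0.2.10 dport=23",
	"2014-05-01T12:00:12Z DENY src=198.51.100.9 dst=192.0.2.10 dport=25",
	"2014-05-01T13:00:12Z DENY src=198.51.100.9 dst=192.0.2.10 dport=80",
	"2014-05-01T14:00:12Z DENY src=198.51.100.9 dst=192.0.2.10 dport=443",
	"malformed line that a parser must skip rather than crash on",
}

func main() {
	for _, a := range DetectPortSweeps(SampleLog, time.Minute, 5) {
		fmt.Printf("ALERT %s probed %d ports between %s and %s\n",
			a.Src, a.Ports, a.FirstSeen.Format("15:04:05"), a.LastSeen.Format("15:04:05"))
	}
}
```

With a one-minute window the fast sweep from 203.0.113.7 produces exactly one alert, the single denied connection from 198.51.100.4 produces none, and the slow sweep from 198.51.100.9 (one port an hour) is missed; widening the window to several hours catches it as well. That trade-off between window length and false positives is exactly the tuning decision that has to be owned by whoever is on the hook to read the alerts, which is the point of the paragraph above.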
Finally, companies that store, process, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). Depending on your annual transaction volume, the compliance process involves either an annual self-assessment questionnaire completed internally or an on-site assessment by a Qualified Security Assessor (QSA), in both cases confirming that cardholder data is stored and guarded as the standard requires. The simplest way to reduce both the risk and the scope of that assessment is to avoid storing card numbers at all, for example by tokenizing them through your payment processor.
In today’s digital world, protecting your customers’ personal information is an ongoing effort, not a one-time project. Breaches happen all the time, and when they do, the company responsible takes a significant hit to its reputation. Protect yours: take these steps to safeguard your client data.