Protecting Data from Prying Eyes | DCR Workforce Blog

As professional hackers flexed their muscles, September turned out to be the cruelest month for all those who trusted their data to the World Wide Web. Over 5 million Gmail users and an untold number of celebrities lost sleep over hacked usernames, passwords and photographs which were not meant for the public eye, while customers of Target and Home Depot (to name some targets of the cyber-attacks) were jolted to learn that their credit and debit card data had been breached.

Today, most people enjoy the flexibility of having their data, be it official or personal, in the cloud. We champion the flexibility offered by anywhere, anytime data and take advantage of various services from across global locations. Are we also aware of the potential threat of allowing unauthorized access to our customer data, as was painfully learned by many banks, hospitals and other organizations? These cybercrimes have gone well beyond the geeky high school kid who hacks into corporate systems just for bragging rights. Today, they are perpetrated by syndicates, or by a team of one or two individuals with the required knowledge and expertise.

We discuss some of the causes of such data breaches and how you can protect your organization from a possible breach by securing your data:

  • Have a strong IT security policy which is standardized across the organization and its various departments. Identify a security officer. Regularly conduct executive-level reviews of your security policies, activities and breaches.
  • Require all potential vendors – or any third parties who would potentially have access to your information – to provide details on their ability to keep that information secure.
  • Store all data within highly secure data centers with trustworthy ISO or SSAE certifications. Encrypt all data in transit and at rest. The cost of encryption will need to be considered against possible losses from a potential data breach.
  • Reserve the right to screen and reject any third-party contractors employed by your vendor, and ensure that the contract between the vendor and each subcontractor is bound by the terms of your IT security policy, setting strong repercussions in case of a breach.
  • Conduct a risk assessment analysis of your vendors and require them to plug any loopholes as a condition of continued business.
  • Constantly upgrade, through periodic iterations, your defenses against spyware and malware, which could leave the door open to a larger attack.
  • Never leave a loophole unattended after it has been detected.
  • Have a defined security strategy and set up defensive systems to protect critical information and data pertaining to you and your customers alike.
  • Invest in an intrusion detection and prevention system.
  • Remember that data in a cloud is also physically located on some server in some remote, offsite center, and has to be kept physically secure. So, it becomes necessary to verify the quality of the center and its compliance with the security requirements stipulated by you.
  • Employ a role-based data access system that limits what can be seen, accessed, and modified depending on the position and job responsibilities of each individual.
  • Ensure that all systems capture an audit trail of every transaction. Conduct regular audits of all systems. Commission an annual audit by an independent third party, and implement the changes suggested as a consequence of the audit.
  • Establish a policy on data access via mobile devices. Consider who, when, where, what and why!

In developing a data security plan and program, each organization needs to weigh the potential impact of a security breach against the costs associated with the controls put in place. Some possible losses from a data breach could include business disruption, cost of response, loss of customer loyalty due to negative publicity, damage to reputation, and potential litigation and the liabilities ensuing from it.

The most important thing to remember is never to feel secure – as security for online data is a moving target.

Lalita is a people/project manager with extensive experience in operations, HCM and training and development across industries like banking, education, business consulting, BPO and information technology. She believes in a dynamic approach to life and learning as change is the only constant.