Data Privacy Best Practices for Organizations
There are many good and relatively inexpensive practices enterprises can employ to ward off cyber criminals and limit the amount of damage if their networks are penetrated.
In 2015, protecting data privacy is no longer just the concern of chief information officers and chief security officers. According to PricewaterhouseCoopers,
it is now a core concern for 48 percent of chief executive officers. This comes as no surprise, since 2015 is predicted to again set a new record for cyber crime,
and the associated fallout could potentially take down executives and their companies.
There is not now, and likely never will be, a silver bullet to completely safeguard an enterprise and the data it protects. While great advances are coming,
there are still many good and relatively inexpensive practices that can be used to ward off some cyber criminals and limit the amount of damage if a network is penetrated.
Encrypt, Encrypt, Encrypt
There is no excuse not to encrypt all data at all times, whether at rest or in motion. Indeed, there is no reason not to encrypt both the device's storage and data.
Encryption schemes can be broken, but just as most burglars look for unlocked doors, most cyber thieves look for unencrypted data. To protect data in motion outside the
firewall, use encryption via a virtual private network, and use device management to enforce all other desired policies. Encryption is also available for network traffic
inside the corporate firewall.
Beef Up Authentication
Inexpensive enterprise password management tools should be used at every enterprise. These tools can be used along with policies to enforce strong passwords,
regularly changed passwords and two-factor authentication. Though many users have adopted password management tools for their own devices, they should also be
mandated on every device that is authorized to access corporate data.
As biometric authentication schemes using fingerprints, retinal scans and activity patterns become more widespread, stronger and more user-friendly two-factor
authentication schemes are available. Also, never keep system IDs and passwords in unprotected text files.
Harden All Endpoints That Access Corporate Systems
Whether an enterprise limits employees to company-supplied endpoints or permits bring-your-own-device policies, every device that is allowed to access corporate
networks and data should be managed with device management tools that enforce all corporate security policies.
Your organization is only as secure as its weakest endpoint. In one recent incident, a bank
had updated all its servers to require two-factor authentication. Unfortunately, the bank missed one server among its thousands. Guess which server provided the access
to cyber thieves? That's right — the only one they missed. As with encryption, there are methods to spoof two-factor authentication that might have worked, but the bad
guys went for the weak link.
Get Rid of Inactive Data
Old non-production applications, old devices and old tapes all need to be taken offline, secured if retention is required and securely destroyed if they are not needed.
Thieves cannot steal what they cannot see.
Stop Creating Smoking Guns
For a long time, lawyers advised their corporate clients to avoid creating messages they would not want to see turn up in litigation processes. These days, however,
litigation is not the only concern. Cyber criminals' top targets include financial records, health records and internal communications you would not want to see printed
in the New York Times. Theft of such material can subject a company to blackmail and potential legal liability. The risk to corporate reputations from ill-advised
messages can be larger than legal liabilities.
Getting your organization on board with data privacy best practices can help you achieve enterprise-wide protection in 2015 and boost your data storage management efforts.