We’ve all been there. An email meant for one person goes to a group. A document intended for your team goes out to the client instead. Red-faced mea culpas ensue …
But what happens when the document you or your team inadvertently sends out includes sensitive information that you – and your legal team – have agreed to keep confidential? In our all-digital world, once it’s out there, it can be difficult if not impossible to get back.
These kinds of mistakes can erode trust. That makes it critical to have policies, processes, training and tools in place to protect data and information that you’ve promised to safeguard. It’s also critical to understand that this is not primarily a technology problem, even though your tools and how you use them do play an important role.
Tools to Protect Data
Let’s start with the most basic tools. Any potentially public point of access to data has to have an appropriate level of security built right into it. From SSL certificates (for every business) to “bank-level” security to protect financial and similar transactions, the security you need for your website, intranet, and online-accessible databases will vary depending on the information you are responsible for and who needs access.
Two-factor authentication and token-based authentication are among the other tools to consider, depending on your needs, as are database protections, server hardening, and firewall protection designed to repel attacks before they ever get close to your data.
As important as what tools you use is how you use them. Consult with experts to implement the right combination of tools, and consider regularly scheduled audits to make sure they remain in place and functioning as expected.
Tools to Enable and Control Sharing
Streamlining sharing protocols and procedures can help with compliance. Just about every content/data management tool you might use provides some measure of granular control over access, sharing, editing, and other tasks, based on role, department, or other user criteria. This includes even the most basic free versions of tools like Google Docs, Box, and Dropbox. And as you move up the cost and complexity ladder toward enterprise-level platforms, the tools and controls become much more sophisticated and can be customized to fit your team’s workflow needs.
Processes to Support People
Beyond those tools, you need to invest in training and processes to help your team follow the security standards you set up. Underline the importance of security to your employees. Teach them how to use the tools and processes required of them, and make it easy to do so. These three steps go hand-in-hand because compliance will be lower if there’s no understanding of overall business goals, and cumbersome processes will have team members choosing expediency over procedure even when they know the consequences.
Keeping it All Working
The key to making these tools work for you and not against you — that is, providing protection without draining productivity — is to review and update the tools and their settings on a regular basis. There is no excuse for a “set it and forget it” mindset here as threats to privacy and confidentiality change rapidly. The audits I mentioned earlier are a big part of this, as is reviewing with your team what is working well for them and what is not.
At the outset and for your reviews, be sure to include representatives from divisions across the organization. Technology, HR, sales, and marketing will all need a say, as will Compliance, of course, if your firm is subject to industry regulations.
If this is all new to you and you’re intimidated — or simply want to arm yourself with info before stepping into a meeting with department heads who likely have competing agendas — seek out examples of others in your industry, particularly those who may have experienced public missteps to see how they’ve improved their processes and tools.
You might also consider a conversation with your insurance team, as they should have experience in cybersecurity and similar areas. They should be able to bring you up to speed on the general compliance regulations that may apply to you. GDPR, CCPA, and the NY SHIELD Act may sound like so much alphabet soup, but understanding their general thrust and your responsibility to comply will help you develop a workable plan as you reconcile needs with everyone’s desire to minimize the burdens of compliance.
If you’re not a bank or other financial institution, you likely don’t need the level of protection they do. But you will be better off with a “go bigger” mentality as your starting point than working your way up from “quick, easy, and cheap.”