What’s in Your Data Security Policy?

When your company’s policies around PTO and travel reimbursements are solid, they can remain unchanged for years. Data security policies, on the other hand, require frequent updating. As technology advances, so do the strategies and scams used by data thieves. Creating and enforcing clear, comprehensive policies about security protects your employees, your customers and your company. Every organization’s data security policy should be specific to its needs, but addressing these five critical areas is a good place to start.

Protection of Company Devices

More than 40% of American employees work remotely at least part of the time, according to a 2017 Gallup survey. If your company allows remote work, a great deal of data leaves your premises on company-issued laptops, tablets, phones, external hard drives and other devices. A data security policy should lay out rules that address connecting to public networks (for example, requiring the company VPN), physically safeguarding devices, keeping full-disk encryption turned on so a lost device does not become a lost data set, and maintaining firewalls, patching and other security software. It should also say what to do, and whom to call, the moment a device goes missing, so that it can be remotely locked or wiped.

Email and Password Guidelines

In any company, there’s bound to be at least one staffer who doesn’t realize that “123456” isn’t a secure password. A security policy should require passwords that meet clear criteria, which may vary by job function and level of access: a minimum length, no reuse across accounts, and screening against lists of passwords exposed in known breaches. Note that current guidance (NIST SP 800-63B) advises against forcing password changes on a fixed schedule, which mostly produces predictable variations such as a number incremented at the end; instead, a change should be required whenever a password is suspected of being exposed, for example after a breach. The policy should also forbid sharing passwords, spell out how employees may store them (an approved password manager, not sticky notes or a shared spreadsheet) and, wherever possible, require multi-factor authentication so that a single leaked password is not enough to get in.
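As an added example (not code from the original post, and not any particular vendor’s tool), here is a small Python password checker that applies the kind of criteria described above: a minimum length, no username inside the password, no single repeated character, and a lookup against breached-password hashes. The breach lookup goes a step beyond the text by using the same five-character SHA-1 prefix bucketing that the Pwned Passwords k-anonymity API uses, so a client never has to send the full hash anywhere. The breached-password list is a constructed six-entry stand-in for a real corpus, and the 12-character minimum is an assumed policy value, not a NIST figure.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a breached-password corpus. A real deployment would
# use the full Pwned Passwords data set or its k-anonymity API; these few
# entries exist only so the example runs offline.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "Summer2024!", "Welcome1",
]


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the hash the Pwned Passwords range format uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached hashes by their 5-hex-char prefix (k-anonymity buckets)."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def is_breached(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> bool:
    """Look the password up the way a k-anonymity client would: only the
    5-char prefix selects the bucket, and the suffix is compared locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, username: str,
                   index: Dict[str, Set[str]] = BREACH_INDEX,
                   min_length: int = 12) -> List[str]:
    """Return the list of policy rules the password violates (empty = accepted).

    min_length=12 is an assumed policy value; NIST SP 800-63B sets 8 as the
    floor for user-chosen passwords and encourages longer.
    """
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if len(set(password)) == 1:
        failures.append("single repeated character")
    if is_breached(password, index):
        failures.append("appears in a known breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "alice-rocks-2024", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```

The checker reports every rule a password violates rather than stopping at the first, which is what a user-facing form needs. Swapping `BREACH_INDEX` for a real range-file download keeps the rest unchanged, because the prefix/suffix split is exactly the layout the public API returns.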

A comprehensive data security policy should also address email security. Employees may be required to lock their screens and log out of email when it is not in use, to be vigilant about phishing and other email scams, and to report suspicious messages to a named contact rather than simply deleting them, since one reported message can reveal a campaign aimed at the whole company.

Data Monitoring

Knowing who’s accessing the organization’s data is essential both for employee accountability and for early intervention when a breach happens. Include language about data monitoring in the security policy. Clarify exactly what activity is being logged or watched (Internet usage, network logins, access to sensitive files, etc.), how long those records are kept and who may review them, and remind employees of the best practices the monitoring is meant to reinforce.

Incident Response

Mistakes happen, and data thieves are constantly developing new techniques. Every data security policy should address the possibility that a breach will happen, whether it’s an assistant losing a thumb drive or a coordinated attack on the company’s financial files. Include procedures for reporting an incident as soon as it is discovered, and make clear that employees will not be penalized for reporting promptly; delay is what turns a lost drive into a regulatory problem. Establish a breach response team, if one doesn’t yet exist. The response team should have written procedures for handling a breach when it happens: containing it, preserving logs and evidence, working out what data was exposed, and meeting any notification obligations to customers and regulators.

Data Destruction

Data is especially vulnerable once it leaves an employee’s control: a retired laptop or a box of old files is easy to overlook. Be sure to include procedures for destroying devices that are capable of holding data, and note that deleting files or reformatting a drive does not remove the data; it has to be overwritten to a recognized standard (NIST SP 800-88) or physically destroyed. The policy should be specific about what types of devices and physical documents have to be turned over to the company for destruction, including less obvious ones such as USB drives and the internal storage in printers and copiers. Establish a chain of custody so employees can consult the policy to find out to whom to hand over unused devices. The point person in charge of collecting obsolete devices and files should also be coached on how to arrange for them to be thoroughly and securely destroyed, and should keep a record, such as a certificate of destruction, for each batch.

Northeast Data Destruction can take it from there. Contact us today for a quote.