Steps to Protecting Your Company’s Data

Steps to Protecting Your Company’s Data

Data breaches (whether accidental or intentional) can be very costly in terms of damage to an organization’s reputation, lawsuits and regulatory fines, as well as customer loss. When comes to protecting a company’s data, even  a simple mistake like using the wrong size window envelopes can expose customer data, leading to costly regulatory fines and regulations. And when a high profile data breach makes headlines, the damage to a company’s reputation can be permanent.

Vulnerabilities that exist within your own operations frequently lead to accidental privacy violations—So what are you doing to protect your company’s data? It is a good practice to regularly conduct a risk assessment of your data security environment, and implement the controls necessary to reduce its risk.

Some questions to consider when determining how well your utility is identifying and tackling the risks of data loss include:

  • Are the appropriate resources readily available to do an effective assessment of risk and install more effective controls if necessary?
  • Is customer data disposed of securely?
  • How is all customer data stored in electronic databases?
  • Are the proper controls in place to limit access to customer data and prevent it from being misused, lost or stolen?

How the questions are answered may make it immediately clear what the necessary next steps should be.

While all of the above heads off potential problems internally by anticipating threats, what security measures should you expect when you outsource your data to a third-party provider? Much like your own security program, a service provider should also have a contingency program that includes business continuity and disaster recovery planning, as well as a redundant IT infrastructure. You will want to verify that they test their contingency plans annually and incorporate identified security gaps into their risk mitigation plans. And be sure to ask them about the security certifications they hold.

In pursuing what certifications are important, learn about the security frameworks that address the unique requirements of your industry. Companies that accept credit card payments should maintain PCI certification. Overseen by the Payment Card Industry Security Standards Council (PCI SSC), PCI certification requires businesses to meet stringent requirements, including change management processes, continuous monitoring and maintaining seven critical security controls throughout the year.

HITRUST certification is a great option for businesses that handle protected health information. The HITRUST Common Security Framework provides a mechanism for companies to address rigorous HIPAA standards. HITRUST CSF is also mapped to several other security requirements, like NIST, FedRAMP and the EU’s recently implemented General Data Protection Regulation.

For companies working in financial services, the AICPA offers SOC 2 reporting, which assesses a company’s security program against five Trust Services Principles. As an added bonus, SOC 2 reporting is widely recognized across multiple industries. Some security frameworks allow businesses to address multiple security requirements using a single certification. The HITRUST Common Security Framework is a great example of this “assess once, report many” approach to certification. For example, the HITRUST Alliance has partnered with the AICPA, which oversees SOC 2 attestations, to offer a joint reporting process that allows businesses to use the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.

Maintaining multiple certifications ensures that your service provider engages in a process of continuous improvement and address any gaps in their security programs. With cybersecurity incidents and data breaches on the rise, a secure provider can protect your data and safeguard your most valuable asset—your company’s reputation.