The CEO Refresher

Plugging the Data Dike
by Bill Morrow


Identity theft and fraud have been trumpeted and warned against for so long that they have unfortunately become white noise to some consumers. Consumers tend to be misinformed and unaware of their options for protecting their identities from this growing epidemic. Business executives like you, on the other hand, are well aware of the need for data protection and security and of the importance of avoiding the massive effects of identity theft on your organizations.

In this critical economic environment, identity thieves are going further than ever before to steal valuable consumer, customer and business sensitive information to make a buck. As devastating as it is for individuals to deal with identity theft, it is extremely costly for businesses attacked by identity thieves or those unwillingly exposed to risk because of employee errors and poor data privacy and security policies.

It is incumbent on businesses to protect sensitive financial and personal data and then to know how to respond if that data is breached. You may think a data breach always happens to the next business, but it will eventually happen to yours. Studies show 85 percent of businesses have had a data breach in the last three years, and you can count on one to three breaches occurring daily. The following is a brief data protection and security refresher for your organization as we kick off 2009.

Knowing what you have

No matter your type of business, you will find it necessary to possess sensitive personal and financial data. Employee or customer names, Social Security numbers, addresses and dates of birth are just some of the data you have acquired. Customer account numbers, credit card numbers and purchase orders are other pieces of sensitive information targeted by identity thieves.

Failure to safeguard this information presents a liability, not only in terms of lost time and money; it could also set your business up for a potential lawsuit. The Federal Trade Commission (FTC) recommends the following five principles to keep your sensitive data from the prying eyes of identity thieves:

  1. Take stock. Know what’s on your computers and in your files that an identity thief might be interested in.
  2. Scale down. Don’t keep what you don’t need.
  3. Lock it. Make sure you’re protecting the information you do keep.
  4. Pitch it. Properly and effectively dispose of what you don’t need.
  5. Plan ahead. Develop a plan to deal with security breaches.

To aid in taking stock of sensitive data, keep in mind where personal data may come from. Do you get it from customers? Are they giving you credit card numbers? Is it coming from employees?

It’s also important to know where that personal data is kept. Is some data in a file cabinet? How much is on your computer server? Can that data be accessed from any computer in your office? How much of that data is on CD, jump drive, flash drive or a laptop? Track who has access to that data and keep in mind that having access to that data and being authorized to access it are two different things. How do you know who is accessing the data? Set guidelines to determine access privileges and log data access.
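"Taking stock" is easier to do with a tool than by memory. The script below is an added example, not part of this article or of CSIdentity's products: it walks a directory tree and counts values shaped like Social Security numbers and like payment card numbers (the latter confirmed with the Luhn check that card numbers satisfy), so you can see which files hold the kind of data the FTC principles are about. The patterns, the sample file names and the sample records are constructed for the demonstration and are not real data.

```python
import os
import re
import tempfile

# Formatted SSN (NNN-NN-NNNN), excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped values in a block of text."""
    ssns = SSN_RE.findall(text)
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    return {"ssn": len(ssns), "card": len(cards)}


def inventory(root: str) -> dict:
    """Walk a directory tree; return {relative path: counts} for every file with a hit."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Binary files are read leniently; undecodable bytes are ignored.
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                counts = find_sensitive(fh.read())
            if any(counts.values()):
                found[os.path.relpath(path, root)] = counts
    return found


def demo() -> dict:
    """Build a constructed sample tree and inventory it (constructed data, not real records)."""
    samples = {
        "customers.csv": "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n",
        "notes.txt": "Call 555-0100 about invoice 1234 5678 9012 3456 (fails Luhn)\n",
        "readme.txt": "Nothing sensitive here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return inventory(root)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(f"{path}: {counts['ssn']} SSN(s), {counts['card']} card number(s)")
```

Run against a real share by calling `inventory("/path/to/files")` instead of `demo()`. Only `customers.csv` is reported: the invoice number in `notes.txt` has the right length but fails the Luhn check, which keeps ordinary reference numbers out of the inventory. A listing like this is the starting point for the "scale down" and "pitch it" steps, since it shows exactly which files need a business reason to exist.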

Keeping information safe

Some companies hold on to every piece of data they come across, but the more data you have, the more data that could be stolen. Make periodic reviews of the sensitive information you have stored in your files, both electronic and hard. If there is no business need for that data, dispose of it properly.

If you have to keep sensitive information, either for your business or because of certain laws and regulations, develop a policy that clearly outlines what you have to keep and where it’s kept. Anything that falls outside the “must keep” parameters should be properly disposed of.

Locking up files requires physical and electronic security measures. Some personal data lives inside file cabinets. Employee information, vendor data and some customer data may reside on pieces of paper that need to be locked away, no matter where they are. File cabinets need to be secured, and limits should exist on who can access those files. Whenever those files are opened, there should be a policy in place as to where those files are viewed, whether copies can be made and instructions to ensure the files go back where they belong.

Electronic security hits on a number of levels. Depending on the type of data your company possesses, there may be a need to encrypt files within your organization. Most companies have networked security systems, but reviews should be made to ensure your security is sufficient for the type of data in your possession.

Passwords need to have a combination of letters and numbers that make them tougher to crack. Addresses, birth dates, pet names and the names of children are too easy to discover and result in a weak link in your security system. Periodic password changes also help secure your network.

Laptop security is another issue. If sensitive data is walking out of your office on a laptop, that’s as bad as taking sensitive file folders out of the office. There are times when laptops need to be taken out for presentations and work outside the office. Those laptops should be encrypted and password protected, just like your computer network.

Wireless networks are another place where a potential breach could occur. If employees or customers are using scanners or cell phones to access your data network, those same scanners and cell phones could be used to steal data from your network.

The more access points available on your network the greater the potential for a security breach. Make sure you have systems in place that can detect breaches and then refer to your security procedures to limit the damage that comes from that breach.

Creating human firewalls

Training personnel on your security procedures is another way to protect your business. You can essentially make your people human firewalls. By practicing good data management and security procedures, your employees will understand the importance of keeping confidential information secure. They will know the policies for its proper protection and help keep the flow of data within your walls.

Vendors can also be a weak spot in your data security. It is understandable that some vendors need access to your network to conduct business, but limit that access. Once a vendor is through doing what they need to do, remove their access according to your security procedures and protocol, so that they are locked out should they attempt to reenter the system.

Disposing of private information

When disposing of sensitive data, make sure you do it the right way. There are programs that can recover deleted and partially overwritten data from hard drives and flash drives, so even after data is erased, enough of a trace may remain to cost you. Documents can always be shredded, but sometimes you need to take the extra step of pulping or even incinerating the materials, depending on the nature of the information you’re destroying.

Lastly, to complete your data protection and security initiative, develop, and update as needed, a proactive breach mitigation and response plan. Planning ahead helps you mitigate your risk, demonstrate reasonable care and act quickly and responsibly in the event of a breach.


The Author

Bill Morrow

Bill Morrow is chairman and CEO of CSIdentity, an identity theft protection company that offers a comprehensive suite of business and personal security solutions targeting all aspects of identity theft. CSIdentity’s comprehensive Security Suite provides the industry’s strongest protection solutions, including identity validation, comprehensive background screenings, identity theft protection for employees and customers and data breach management. For more information, visit .

Copyright 2009 by Bill Morrow. All rights reserved.
