Who would have thought, only a few years ago, that workplace managers would have to worry about battling cyberattacks and corporate sabotage? Data is now integral to every facet of your business, which means there’s more of it to protect, in more places, than ever before. It’s imperative to protect your systems and data against malicious hackers, information theft, and even accidental leaks. To mitigate this risk, business leaders must implement best practices for data security and evaluate third-party vendors for privacy compliance.
How Vulnerable is Your Workplace Data?
While the financial and healthcare sectors are often primary targets for hackers, the information that can be gained from corporate and customer data is astonishing. Businesses of any size and industry are tempting targets because they collect and analyze vast quantities of data that can be used for monetary gain.
Because data touches virtually every corner of your operations, addressing data security goes well beyond email. Even your IoT-enabled building equipment, such as smart thermostats, IP security cameras, and automation software, is at risk. Legacy systems, as well as the latest generation of apps, require layers of data protection. Otherwise, these digital tools can be turned into an attack vector that hackers exploit for system access.
Once inside, cybercriminals can mine your data for trade secrets, commit identity theft, or leak information to competitors. Sensitive information that is susceptible to attacks includes:
- Workforce: Head count, payroll, and staffing forecasts are prime targets. Even access to an employee directory can be tempting to headhunters looking to poach your talent or for even less scrupulous actors trying to “spear phish” or use social engineering against your employees.
- Financial: Operational costs, leases, growth projections, loans, transactions, customer lists, sales numbers, and vendor contracts are vulnerable data sets. Imagine what a competitor could do after peeking at how much your customers pay you or your pricing models.
- Privacy: Records containing birthdates, compensation, Social Security numbers, home addresses, cell phone numbers, and dependent info are always at risk as they can be used to conduct identity theft or financial fraud. And don’t forget bank account numbers used for direct deposit.
- Location: Because workplace violence takes many forms, data generated from badging, WiFi, conference room or desk reservations, seating charts, and other sensor data should be protected.
The good news is that your IT security managers have vast resources at their disposal to safeguard data. For example, data loss prevention (DLP) tools can flag a potential breach from an insider threat, cyberattack, or negligent exposure. A virtual private network (VPN) can protect your remote or traveling employees’ internet usage from prying eyes.
Such measures should stem from a comprehensive data security governance framework (DSGF) that assesses risk and ensures proposed controls will satisfy business objectives. DSGF is listed by Gartner®, a research and advisory firm, as one of the top security and risk management trends for 2019.
Take extra precaution to ensure your DSGF extends to all cloud-based software and third-party applications. With the proliferation of software as a service (SaaS), businesses are externally sharing a wider range of sensitive data. It’s critical to hold vendors accountable for data security.
Privacy Compliance and External Vendors
Before engaging vendors, you should ask new and existing third-party software providers one question: “How will you handle and protect our data?” You wouldn’t hire a building management company without asking about their service policies—extend this same due diligence to any digital vendors. Here are best practices to protect your workplace data and vet data processors for security governance:
- Limit Access: Don’t give an external vendor carte blanche access to your data. Take a minimalistic approach and only provide access to what is necessary for them to deliver expected outcomes. For example, SpaceIQ needs a person’s name, email, title, and department, but we don’t need to know Social Security numbers or birthdates for them to use our platform. While this information is housed in the same HR system, we need access to just a small portion of an employee’s profile. Work with your vendors to pull only the data that is fundamentally integral to executing their processes.
- Request SOC or GDPR: Industry audits, reports, and certificates are a great way to evaluate the safety and security of a vendor. Voluntary third-party verification programs such as SOC 2, Privacy Shield, or ISO 27001 help evaluate the trustworthiness of a company. While these are optional, GDPR and the California Consumer Privacy Act are laws that may apply to you and your vendors. If a software provider carries any of the aforementioned certifications, ask to review their documentation and note any expiration dates.
- Include a DPA: A data processing agreement (DPA) is a legal obligation that specifies what a vendor is allowed to do with your data. More importantly, it can also stipulate what they are not allowed to do. A DPA ensures that the data processor guarantees it will protect your records, and it spells out the processor’s contractual responsibilities in the event of a breach.
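The “Limit Access” practice above is easiest to enforce when the projection of an HR record down to a vendor’s fields is done in code rather than by hand. The following is an added example written for this article; it is not SpaceIQ’s code or any vendor’s integration. The field names, the vendor name “workplace-platform”, the never-share list, and the sample records are all constructed for illustration. It applies a per-vendor allowlist (deny by default), refuses to register an allowlist that contains a never-share field, and runs an independent audit over the outbound payload so a code path that bypassed the projection still gets caught.

```python
"""Field-level data minimization before sharing HR records with a vendor.

Added example, not SpaceIQ's or any vendor's code. Field names, vendor
names, and the NEVER_SHARE list are constructed assumptions.
"""
from typing import Any, Iterable

# Fields that must never leave the HR system for any vendor. Hypothetical
# list; each organization decides its own.
NEVER_SHARE: frozenset[str] = frozenset({
    "ssn", "birthdate", "home_address", "cell_phone",
    "compensation", "bank_account", "dependents",
})

# Per-vendor allowlists. Anything not listed is withheld (deny by default).
VENDOR_ALLOWLIST: dict[str, frozenset[str]] = {}


class MinimizationError(ValueError):
    """Raised when an export or policy change would violate minimization."""


def register_vendor_allowlist(vendor: str, fields: Iterable[str]) -> frozenset[str]:
    """Record which fields a vendor may receive.

    Refuses any NEVER_SHARE field so a typo or copy-paste in the allowlist
    cannot quietly widen what leaves the organization.
    """
    allowed = frozenset(fields)
    forbidden = allowed & NEVER_SHARE
    if forbidden:
        raise MinimizationError(
            f"allowlist for {vendor!r} includes never-share fields: {sorted(forbidden)}"
        )
    VENDOR_ALLOWLIST[vendor] = allowed
    return allowed


def minimize_record(record: dict[str, Any], vendor: str) -> dict[str, Any]:
    """Project one HR record down to the vendor's allowlisted fields."""
    allowed = VENDOR_ALLOWLIST.get(vendor)
    if allowed is None:
        # No registered policy means no data at all for that vendor.
        raise MinimizationError(f"no allowlist registered for vendor {vendor!r}")
    # Iterating the record (not the allowlist) keeps the original key order.
    return {k: v for k, v in record.items() if k in allowed}


def export_for_vendor(records: Iterable[dict[str, Any]], vendor: str) -> list[dict[str, Any]]:
    """Minimize every record destined for the named vendor."""
    return [minimize_record(r, vendor) for r in records]


def audit_export(exported: Iterable[dict[str, Any]]) -> list[str]:
    """Independent check on the outbound payload.

    Reports every NEVER_SHARE field present in any record, e.g. from an
    export path that skipped minimize_record. Empty list means clean.
    """
    findings: list[str] = []
    for i, rec in enumerate(exported):
        for field in sorted(set(rec) & NEVER_SHARE):
            findings.append(f"record {i}: {field}")
    return findings


# Constructed sample HR records (fictional people and values).
SAMPLE_HR_RECORDS: list[dict[str, Any]] = [
    {"name": "Ada Example", "email": "ada@example.test", "title": "Facilities Manager",
     "department": "Facilities", "ssn": "000-00-0000", "birthdate": "1980-01-01",
     "home_address": "1 Example St", "bank_account": "00000000", "compensation": 90000},
    {"name": "Bo Sample", "email": "bo@example.test", "title": "Analyst",
     "department": "Finance", "ssn": "000-00-0001", "birthdate": "1985-05-05",
     "cell_phone": "555-0100", "dependents": ["child"], "compensation": 70000},
]

# The workplace platform needs only name, email, title, and department.
register_vendor_allowlist("workplace-platform", {"name", "email", "title", "department"})

if __name__ == "__main__":
    payload = export_for_vendor(SAMPLE_HR_RECORDS, "workplace-platform")
    for rec in payload:
        print(rec)
    print("audit findings:", audit_export(payload))
```

The audit step is deliberately separate from the projection: the projection is the control, and the audit is the detection that tells you when the control was bypassed. Wire the audit to whatever actually sends the payload (an API client, a CSV writer, an SFTP job) so that it sees the bytes that leave, not the data you intended to send.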
Whenever you share data outside your organization, it’s necessary to balance convenience with security. The key to finding equilibrium is to ask: “How do I minimize the risk of allowing a vendor to access my data without sacrificing the rewards and benefits their services offer?” Controlling not only who has permission to use your data but how much they can access is the first step.