1. Know what the company’s intellectual property is, where it lives, and who should have access.
For most companies, not every piece of data is considered intellectual property – so identifying which data is most sensitive helps in prioritizing what to protect. Companies should look at every piece of data and consider what might happen if it ended up in the hands of a competitor. If such a breach would be detrimental to the company, that data is worth protecting. Much of the company data that needs to be protected, including financial statements, client lists, and customer data, is easily identified. But companies also must consider who should have access to this data. For example, employees should not have access to data that is not part of their duties – even if the information is sales reports, client lists, or other data that seems like basic company information.
2. Determine the scope of protection that’s appropriate for the company.
For most businesses, not every piece of data is created equal, and data protection is not a one-size-fits-all endeavor. Depending on the size of the company, the industry, and any applicable regulations, one organization’s data protection plan might look very different from another’s. For a smaller company, security measures that require a large outlay of time or monetary resources might not be the right fit. Or it might be important to selectively implement more stringent security measures on specific data. Our team tells clients, “If you’re going to purchase an alarm for only one car, you’re going to protect the more expensive model.”
3. Determine the types of protections needed.
These are some of the most common data protection options:
- Data security/companywide password policies. Every organization, regardless of size, industry, or amount of IP, should have rigorous password policies in place. Best practices include requiring regular password resets, setting parameters so that passwords are complex or not easily determined, and prohibiting shared passwords so that the company can identify exactly who is accessing data at any given time.
- Email phishing protections/training. Having both internal phishing protections and required training to teach employees not to click on links in email is vital – it takes only one person to expose the entire company. Training should be part of the onboarding process and occur again during regularly required updates.
- Multifactor authentication (MFA). With the evolution of technology over the past few years, MFA has moved from a fringe option to commonplace – in fact, it’s part of most online platforms (including social media and email). A good measuring stick for any security technology is that if online platforms are already using it, other organizations should follow suit (if they haven’t already).
- USB restriction. This option is used most often in larger companies, as a policy restricting USB use can be difficult to implement. However, it can go a long way in preventing theft of company data and IP and works well alongside other security measures.
- Data loss prevention (DLP) software platform. DLP software allows IT administrators to monitor what information is sent in and out of the company (including through USB devices). In addition to being highly effective at protecting IP, a DLP platform can help piece the puzzle together if a company does experience data theft. That said, it’s an extensive protection, so it’s usually sustainable only for larger organizations.
- Access controls. Access controls allow IT administrators to restrict access to certain drives, devices, and data to identified individuals or teams. This simple step both protects IP and makes it easier to pinpoint where a problem originated when something does go wrong.
- Alerts. Along with access controls, IT administrators should set up alerts to notify them if anyone tries to access a restricted server or drive. Because of the time investment involved, alerts are most useful for larger companies, companies with significant investments in research and development, or companies with proprietary technology or products.
- Exit interview strategy. When an employee leaves the company, human resources should conduct an exit interview that includes asking about data access – specifically PINs and passcodes on company cell phones, external storage devices used, and any hard copies that should be returned. Additionally, the human resources representative should remind the employee not to reset company phones or computers, identify any and all assets that were signed out and make sure they were returned, and coordinate with IT to restrict the employee’s access to company files and systems.
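The access-control and alert items above amount to one mechanism: an allow-list of who may reach each restricted share, plus a notification whenever someone outside that list tries. The following added example (not from the original article) shows that logic run over a few constructed file-server log lines; the share names, account names and the log line layout are all assumed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed allow-list (assumed share and account names): who may reach each restricted share.
RESTRICTED_SHARES = {
    r"\\fs01\rnd": {"alice", "bob"},
    r"\\fs01\finance": {"carol"},
}

# Constructed sample log in an assumed "timestamp user share action result" layout.
SAMPLE_LOG = r"""
2024-03-01T09:12:03Z alice \\fs01\rnd read ALLOWED
2024-03-01T09:15:44Z dave \\fs01\rnd read DENIED
2024-03-01T09:16:02Z dave \\fs01\rnd read DENIED
2024-03-01T09:20:10Z bob \\fs01\finance read DENIED
2024-03-01T09:25:31Z carol \\fs01\finance write ALLOWED
2024-03-01T09:30:00Z erin \\fs01\public read ALLOWED
2024-03-01T09:35:12Z erin \\fs01\finance read ALLOWED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<share>\S+) (?P<action>\S+) (?P<result>ALLOWED|DENIED)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    share: str
    reason: str

def check_line(line: str):
    """Return an Alert if this line is an attempt on a restricted share by a non-listed user."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank or malformed line: ignore
    rec = m.groupdict()
    allowed = RESTRICTED_SHARES.get(rec["share"])
    if allowed is None or rec["user"] in allowed:
        return None  # unrestricted share, or a user who is entitled to it
    # A DENIED result is an attempt the control blocked; an ALLOWED result means the
    # server's permissions disagree with the allow-list, which is a misconfiguration.
    reason = "access control drift" if rec["result"] == "ALLOWED" else "unauthorized attempt"
    return Alert(rec["ts"], rec["user"], rec["share"], reason)

def scan_log(text: str) -> list:
    return [a for a in (check_line(l) for l in text.splitlines()) if a]

def repeat_offenders(alerts, threshold: int = 2) -> dict:
    """Group alerts by (user, share) so repeated probing stands out from a one-off mistake."""
    counts = Counter((a.user, a.share) for a in alerts)
    return {key: n for key, n in counts.items() if n >= threshold}
```

Running `scan_log(SAMPLE_LOG)` flags both of dave's denied attempts, bob's attempt on finance, and erin's allowed read of finance, the last being the case where the share's permissions have drifted from the allow-list.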
4. Have a trusted resource ready before things go sideways.
Companies don’t want to be looking for digital forensics specialists after an IP theft incident occurs. It is worthwhile to establish a relationship with a trusted team that knows the business before an issue arises. But it’s important to remember that not all firms are created equal. Companies should find a specialist that can review and consult on current procedures and policies as well as suggest ways to fortify the protections already in place. Because technology and the markets are constantly evolving, this should be a continual conversation, not a one-and-done event.
While this is not an exhaustive list of ways to protect data, it’s a great starting point for creating a comprehensive data protection plan. And the best time for an organization to start implementing these steps and policies is now – before an incident occurs.