We live in a digital world. Even if it is not operating in the tech space, your business is still at risk. From data breaches to holding information hostage with ransomware, there are a myriad of ways criminals can impact your business.
So how can you protect your business? Read on.
In this series, we’re sharing insights and tips to help you reduce risk to your organization, manage compliance, and stay safe.
Tip #3: Identify/classify sensitive data
If you don’t know what data you have, how will you protect it or know what needs protection?
Understanding your data is the first step in ensuring it is secure. You may dismiss this, thinking that because your business isn’t in the technology sector, this warning wouldn’t apply to you. However, if you work online, use email, or store client/customer information (digitally or not), you could be at risk.
Any type of sensitive information can be seen as valuable to hackers.
So what are you to do?
- Identify the data you have and where you store it
- Classify this information and assess whether it is subject to regulatory requirements (e.g. is it personally identifiable information?)
- Determine the level of protection required for the data you do have
- Assess current control levels and address any gaps to protect said information
- Develop a response plan should it ever become compromised.
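The first four steps above, worked through in code as an added example that is not part of the original post: a small discovery pass over a constructed inventory that flags PII by pattern, assigns a classification level, and reports which required controls are missing at each location. The inventory, control sets, pattern list and level names are all constructed assumptions for illustration.

```python
import re

# Constructed sample inventory standing in for files/fields found in the
# "identify" step: location -> a sample of its content.
SAMPLE_INVENTORY = {
    "crm/contacts.csv": "Jane Doe, jane.doe@example.com, 555-0100",
    "hr/payroll.txt": "Employee 4471, ID 046-454-286, salary 61000",
    "marketing/blog-draft.md": "Our spring campaign launches in May.",
}
# Constructed record of the controls each location has today.
CURRENT_CONTROLS = {
    "crm/contacts.csv": {"access_control"},
    "hr/payroll.txt": {"access_control", "encryption_at_rest"},
    "marketing/blog-draft.md": set(),
}
# Heuristic PII detectors; regex alone gives false positives, so a real
# discovery tool adds format validation and surrounding context.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "government_id": re.compile(r"\b\d{3}-\d{3}-\d{3}\b"),
}
# Classification levels and the minimum controls each level demands.
LEVELS = {0: "Internal", 1: "Confidential", 2: "Restricted"}
REQUIRED_CONTROLS = {
    0: set(),
    1: {"access_control", "encryption_at_rest"},
    2: {"access_control", "encryption_at_rest", "audit_logging", "retention_limit"},
}

def find_pii(text):
    """Return the set of PII types detected in a piece of content."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(text)}

def classify(pii_types):
    """Map detected PII types to a classification level (higher = more sensitive)."""
    if "government_id" in pii_types:
        return 2
    return 1 if pii_types else 0

def assess_gaps(inventory, current_controls):
    """For each location, report its level and which required controls are missing."""
    report = {}
    for location, content in inventory.items():
        level = classify(find_pii(content))
        missing = REQUIRED_CONTROLS[level] - current_controls.get(location, set())
        report[location] = (LEVELS[level], sorted(missing))
    return report
```

Calling `assess_gaps(SAMPLE_INVENTORY, CURRENT_CONTROLS)` yields the gap list per location, which is the input to the "address any gaps" step.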
How are you supposed to do all this? Performing a Privacy Impact Assessment can help you understand what personal information your organization has, why it’s being collected, and how it is being processed and stored. Conducting a Privacy Impact Assessment helps minimize any privacy risks or gaps that may exist in your day-to-day operations.
Additionally, performing an Information Security Gap Analysis concurrently can provide a comparison of your current security program or controls against industry best security practices. A Security Gap Analysis can:
- Identify threats and vulnerabilities to your organization
- Identify any control gaps that exist with your current controls framework
- Define a risk-based approach for allocating funds and resources where necessary
- Demonstrate to stakeholders that you’ve taken all reasonable efforts to safeguard personal information under your control.