Data is critical to every business. Businesses have multiple subsets of data, such as sales, client, employee, vendor, and various company data. In today’s world, companies must use a combination of permissions, security, and policy to protect company data.
Companies should take a holistic view of the data folder structure and determine what employees truly need access to. Creating a single large data share is often the easiest route, but it leads to problems as the company grows and roles become more defined. For small firms, we recommend starting with a simple structure of four or five basic folders such as Marketing, Clients, HR, and Vendors (or a variation of this based on your industry). Create a user for each employee and grant each one rights to only the folders they need to perform their job. We also recommend strict permissions for any sensitive data, including client personal data, credit card information, company intellectual property, financial data, or any other data the firm deems sensitive. This data should also be protected at the file level with either passwords or access control. When protecting data, you must also consider what happens if the data leaves the company. How protected is your data if a company device is stolen or an ex-employee acquires data? There should be technologies in place to remotely wipe all company devices. Sharing of data should be monitored and restricted.
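One way to check that folder rights match what each employee needs is to compare the grants exported from the file server against a role-to-folder list. The script below is an added example, not part of the original article; the folder names follow the layout suggested above, while the roles, account names, grants and the choice of sensitive folders are constructed for illustration.

```python
"""Least-privilege check for a small shared-folder layout (added example)."""

# Folder names follow the article's suggested layout; everything else below
# (roles, account names, grants, which folders are sensitive) is constructed.
SENSITIVE = {"Clients", "HR"}

NEEDS = {  # role -> folders that role needs to do its job
    "sales": {"Marketing", "Clients"},
    "hr": {"HR"},
    "purchasing": {"Vendors"},
}

ROSTER = {"alice": "sales", "bob": "hr", "carol": "purchasing"}  # current staff

GRANTS = [  # (account, folder) pairs as exported from the file server
    ("alice", "Marketing"), ("alice", "Clients"), ("alice", "HR"),
    ("bob", "HR"),
    ("carol", "Vendors"), ("carol", "Marketing"),
    ("erin", "Clients"),    # no longer on the roster
    ("shared", "Vendors"),  # shared login, not tied to one employee
]


def audit(grants, roster, needs, sensitive):
    """Return sorted (severity, account, folder, reason) findings."""
    findings = []
    for account, folder in grants:
        # Excess access to a sensitive folder is ranked above other excess access.
        level = "HIGH" if folder in sensitive else "MEDIUM"
        role = roster.get(account)
        if role is None:
            reason = "account not tied to a current employee"
        elif folder not in needs.get(role, set()):
            reason = f"not needed for role '{role}'"
        else:
            continue  # grant matches what the role needs
        findings.append((level, account, folder, reason))
    return sorted(findings)


if __name__ == "__main__":
    for severity, account, folder, reason in audit(GRANTS, ROSTER, NEEDS, SENSITIVE):
        print(f"{severity:6} {account:8} {folder:10} {reason}")
```

Running the same comparison after every hire, role change and departure keeps the folder rights aligned with the need-to-know list as the company grows.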
Now that we have shared the data with the correct users in the organization, we need to protect it from both internal and external threats. Data should be located on a network or machine that has anti-virus, advanced threat protection, and a firewall to restrict access from outside the network. Data should also be encrypted at rest and in transit, including backups. Servers containing data should have external access restricted and monitored. Servers should also be kept in a locked cabinet or server closet so that physical access is limited.
Policy is often forgotten when it comes to data security. Policy is the largest risk to companies because it encompasses human risk. What policies have you put into place when onboarding new employees? Simply having employees sign a 10-page document without reading it does not provide you with any more security. Employees should be trained on what data is to be shared and with whom. Policies regarding workflows as they pertain to financial transactions, client information distribution, and disaster planning should also be discussed with each employee. Technologies can be put into place for varying levels of data security, but they can all be rendered worthless by a careless employee action. We recommend proper training and ongoing testing of each employee with access to company data.