No matter the size of your business, if you store your customers’ information on servers, in the cloud, or even on a spreadsheet, protecting that information is key to your business. How you keep that data safe affects your business and your reputation.
Here are 5 ways to help you keep customers’ information safe
1. Rethink your data
Client data can help you plan better for your business and connect more easily with your customers, but you might be asking for or storing more data than you need.
For example, do you need to store your customers’ payment information yourself, or would it make sense to partner with a payment provider, such as Moneris, that stores it for you? Data you never hold is data you never have to secure or report as breached.
Doing a data audit to make sure that you are collecting the right data, backing it up properly, using it appropriately, and securing it is something you should do and revisit every year. Here are the steps to take in your data audit:
- Determine the data you need for your business.
- Inventory the data you have.
- Identify any legal or regulatory requirements you need to follow in the classification and protection of the data.
- Classify the data into categories of importance and of risk. For example, customer personal information and credit card data are riskier to keep than a list of products you sell.
- Develop security measures to protect this information as required by its classification levels.
- Deploy these protections.
- Test the protections.
- Periodically repeat these steps. At a minimum, do this annually, but if the nature of your activity or data changes, or if the legal or regulatory requirements change, do it sooner.
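The inventory and classification steps above are easier to act on with a small script than with a manual review of every spreadsheet. The following is an added example written for this article, not a tool the article or RBC provides: it reads a constructed CSV export standing in for a customer spreadsheet, labels a column "payment" when any of its values is a well-formed card number that passes the Luhn check, labels it "personal" when the header is a known personal-data field or the values are e-mail addresses, and labels everything else "low". The sample rows, the list of personal headers, and the three labels are assumptions made for the demonstration.

```python
"""Added example for this article (not the article's or RBC's own tool):
inventory a customer data export and flag the columns that need the most
protection. The CSV below is constructed sample data, and the column
labels ('payment', 'personal', 'low') are assumptions for the demo."""
import csv
import io
import re

# Constructed sample export standing in for a customer spreadsheet.
SAMPLE_CSV = """name,email,card_number,sku
Alice Example,alice@example.com,4111 1111 1111 1111,PROD-001
Bob Example,bob@example.com,,PROD-002
Carol Example,carol@example.com,4242-4242-4242-4242,PROD-003
"""

# Header names that usually hold personal information regardless of content
# (an assumed list; extend it for your own exports).
PERSONAL_HEADERS = {"name", "first_name", "last_name", "email", "phone",
                    "address", "postal_code", "date_of_birth", "sin"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Luhn checksum: every valid payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if value is 13-19 digits (spaces/dashes allowed) with a valid Luhn check."""
    compact = value.replace(" ", "").replace("-", "")
    return bool(PAN_RE.match(compact)) and luhn_ok(compact)


def classify_columns(csv_text):
    """Return {column_name: label} for a CSV export.

    'payment'  - at least one non-empty value is a Luhn-valid card number
    'personal' - header is a known personal-data field or all values are e-mails
    'low'      - everything else (for example, product SKUs)
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    columns = list(rows[0].keys()) if rows else []
    labels = {}
    for col in columns:
        values = [row[col] for row in rows if row[col]]
        if any(looks_like_pan(v) for v in values):
            labels[col] = "payment"
        elif col.lower() in PERSONAL_HEADERS or (
                values and all(EMAIL_RE.match(v) for v in values)):
            labels[col] = "personal"
        else:
            labels[col] = "low"
    return labels


def risk_summary(csv_text):
    """Count columns per label so the audit can track the high-risk ones year over year."""
    summary = {"payment": 0, "personal": 0, "low": 0}
    for label in classify_columns(csv_text).values():
        summary[label] += 1
    return summary


if __name__ == "__main__":
    for column, label in classify_columns(SAMPLE_CSV).items():
        print(f"{column:12s} {label}")
    print(risk_summary(SAMPLE_CSV))
```

A column flagged "payment" is the one to question under step 1: if no business process needs it, stop collecting it rather than securing it. The Luhn check only says a number is well-formed, so treat hits as candidates for a person to confirm, and run the scan over every export and shared drive, not just the system you think holds customer data.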
If you store sensitive data or if data is critical to the operation of your business, you might even want to look into a cyber liability insurance policy to protect your business against losses or claims in the event of a data breach.
2. Defend your security through education
If you have a great system but haven’t taught your employees about phishing attacks, for example, your security strategy could be compromised with one click. Educate your employees on a regular basis about the company’s expectations, potential threats, and the procedures for accessing data. You might also want to restrict certain types of data to the people at your company who need it for their work, so that one compromised account does not expose everything you hold.
3. Back up your data
Most businesses rely on data to operate. So it’s important to have some form of information backup system, but also important to review it routinely to make sure that your system meets your needs. Some questions to help you evaluate your back up systems and procedures include:
- How often is your data backed up? Depending on your business, you might want to do that daily or hourly. You should also test your backups regularly to ensure they actually work and have the data you need if you need them. Also, make sure you know how to restore the data in an emergency.
- Where is your data being stored? In Canada, or elsewhere? If your data is stored outside Canada and you are concerned about what that means for your clients’ privacy, make a plan to move that data, or the parts that concern you, to a Canadian host. You can also ask your current data service provider about their security practices.
- Does your backup provider have servers in other countries? Even a Canadian company hosting your data might keep copies on servers in other countries. Ask them where your data is stored and confirm that the location is appropriate for it.
- Do you have an offline backup to restore from in case of a data breach or a ransomware attack? Creating an offline backup is simpler than you might think: either do it on your own server, or use a backup service provider that routinely copies your data to offline storage. Offline means not reachable from the systems you use day to day; a backup that an attacker who has taken over those systems can also reach, encrypt, or delete gives you little protection against ransomware.
- If all your backups are in the same location or same geographic area, what’s your plan in the event of a fire or a natural disaster? You should distribute the location of your backup providers and have redundancies so that if something happens you’ll be protected.
If you find that your data isn’t being backed up often enough, or that you don’t have offline backups to restore your system if your data is compromised or ransomed, focus on implementing a strategy that thinks through all the contingencies; that is critical to protecting your business. You should also create a Disaster Recovery Plan, which describes how to quickly redirect your company’s resources to restore your data after a disaster or hacking event, and a Business Continuity Plan, which describes how to keep your business running in the event of a disruption that changes how you can operate, as happened with COVID-19.
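The backup questions above come down to one test: can you restore, and does the restore contain what you expect? The following is an added example written for this article, not a tool the article or RBC provides. It backs up a constructed sample directory to a gzipped tar archive, records a SHA-256 manifest of the source at backup time, restores the archive into a scratch directory, and compares every file’s hash; it then changes the source after the backup and shows the same check reporting the file the backup no longer matches. The directory layout, file names, and file contents are assumptions made for the demonstration.

```python
"""Added example for this article (not the article's or RBC's own tool):
back up a directory, then prove the backup restores intact by restoring
into a scratch directory and comparing SHA-256 hashes against a manifest.
All file names and contents below are constructed sample data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each regular file under root (relative, POSIX-style path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Write a gzipped tar of source and return the manifest taken at backup time."""
    source = Path(source)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest(source)


def verify_restore(archive, expected):
    """Restore archive into a temporary directory and compare it with expected.

    Returns (ok, problems): ok is True only when every expected file is
    present with the same hash and nothing unexpected was restored.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Newer Pythons can reject entries that escape the target directory.
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = manifest(scratch)
    problems = [name for name, digest in expected.items()
                if restored.get(name) != digest]
    problems += [name for name in restored if name not in expected]
    return (not problems, problems)


def demo():
    """Back up constructed data, verify it, then show a stale backup being caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "customers"
        (source / "records").mkdir(parents=True)
        (source / "records" / "orders.csv").write_text("id,sku\n1,PROD-001\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = work / "customers.tar.gz"

        expected = make_backup(source, archive)
        fresh_ok, _ = verify_restore(archive, expected)

        # Data changed after the backup ran; the old archive no longer matches
        # what a restore would need to bring back.
        (source / "records" / "orders.csv").write_text(
            "id,sku\n1,PROD-001\n2,PROD-002\n")
        stale_ok, stale_problems = verify_restore(archive, manifest(source))

        return {"fresh_ok": fresh_ok,
                "stale_ok": stale_ok,
                "stale_problems": stale_problems}


if __name__ == "__main__":
    print(demo())
```

Run the same verify step against the backups you actually depend on, restoring onto a machine separate from production; a backup you have never restored is an assumption, not a recovery plan. The archive this writes is also the kind of artifact you would copy to media that is not reachable from your network to get the offline copy discussed above, and the manifest lets you confirm that copy is intact before you need it.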
4. Create (or review) your security strategy
If you don’t have a security strategy, working with an information security company to come up with a plan can help you keep customers safe. If you already do, you will want to review it regularly to stay on top of emerging cyber threats, encryption strategies, and software and security protocols.
Depending on what industry you’re in, the data you have on your clients or customers might fall under privacy laws or industry regulations and might require extra protection, or carry additional liabilities or disclosure obligations if it is breached. For example, if your business handles health data, you are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law for private-sector organizations. There are also provincial rules governing health data, and in some provinces, like British Columbia and Nova Scotia, all health data must be stored exclusively on Canadian servers.
A cyber security company can help you figure out what the rules and industry standards are for your field and create a plan for how to back up, encrypt, store, secure, and manage data in a way that is cost-effective and protects your business and your clients’ information and privacy.
5. Review your plan
Security plans for your business shouldn’t be “set it and forget it.” Once you’ve created a cyber security plan, work with professionals to review it quarterly or annually, depending on your risk level and the sensitivity of your data. That way you can update your security to respond to potential threats. The last thing you want is your data to be compromised and have to notify your clients of the breach. Reviewing your security plan — and updating it where needed — can give you peace of mind and keep your clients’ information safe.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.