Data Security and The Small Business Part 3

Now that you have determined where all that personal data is in the myriad of file shares and databases that you use, what do you do next? You will remember that, way back in the first part, I stated that it is all about policies and procedures (and it is). So, where do you start?

1. Make your life easier and remove any personal data that you cannot justify keeping. Remember that the personal data can be in Office 365, your accounts program, your website or your mailing list program. Then write up a policy that states that you will check the personal data that you might have stored for its continued relevance a regular intervals and provide a documented means to remove any such data either on request or after it is no longer required.
2. Even when you have deleted any unneeded personal data, it will likely still exist in backups of your data so ensure that those backups are both protected by password and encrypted. If your backup solution does not support encryption then, alternatively, store the backup on encrypted media. Even modest network attached storage (NAS) units from manufacturers like Synology and QNAP support “at rest” encryption. Then write up a policy that all personal data is to be stored on encrypted disks.
3. Talking of encryption, don’t forget the device that you use to access or otherwise process that personal data. These days, software suppliers proclaim the advantages of accessing all your customer data from anywhere and using anything that can connect to any sort of insecure wireless connection. So, if that is your thing then consider encrypting the storage on your phone or tablet (most modern phones and tablets can do this but it is unlikely to be enabled by default). Then write a policy that all mobile devices and laptops must use encryption on all their storage.
4. Don’t forget the USB sticks and drives. Use USB sticks and drives that support hardware encryption – they cost notably more than the normal type – or use software encryption such as Bitlocker if you use Windows or just use Finder is you have a Mac. Remember to write a policy that states only encrypted USB sticks and drives can be used to store business data.
5. If you allow users to login to your website – even if you use third party authentication like Facebook – then ensure that you have applied an SSL certificate (from any reputable supplier like and that you only use HTTPS from when they login until they logout. Bear in mind that cheaper web hosting packages may not support the use of certificates. You know the drill by now – write up a policy that states that encryption will be used on all authenticated traffic to your website.
6. Don’t forget passwords. Write a policy – and enforce it, of course, to use passwords with a minimum length and complexity even on your mobile phone if there is no secure alternative such as a fingerprint scanner. These are turning up on ever more modest kit these days. Remember that encryption protects the data but will not prevent access to the data if the evildoer can guess your password. You might also like to consider the use of multi factor authentication but that may not be practical.

That’s all for now.