Don’t Make these Common Data Protection Mistakes

There are four mistakes almost every business makes when setting up their data protection. Read on so you can avoid these common pitfalls:

  1. Not knowing what to keep, or how long to keep it for
  2. Relying on a person (instead of automation) to manage data backups
  3. Granting employees more systems rights than they need to do their jobs
  4. Leaving open virtual “backdoors” when employees leave

Let’s look at each of these individually.

Mistake #1: Not knowing what data to keep, or how long to keep it for

This is a highly complex topic – with changing regulatory and legislative requirements that vary widely. That said, there are some common rules of thumb which I’ve outlined below. As a business owner you are expected to know and abide by the applicable data protection and retention requirements that affect your business.  Consult with a knowledgeable business attorney if you’re uncertain about what applies to you.

  • IRS guidance for the retention of tax and accounting records varies greatly, between 2 and 7 years. Your exact requirements will vary depending on your situation and the period of limitations for a given return. To read the guidance, click here.
  • Employee and Human Resource (HR) data also has a strict set of requirements. Hiring records must be kept for 1 year after the decision to make an offer.
  • Payroll and time card data must be kept for a minimum of 3 years by law.  It is recommended that they be kept for the employee’s full tenure as well as a 5 year period after the employee leaves. Health and pension benefits information must be kept for a minimum of 6 years.
  • In the US, there is no federal law governing corporate records. This includes documents such as articles of incorporation, board meeting minutes, and corporate resolutions.  However, these documents are very useful to have if you ever plan to take on investors, sell, or merge your business.

Mistake #2: Relying on a person (and not automation) to manage data backups

Too often I see businesses try to cut corners with their data backup and protection.  Many try to do it themselves, without any software or automation. Most commonly, it looks like this…

A well-meaning accountant decides the company needs to regularly backup key financial data.  She understands the importance of keeping accurate and accessible records.  She buys an external thumb drive and starts manually copying data every week.  She even buys a second drive and alternates them, keeping the previous week’s drive at her home in case of an emergency.

This might work OK for a little while if the business is very small and simple.  But, it all goes awry when any one of the following three things happen:

  1. The accountant gets sick, goes on vacation, or otherwise gets busy and forgets for a few days or weeks. This is very common.
  2. The thumb drive – which is cheap and fragile – gets lost, damaged or corrupted in transit to/from the accountant’s home.
  3. Or worse yet, the thumb drive is stored in the office and suffers from the same fire/flood/theft/disaster that it was meant to guard against.

The only foolproof way to protect business data, while not breaking the bank, is to use purpose-built data backup software.  Configure it to backup daily, if not multiple times per day, and keep at least one copy of data offsite. Ideally, in the cloud where it is accessible from anywhere.

The best part about using software? It automatically takes care of scheduling, alerts when backups complete or have errors, and saves space by copying only files that have changed since the last backup.  No more relying on accountants to do moonlight IT work!

Mistake #3: Granting employees more access than they need to do their jobs

This is actually the #1 mistake I’ve seen almost every single company make – from tiny 2 person partnerships to massive Fortune 500 conglomerates.  Across the board, employers fail to implement the security concept of “least privilege”.

The main idea is this: Assign users only the minimum level of systems access necessary for them to do their daily jobs, nothing more.  This is important regardless of whether the user is the company CEO or a part-time intern.

This protects you in two ways:

  1. It reduces the likelihood of theft and fraud (both crimes of opportunity).  By ensuring that workers do not have excess permissions, you can minimize the risk that they will be tempted to view, copy, or modify sensitive data that is beyond their job scope.  For example, you wouldn’t want your front desk clerk to have access to his boss’s compensation data.
  2. If a user’s password is lost/stolen, the potential damage a bad guy could do is less if the account does not have wide-reaching rights or admin privileges.

You may be thinking that this is great in theory, but how do you handle users whose day job is actually to BE the “Super Admin”?

The solution is simple – give them two accounts. One “normal” account for everyday tasks, and a separate “admin” account to be used when elevated privileges are needed.  This creates a clear audit trail, and ensures that high risk activities like adding new users or purging data have an added layer of control.

Mistake #4: Leaving open virtual “backdoors” when employees leave

High employee turnover or extensive use of freelancers or contract staff can be a common source of data leakage. Unless you establish clear exit procedures that include the revoking of ALL user accounts, you may be letting data walk out the door. Remember to disable their email, chat, and conferencing accounts, as well as any software subscriptions like Dropbox or Sharepoint.

Similarly, you must also ensure that all company computers and devices are returned.  If personal devices were used, ensure all company data was either returned or wiped and destroyed. It’s not uncommon for an employer to require their employees to attest to data destruction as part of the exit process.

This step to reclaim data and lock down future access is very important because it prevents two types of potential data loss:

  1. Data theft / misuse – where the former worker uses confidential information for personal gain or shares it with their new employer.
  2. Access by unauthorized individuals – where bad guys steal the usernames and passwords of former employees and break into systems using these unmonitored accounts.

In today’s complex technology environment, data protection can be a legal, operational, and logistical nightmare – but it doesn’t have to be. Keep these mistakes top of mind and you will sleep easier tonight.

Want help keeping your business systems safe and secure? Contact our data protection experts for a free, no obligation consultation to get you started on the right track.

Photo by Andrea Piacquadio from Pexels

Click to Download Ultimate Ransomware Battle Guide