1. Identify WHAT sensitive data you have within your company.
Take the time to identify and catalogue sensitive data within your company. Once you have a list of the types of sensitive data and where it is stored, processed, and transmitted within the company, you can determine the threats to that data and make sure you have the controls and protections in place to help secure it.
2. Determine HOW susceptible your sensitive data is to compromise.
A penetration test can help you determine the technical vulnerability of your IT environment (and sensitive data) to compromise. This type of test helps to validate the security measures that a company may already have in place and to identify the remaining holes that could lead to data compromise.
3. Ensure company personnel understands their responsibility to protect sensitive information.
Many compromises occur because a well-meaning employee sends sensitive data via unencrypted e-mail or clicks on a link in a phishing scam. Take a few minutes this month to send a company-wide e-mail to remind employees to be vigilant when receiving unexpected messages and inquiries. Employees must be aware of the company’s policies regarding the handling of sensitive data when their job duties require them to store, process, or transmit such information. Learn more about how you can defend against social engineering.
Also, be sure that your company’s internal training includes a module on protecting sensitive data and complying with security policies. Once training has occurred, companies should periodically evaluate the effectiveness of the training by performing “social engineering tests” to assess the awareness and vigilance of personnel, and adjust training programs based on the results of the tests.
4. Address the areas that present the highest risk to the company first.
Most organizations have a limited amount of money and people resources to dedicate to information security and data protection. Before you spend a dollar of your organization’s money on security tools or products, make sure it is going to address the areas that present the highest risk to the company. That approach ensures that all money spent on security is justifiable and appropriate.