Most organizations have a limited amount of money and people resources to dedicate to information security and data protection. Before you spend a dollar of your organization’s money on security tools or products, make sure it is going to address the areas that present the highest risk to the company. That approach ensures that all security spend is justifiable and appropriate.

The following tips for companies to reduce the risk of data theft and keep IT systems and sensitive information protected from compromise:

    1. First, companies should determine WHAT sensitive data they have. To do this, take the time to identify and catalogue sensitive data within your organization. Once you have a list of the types of sensitive data and where it is stored, processed, and transmitted within the company, you can determine the threats to that data and make sure you have the controls and protections in place to help secure it.
    2. Once organizations have identified what data to protect, they need to determine HOW susceptible it is to compromise. A penetration test can help you determine the technical vulnerability of your IT environment (and sensitive data) to compromise. This type of test helps to validate the security measures that a company may already have in place and to identify the remaining holes that could lead to data compromise.
    3. Make sure that company personnel understand their responsibility to protect sensitive information. Many compromises occur because a well-meaning employee sends sensitive data via unencrypted e-mail or clicks on a link in a phishing scam.Take a few minutes this month to send a companywide e-mail to remind employees to be vigilant when receiving unexpected messages and inquiries and to be aware of the company’s policies regarding the handling of sensitive data when their job duties require them to store, process, or transmit such information. Also, be sure that your company’s internal training includes a module on protecting sensitive data and complying with security policies. Once training has occurred, companies should periodically evaluate the effectiveness of the training by performing “social engineering tests” to assess the awareness and vigilance of personnel, and adjust training programs based on the results of the tests.

The LBMC Information Security team can help you assess your risks and ensure that your security efforts produce the greatest benefit and have the most effective impact.