Ask the Expert

Small companies can protect customer data just as well as the big guys. All they have to do is follow these privacy and data security practices from Brian McGinley, CyberScout’s senior vice president of data risk management.

Thursday, April 07, 2011
Q: I’m a small business owner. How can I protect sensitive or customer data without breaking the bank? I don’t have the same resources as a large corporation, but I want to follow the highest security standards.

A: You don’t have to be a Fortune 500 company to follow an approach to data security called Privacy by Design (PbD).

Simply put, PbD is an intelligent and logical way to assess your operation and build a program around the fundamentals of privacy and data security. It doesn’t have to be complicated. It starts by taking a hard look at the data life cycle in your company—how that data is:

  • Received
  • Used
  • Stored
  • Retrieved
  • Disposed
The key is to overlay each process with the best possible privacy and security practices. Privacy must be built in or designed into your company’s data stream. At each step of the data life cycle, you need to ask, “How can I best protect this data?” Do you use SSL to transmit data when a customer signs in to your website? Does it enter your system encrypted? Do you keep it encrypted in storage?
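As an added illustration (this is not part of Brian McGinley’s answer or any CyberScout material), the Go program below walks one constructed customer record through the received, stored, retrieved and disposed stages of the life cycle described above. Data is encrypted with AES-GCM the moment it is received, only ciphertext is ever stored, decryption happens at the point of use and fails closed if a stored row has been altered or moved to another customer, and disposal destroys the key so lingering copies of the ciphertext become unreadable. The `Vault` type is a stand-in for a real key-management service and the record contents are made up; both are assumptions of this example, not something the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed sample customer record; the fields are illustrative.
type Record struct {
	Customer string `json:"customer"`
	Email    string `json:"email"`
}

// Store models the "stored" stage: it only ever holds ciphertext, keyed by record id.
type Store map[string][]byte

// Vault stands in for a key-management service (an assumption of this example);
// in a real system the key would live in a KMS or HSM, never beside the data.
type Vault struct{ key []byte }

func NewVault() (*Vault, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Vault{key: key}, nil
}

var errDisposed = errors.New("key has been disposed; records are unrecoverable")

func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, errDisposed
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random nonce. The record id is bound as
// associated data, so a blob cannot be silently moved to another customer's row.
func (v *Vault) Seal(id string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(id)), nil // nonce || ciphertext || tag
}

// Open authenticates and decrypts a blob produced by Seal for the same id.
func (v *Vault) Open(id string, blob []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(id))
}

// Dispose zeroes and drops the key: every record sealed under it becomes
// unreadable even if ciphertext lingers in a backup (crypto-shredding).
func (v *Vault) Dispose() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

// Receive: data enters the system and is encrypted before it is written anywhere.
func Receive(s Store, v *Vault, id string, r Record) error {
	plain, err := json.Marshal(r)
	if err != nil {
		return err
	}
	blob, err := v.Seal(id, plain)
	if err != nil {
		return err
	}
	s[id] = blob
	return nil
}

// Retrieve: decrypt only at the point of use, failing closed on any tampering.
func Retrieve(s Store, v *Vault, id string) (Record, error) {
	var r Record
	blob, ok := s[id]
	if !ok {
		return r, fmt.Errorf("no record %q", id)
	}
	plain, err := v.Open(id, blob)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(plain, &r)
}

func main() {
	v, _ := NewVault()
	s := Store{}
	_ = Receive(s, v, "cust-1", Record{Customer: "Ada Lovelace", Email: "ada@example.com"})
	r, err := Retrieve(s, v, "cust-1")
	fmt.Println("retrieved:", r, err)
	s["cust-1"][len(s["cust-1"])-1] ^= 0x01 // simulate a corrupted or tampered row
	_, err = Retrieve(s, v, "cust-1")
	fmt.Println("after tamper:", err)
	v.Dispose()
	_, err = Retrieve(s, v, "cust-1")
	fmt.Println("after dispose:", err)
}
```

The design choice worth noting is that the key, not the data, is what gets disposed: deleting rows from a database does nothing about the copies already sitting in backups and logs, whereas destroying the only key that can open them covers every copy at once. Binding the record id as associated data is the cheap way to catch a stored row being swapped or replayed into another customer’s slot.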

Most businesses don’t take advantage of available tools that would help them protect data. For example, the Microsoft Office suite offers file encryption. There are built-in options in Microsoft’s and Apple’s operating systems. Excellent third-party encryption software such as PGP is also out there.

Whatever platform you use, be deliberate when dealing with data. PbD is a mind-set beyond the nuts-and-bolts lockdown of your data stream. It doesn’t matter how big or small your business is. If you handle sensitive or customer data, you need to be aware of all the risks and their corresponding security options. You need to make sure that the folks who work with you also understand the risks and are deliberate in their approach. As a company leader, you have to model strong privacy-focused behavior.

My experience is that most business leaders want to do the right thing. But unless they’re shown what the right thing is, and unless they see it clearly, they just don’t know better. You can never assume they’ve bought into a security-focused, privacy-focused mind-set unless you tell them about it and reinforce it. Privacy by Design is no different, whether you’re a Fortune 500 company or a fresh startup.

Brian McGinley, CyberScout’s senior vice president of data risk management, has nearly 30 years of experience in risk management, security, loss management and compliance within financial institutions.

© CyberScout, LLC. All Rights Reserved.