No matter how businesses use their customer data, they are responsible for protecting it under the Privacy Act 1988 (Privacy Act). Furthermore, if an Australian business has European customers, it is also required to protect personally identifiable information (PII) under the General Data Protection Regulation (GDPR).
M-Files director of security and compliance Saara Hasu-Varttila said, “Businesses of all sizes have adopted data loss prevention (DLP) best practices and strategies to minimise risk. However, those with a DLP strategy should understand that it isn’t a surefire way to stop data loss. Instead, organisations should consider implementing a document management solution that classifies and separates customer data from business-critical data so it can be appropriately managed to maximise protection.”
As data breaches involving PII and private data gain momentum, businesses must consider implementing the following five best practices:
1. Discover and classify PII
Data discovery and classification are often-overlooked components of an organisation’s DLP strategy. As the name suggests, data discovery tools scan applications, networks, and endpoints for PII, which is then classified into sub-groups by tagging the data. This approach makes it easier to track data and ensures businesses have complete visibility into PII across their entire environment.
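A minimal illustration of the discovery-and-classification step described above, added here as an example and not taken from M-Files or its products. It scans a set of constructed sample documents for PII patterns, validates Australian tax file number (TFN) candidates with the published weighted-checksum rule so that arbitrary nine-digit numbers are not mis-tagged, and tags each document with the PII sub-groups it contains; the tag names and regexes are assumptions chosen for the example.

```python
import re

# Constructed sample documents (not real data) representing files found on an endpoint.
SAMPLE_DOCS = {
    "invoice-0042.txt": "Bill to: jane.doe@example.com, ref 123456782",
    "readme.txt": "Build with make; version 2.0.1 released 2023-01-01.",
    "contractor.txt": "Contact: +61 2 9999 0000, TFN 123456783",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+61 ?\d[\d ]{7,9}\d")          # Australian international format (assumed)
TFN_RE = re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b")         # nine digits, optionally grouped in threes
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)              # ATO weighting; weighted sum must be divisible by 11


def tfn_checksum_ok(candidate: str) -> bool:
    """Return True only if the digits form a checksum-valid TFN (filters out plain reference numbers)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(w * d for w, d in zip(TFN_WEIGHTS, digits)) % 11 == 0


def classify(text: str) -> set[str]:
    """Tag a single document with the PII sub-groups found in it (tag names are assumed)."""
    tags: set[str] = set()
    if EMAIL_RE.search(text):
        tags.add("pii:contact:email")
    if PHONE_RE.search(text):
        tags.add("pii:contact:phone")
    if any(tfn_checksum_ok(m.group()) for m in TFN_RE.finditer(text)):
        tags.add("pii:government-id:tfn")
    return tags


def discover(docs: dict[str, str]) -> dict[str, set[str]]:
    """Run discovery over every document and return the document-to-tags inventory."""
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, tags in discover(SAMPLE_DOCS).items():
        print(f"{name}: {sorted(tags) or 'no PII found'}")
```

The resulting inventory is what gives a business visibility into where PII lives; the checksum step shows why classification should validate candidates rather than tag on pattern shape alone.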
2. Only collect and store what’s necessary
Another way to protect PII is to collect as little customer information as possible and keep only what is necessary. Companies must also take reasonable steps to destroy or de-identify the data they hold once it is no longer needed for its primary purpose, for example outdated employee records, lapsed customer records, and PII found on unused devices.
3. Enforce a least-privilege policy
The principle of least privilege (POLP) enhances the security of an application, network, or technology environment. Implementing the least-privilege model limits users' access rights to only what is needed to perform the required task. With narrowly defined access permissions, there is less exposure to an attack or to user error.
4. Avoid data silos
Data silos may seem harmless, but they’re essentially magnets for cybercriminals and can lead to significant data vulnerabilities. When data is stored in different places, businesses can lose track of where their data is and may not even realise they’ve had a data breach. By eliminating data silos, organisations can use data more effectively and better comply with data privacy regulations.
5. Leverage real-time monitoring
Real-time monitoring is more than just a routine exercise. With a smart document management platform, companies can take advantage of automated background services that increase data security by constantly checking for new files and information. Such services can also flag suspicious activity across the entire environment that may indicate an insider threat.
Data breaches are reaching an all-time high and affecting businesses of all sizes. Recent high-profile data breaches on leading insurance and telecommunications providers are prime examples of just how exposed customer information is and the damaging effects that occur when it falls into the wrong hands.
Saara Hasu-Varttila said, “It’s imperative for organisations to review current personal information handling practices and ensure they have a robust data breach response plan. And, while not all businesses are required to comply with Australian or European privacy laws, they must appropriately collect, handle, and store the PII and private data they hold to cultivate customer trust and minimise the risk against external threats. With the right document management solution, organisations can proactively discover and classify PII, gaining insight into the data they hold and the steps they need to take to manage and protect it effectively.”