The term data security broadly refers to the defensive measures put in place to prevent unauthorized access to computers, databases, websites, and any other place data may be stored. Data security is typically applied to systems that protect personally identifiable information (PII). Examples of more sensitive PII include social security numbers, driver’s license numbers, full names, passport numbers, and bank account numbers. Every day, cybercriminals attempt to attack organizations of all sizes, and PII is often the primary target. A “successful” attack could cripple an organization, and in the worst cases the organization never makes a full recovery.
There are numerous relatively simple yet effective practices any organization can implement to secure its sensitive data and significantly reduce the risk of a breach.
The following list includes only a few of these practices:
- Establish a data security policy – A clear, written policy which all employees must follow is the best practice. The policy should contain enough detail to provide guidance in situations employees will encounter. The policy should also be easily accessible to employees and reviewed by employees on at least an annual basis.
- Provide mandatory yearly security awareness training – In today’s ever-changing online landscape, cybercriminals are continuously developing new methods of attack. Understanding the methods cybercriminals use is key to prevention.
- Restrict physical access – One easy way to restrict access is to require a unique password to log onto each computer and for every application. Several password management programs generate long, complex passwords that are extremely difficult to crack. Along the same lines, any hard copies of documents containing PII should be locked up when not in use.
- Implement multi-factor authentication – Multi-factor authentication adds at least one additional layer of verification before access to a computer, application, or system is granted. A common example of multi-factor authentication (in this case, two-factor authentication) is withdrawing money from an ATM: to make a withdrawal, an individual needs both a bank card and a PIN.
- Monitor network activity – Monitoring adherence to your organization’s data security policy is also vital, since the policy is only useful as long as it is strictly followed. Monitoring should be a continuous process rather than something done at set points in time, and any corrective action that is required should be taken immediately.
While it may be impossible to eliminate the risk of a data breach entirely, there are likely additional steps your organization can take to mitigate the risk significantly. However, because of budget constraints and other limiting factors many nonprofit organizations face, the optimum security environment may never be fully achievable. It remains essential to weigh the cost of each additional security measure against its benefit and make decisions accordingly. The AICPA has a Cybersecurity Resource Center that provides useful insights and tools related to this topic.
At TDT, we realize data security may be an intimidating area. Please look for future articles on data security-related topics, and feel free to reach out with any questions. The best time to implement additional data security measures is now.
Chad McCarty, CPA, Senior Assurance Associate at TDT CPAs and Advisors, discusses data security practices. With three years of experience, Chad specializes in audits of nonprofits, small businesses, and employee benefit plans. Chad is a member of the American Institute of Certified Public Accountants and the Iowa Society of CPAs and serves clients across all nine TDT office locations.