Top 20 Tips to Help You Prevent Data Theft
Keep your company’s sensitive data safe from thieves, your reputation intact, and your money in the bank.
If you have an extra $4.35 million to spare, you don’t need to worry about preventing data theft. That’s the average cost of a data breach in 2022, according to IBM’s latest Cost of a Data Breach Report. It’s the highest figure the report has ever recorded, up more than 12 per cent over the previous two years.
If, on the other hand, you’d like your company to keep its hard-earned cash, you’ll need to implement policies and procedures to prevent data theft, a particularly damaging type of employee fraud.
Because, as the saying goes, there are two kinds of companies: those who’ve suffered a data breach and those who don’t know it yet. In fact, 83 per cent of companies have had more than one data breach, according to the report. But many companies simply don’t know how to prevent data theft.
So, how is data theft prevented? How do you safeguard data in the workplace? In this guide, we provide 20 actionable tips you can implement to keep your company’s data safe.
Table of Contents
- Get Rid of Paper
- Prioritize Data
- Restrict Access
- Enforce Controls
- Use Strong Passwords
- Install a Firewall
- Secure Your Network
- Use Encryption
- Use a Proxy
- Activate 2FA
- Restrict Movement of Information
- Take Extra Steps for Sensitive Data
- Use Software
- Strengthen Employee Passwords
- Have a Clean Desk Policy
- Guard Against Social Engineering
- Beware of Personal Devices
- Implement Social Media Policies
- Prepare for Mistakes
- Treat Employees Right
1. Get Rid of Paper
If you have to keep paper files, shred them as soon as they are no longer needed. Keeping them around increases the risk that bad actors will see them.
John Rowan of Advantage Business Equipment lists nine things businesses should shred, including:
- Any mail with a name and address printed on it
- Luggage tags
- Trip itineraries
- Extra boarding passes
- Credit offers
- Price lists
- Vendor payment stubs and paid invoices
- Cancelled checks
All of these papers carry personal or company information that fraudsters could use to steal an employee’s identity and then make fraudulent use of company or personal credit cards and bank accounts.
2. Prioritize Data
Next, you’ll need to assess your data protection protocols and prioritize them.
“Have an audit or assessment on your data,” says Greg Kelley, EnCE, DFCP, of Vestige Digital Investigations. “Hire an outside expert to assess what data you have, how you are protecting it (not how you think you are protecting it), and where that data is going. While you may think it is an unnecessary cost, if you report to clients and potential clients that you have had an outside data assessment, you may find it puts you at an advantage over your competitors.”
The data that your organization considers high-priority for protection might not be the same as a company in a different industry, or even a competitor. “Every company is different,” Kelley explains. “They have different regulations, different types of data, different needs for that data, and a different company culture.”
3. Restrict Access
One of the easiest ways to keep information secure is to restrict access to your most sensitive data.
“Not everyone in the company needs access to everything,” Kelley explains. “Does the project manager need pricing information? Does the sales person need operations information? By restricting what data each person has access to, you limit your exposure when an employee decides what they want to steal or when the employee’s account is compromised by an outsider.”
Not only does restricting access protect your data from fraud and theft, but it also ensures privacy of personal information that could lead to discrimination, harassment, or corruption if it fell into the wrong hands.
4. Enforce Controls
Next, enforce your company’s data privacy controls both internally (with employees) and externally (with vendors, contractors, and clients).
Hold third parties your company engages to the same strict data privacy controls you implement in your own organization. Audit them periodically to ensure compliance with your security standards. IBM’s report found that 19 per cent of breaches occur because of a partner’s compromise, so these steps can’t be missed.
If a vendor that processes your data experiences a breach, your customers and clients are affected, even if your company did everything right. This reflects poorly on you and could even lead to lawsuits or non-compliance fines.
5. Use Strong Passwords
Make it difficult for outsiders to get into company and employee devices if they are lost or stolen by protecting them with strong passwords. Pair this with full-disk encryption (tip 8): a login password alone does not protect a drive that is pulled out of a laptop and read on another machine.
Password managers like 1Password or LogMeOnce help keep long passwords organized without writing them on paper and offer other ways for employees to authenticate before logging into sensitive accounts or profiles.
In addition, enable remote wipe on all company-owned devices. That way, if you know a device is lost or stolen, you reduce the risk that the person who finds/steals it can access your data.
6. Install a Firewall
Even small companies with few employees have valuable data that needs to be protected. Ensure you have a firewall in place to keep outsiders from accessing your company network.
If a large portion (or all) of your staff works remotely, firewalls are especially important. You never know what network or device they’re using to access your company’s files, so a VPN and/or device-based firewalls are essential for securing your data.
7. Secure Your Network
Don’t let neighbors or passers-by hop onto your company’s wireless network. You’re just inviting trouble.
Protect it with WPA2 or WPA3 encryption and a long, unique passphrase, and keep guest and personal devices on a separate network (see tip 17). Hiding the network name (SSID) adds little on its own, since a hidden network is still visible to anyone running a wireless scanner, so rely on the encryption and passphrase rather than on obscurity. The fewer people who can get onto the network, the lower your risk of data theft and malware.
8. Use Encryption
Ensure all sensitive information in transit, whether emailed or transferred between systems, is encrypted: TLS for connections, and end-to-end encryption where the message itself must carry the data. Enable full-disk encryption on all company laptops, mobile devices, and removable media, using the platform’s built-in tools (such as BitLocker on Windows, FileVault on macOS, or LUKS on Linux), and escrow the recovery keys somewhere the company, not just the employee, can reach them.
If you’re ever unsure as to whether something should be encrypted, err on the side of caution. It’s better to slightly inconvenience someone by adding a few seconds to the process of opening a file than it is to deal with the fallout of a data breach.
9. Use a Proxy
“That free internet at the airport or the cafe is actually shared with dozens or hundreds or other users who might be sniffing your traffic,” says Roberto Arias Alegria, IT Security Consultant at Metaluxo IT Security.
“Since encrypted connections (SSL) are far from universal, an easy-to-use proxy service can save you from prying eyes (e.g. Zenmate, or TunnelBear).”
This security step is especially important for employees who are:
- Working from public WiFi networks
- Traveling for work
- Sharing a network with multiple people (i.e. spouse and children)
10. Activate 2FA
2FA stands for two-factor authentication, the most common form of multi-factor authentication (MFA). It adds a step to the login process when employees attempt to access a company profile, account, or files: usually a time-sensitive passcode that the employee receives by email or text, or reads from an authenticator app. Not all second factors are equal. Codes sent by SMS or email can be intercepted or phished, an authenticator app is stronger, and hardware security keys (FIDO2/WebAuthn) are strongest, because the key only answers for the genuine site and a fake login page cannot relay its response.
“No matter how secure is your password, there’s more than one way to get it. Consider using 2FA whenever you can. Google, Yahoo, Twitter, and many popular services already have support for 2FA,” says Arias.
11. Restrict Movement of Information
“Do not permit the transfer of personal information (names, Social Security numbers, Medicare numbers, employee or medical data, etc.) to a portable medium, like a laptop or mobile device. This data should be processed in-house, not on an airplane or a commuter train or at home,” says Robert Ellis Smith, Publisher, Privacy Journal.
While it’s important to be careful how and over what network you transfer any of your organization’s data, take special care with personally identifiable information (PII) that could compromise the privacy of your employees, clients, or customers.
12. Take Extra Steps for Sensitive Data
While not being careless with PII is helpful, you also need to proactively take extra measures to prevent data theft when dealing with these sensitive pieces of information.
“Truncate Social Security numbers, or remove them from the data base and store them elsewhere apart from the original data file, with a means to link the two later if necessary. Regularly remove sensitive personal data from online databases or ‘the cloud’ and process it off-line,” says Smith.
The harder it is for thieves to find and access sensitive data, the better.
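Smith’s advice above, storing Social Security numbers apart from the working record with a way to link them back when genuinely needed, is usually implemented as tokenization. The following is an added example (not from the article or from Smith) of that pattern in Python: the SSN is swapped for a random token and a last-four mask, the full number lives only in a separate vault, and only a narrowly authorized role can re-link the two. The vault class, the role name "payroll-admin", and the sample employee record are all constructed for this example.

```python
"""Added example: tokenizing SSNs out of the working record into a separate vault."""
import re
import secrets
from typing import Dict

# Well-formed SSN: no 000/666/9xx area number, no 00 group, no 0000 serial
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


class SsnVault:
    """Stand-in (hypothetical) for a separately protected store; in practice an
    isolated database or HSM-backed service with its own access control and
    audit log. Maps random tokens to SSNs; the working record never holds the SSN."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not a well-formed SSN")
        # A random token carries no information about the SSN. A plain hash
        # would not do: there are only 10**9 possible SSNs, so a hash table
        # of all of them is trivial to build.
        token = secrets.token_urlsafe(16)
        self._store[token] = ssn
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Re-linking is the sensitive operation, so it is restricted to one
        # narrow role (the role name is an assumption of this example).
        if caller_role != "payroll-admin":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def mask_ssn(ssn: str) -> str:
    """Truncated form safe to display: only the last four digits survive."""
    return "***-**-" + ssn[-4:]


def scrub_record(record: dict, vault: SsnVault) -> dict:
    """Return a copy of the record with the SSN replaced by a token plus mask."""
    out = dict(record)
    ssn = out.pop("ssn")
    out["ssn_token"] = vault.tokenize(ssn)
    out["ssn_last4"] = mask_ssn(ssn)
    return out


def contains_raw_ssn(record: dict) -> bool:
    """Gate to run before a record is allowed into the general database or the cloud."""
    return any(isinstance(v, str) and SSN_RE.match(v) for v in record.values())


# Constructed sample record (fictitious employee)
SAMPLE = {"employee_id": 1042, "name": "A. Example", "ssn": "123-45-6789"}

if __name__ == "__main__":
    vault = SsnVault()
    safe = scrub_record(SAMPLE, vault)
    print("record that may leave the vault:", safe)
    print("re-linked by payroll:", vault.detokenize(safe["ssn_token"], "payroll-admin"))
```

The scrubbed record can be replicated, backed up, and sent to the cloud freely, because a thief who steals it gets only a random string and four digits; the vault is the one system that still needs the strictest handling, and it is small enough to keep off-line or tightly firewalled, which is the point Smith is making.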
13. Use Software
Regardless of your company’s size or industry, you should be running anti-malware on every machine: anti-virus and anti-spyware at a minimum, or a modern endpoint detection and response (EDR) agent. These tools identify and contain threats you would probably never have found on your own.
Update all software on your company’s network whenever updates become available. This includes security software, browsers, and operating systems. Be wary of unvetted “free security software” pushed through pop-ups or search ads: some of it is “scareware” that fools employees into installing malware or paying for nothing. Install security tools only from vendors you have verified.
14. Strengthen Employee Passwords
“More than 70 per cent of breaches are due to weak passwords or poor password management,” says Darren Guccione, CEO and co-founder of Keeper Security, Inc.
Make sure your employees use passwords that are at least eight characters long (twelve or more is a better floor) and combine uppercase and lowercase letters, numerals, and symbols. Even better, encourage them to use “passphrases,” which are entire phrases or sentences, making them harder to guess (for example, “iLOVE2eatPi3”). Current guidance from NIST (SP 800-63B) puts more weight on length and on screening new passwords against lists of known breached passwords than on forced character mixes, because people satisfy composition rules in predictable ways.
Consider building good password hygiene into your acceptable use or other online-related policy. Or, have your IT department help employees set up password managers like the ones listed in tip number five.
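As an added example (not from the article or from Guccione), here is a small password-policy check in Python that enforces a length floor, rejects passwords containing the username, and screens against a breached-password list the way the Pwned Passwords range API works: only the first five hex characters of the SHA-1 hash would be sent to the service, and the comparison happens locally. The breached list here is a constructed stand-in built at load time so the example runs offline; the twelve-character minimum is this example’s choice.

```python
"""Added example: password policy check with a k-anonymity breach lookup."""
import hashlib
from typing import Dict, List, Set

MIN_LENGTH = 12  # length matters more than forced character classes

# Constructed stand-in for a breached-password corpus. A real check would query
# a service such as Have I Been Pwned's Pwned Passwords range API with the first
# five hex characters of the SHA-1 hash, so the full hash never leaves your
# network; here the "range responses" are built locally from this list.
_CONSTRUCTED_BREACHED = ["password", "password123", "Welcome1", "qwerty123", "letmein"]


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# prefix (5 hex chars) -> set of 35-char suffixes, mirroring the range API format
_RANGES: Dict[str, Set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_hex(_pw)
    _RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """k-anonymity lookup: only the hash prefix selects the range; the suffix
    comparison happens on our side, so the password itself is never disclosed."""
    h = _sha1_hex(password)
    return h[5:] in _RANGES.get(h[:5], set())


def check_password(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "Winter2024!", "iLOVE2eatPi3", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'jsmith') or 'ok'}")
```

Run this at the point where a password is set or changed, not at every login, and reject rather than merely warn: a password already in a breach corpus is the first thing an attacker’s credential-stuffing tool will try.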
15. Have a Clean Desk Policy
Implement and enforce a policy prohibiting employees from keeping working papers, passwords, or any sensitive documents in view while they are away from their desks. Also require them to password-lock their computer every time they step away.
Each workstation should also have a lockable drawer for employees to secure their sensitive information and devices like laptops, tablets, or cell phones.
16. Guard Against Social Engineering
One of the most common ways bad actors gain access to data is by tricking your employees. They might send an email that looks like it’s from your HR department that contains a suspicious link. Or, they could create a copy of a webpage your employees access often (such as a file sharing login page) with a slightly different URL, where they then grab account information.
Teach employees to recognize and report attempts by outsiders to gain information. Train them on the various techniques used by fraudsters, such as “phishing” and “smishing.” Finally, emphasize that they should never open attachments or download anything from an unknown source.
17. Beware of Personal Devices
“Make sure that you have policies and technology to address the risk of people bringing personal devices to work,” says Joseph Steinberg, CEO of SecureMySocial.
“All access to the Internet from such devices (or from devices brought by visitors to your office) should be done via a separate network than is used for company computers. Many routers come equipped with such a capability. Personal devices can be infected with malware that can steal data if the devices are connected to corporate networks.”
Even if your employees or visitors don’t intentionally poison your company’s network, they could accidentally infect it with a virus or malware. To be safe, conduct business on one network and have a separate network for personal use.
18. Implement Social Media Policies
“Create, and enforce with technology, appropriate social media policies. Don’t pretend that policies alone will ensure that employees don’t make inappropriate social media posts—you need technology to help with this task as people make mistakes—and they can be costly to your business,” says Steinberg. “Many breaches start with criminals crafting spear phishing emails based on overshared information on social media.”
In your policy, require employees to follow posting guidelines and/or privacy settings. For starters, they should never share company data online and should limit posting information that a cybercriminal could use in a phishing attempt, such as details about business travel or projects.
19. Prepare for Mistakes
“Employees are humans, and humans make mistakes,” says Quinn Kuzmich, adjunct professor of software security and computer forensics at Colorado Technical University, founding partner at NagaSec Information Security, and a Senior IT Security Analyst for Skillsoft.
“Mistakes leave your system vulnerable. And when it comes to data security, these mistakes happen all the time. Data gets saved in the wrong folders, which weren’t configured in the right way–this means the wrong people have access to the data. If you forget this important rule, the wrong people will remind you.”
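The mistake Kuzmich describes, a sensitive file saved into a folder whose permissions let the wrong people read or change it, is one you can go looking for before anyone else does. Here is an added example (not from the article or from Kuzmich) of a Python audit that walks a directory tree and reports every file or folder that is writable by its group or by everyone, and every file readable by everyone. It builds its own small sample tree in a temporary directory, with one properly locked HR file and one misplaced copy, so it can be run as-is; the folder names and file contents are constructed, and the policy thresholds are this example’s choice.

```python
"""Added example: find files and folders with permissions that let the wrong people in."""
import os
import stat
import tempfile
from typing import List, Tuple

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
OTHER_READ = stat.S_IROTH


def audit_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, octal mode, problem) for each entry that is
    writable by its group or by everyone, or (for regular files) readable by
    everyone. Symbolic links are skipped rather than followed, so a link
    pointing outside the tree cannot drag the audit elsewhere."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OR_OTHER_WRITE:
                findings.append((path, oct(mode), "writable by group/others"))
            elif stat.S_ISREG(st.st_mode) and mode & OTHER_READ:
                findings.append((path, oct(mode), "readable by everyone"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample: an HR folder locked to its owner, and a shared folder
    where someone saved a copy of the same file with world-writable permissions."""
    root = tempfile.mkdtemp(prefix="audit-")
    hr = os.path.join(root, "hr")
    os.mkdir(hr)
    os.chmod(hr, 0o700)
    locked = os.path.join(hr, "salaries.csv")
    with open(locked, "w") as f:
        f.write("name,salary\nconstructed,0\n")
    os.chmod(locked, 0o600)

    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o750)
    leaked = os.path.join(shared, "salaries-copy.csv")
    with open(leaked, "w") as f:
        f.write("name,salary\nconstructed,0\n")
    os.chmod(leaked, 0o666)  # the mistake the audit should catch
    return root


if __name__ == "__main__":
    for path, mode, problem in audit_tree(build_sample_tree()):
        print(f"{mode} {problem}: {path}")
```

The check is POSIX-mode based; on Windows file servers the equivalent question is asked of the ACL (who holds Modify or Full Control on a share), and on cloud storage of the bucket or folder sharing settings. Whatever the platform, schedule the audit and review the findings, because the folder that was configured correctly last quarter is not necessarily configured correctly today.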
20. Treat Employees Right
A disgruntled employee can be the most dangerous vulnerability in your company’s data protection program. When employees feel mistreated, they might steal data to get revenge on your company. Or, if they feel they’re underpaid, they could commit this type of fraud to get what they feel they deserve.
Treat your employees with respect and kindness, and promote an overall ethical and transparent culture. It might just save you from a data breach that costs thousands of dollars and months of clean-up time.
How Case IQ Can Help
If you’re still simply reacting to employee misconduct, you’re putting your organization, your other employees, and your reputation at risk.
With Case IQ’s powerful case management software you can increase oversight, track and manage investigations, and report on results for better risk management and prevention.
Case IQ’s award-winning reporting tool highlights trends and hot spots in investigation data, helping you identify your areas of risk. Use this insight to focus preventive measures and improve your program.
Learn more about how Case IQ can improve your organization’s investigations.