Is Your Data Toxic?

Data is one of the transformational characteristics of the internet age.  Compared to just 10 years ago (let alone to 20+ years ago!), data is cheap and easy to gather.  It is the lifeblood of many businesses, from the largest technology companies to the smallest service firms.  Here are a few examples of how companies are using data to transform their services:

  • Retail businesses capture data about their sales to determine which products to stock and in what quantities, where to place them in the store, and how to price them. Leading companies are able to do this continually and can even automate their ordering based on their actual sales volume.
  • Doctors and medical researchers use data, including information about medicines, treatments, and the patient’s own DNA to provide personalized treatments to their patients.
  • Insurance companies offer their customers discounts for putting motion trackers in their vehicles.  These trackers collect data about speed, distance, and acceleration to help the insurance company more accurately predict the likelihood that you will get into a crash, so they can give you a more customized price for your auto insurance.
  • Local governments frequently use license plate readers to identify the vehicles passing through an intersection or under a bridge.  This data can help local police respond more effectively to AMBER Alerts or help authorities customize the timing of red and green lights to optimize traffic flow.
  • And so many more!

If data is so great, what is the downside?

Although data can be incredibly powerful, it can also be dangerous.  Some of the data you collect may be sensitive — credit cards, health records, financial transactions, trade secrets, etc.  Businesses have a responsibility to protect that data, both for the good of the business and to protect their customers and business partners.

Having too much data can also create real inefficiencies in your business.  For example, you may have so many documents that you are unable to find the right one.  You also have to pay to store and back up all of your data, whether the data is useful or not.

If your company is the victim of a security breach, any data that you possess could be made public or used by your competitors or rivals.  This could be very costly for your business — you could face legal, regulatory, financial, and reputational consequences.  The more data you have, the greater the consequences you could face resulting from a breach.

What can businesses do to minimize the risk?

There are numerous controls that we can put in place to protect our sensitive data, including encryption, two-factor authentication, role-based access control, and more.  However, there is another control that many businesses forget about — just delete it.

This is not to suggest that you just start deleting data without further thought — you need a plan.  Many leading companies have data retention and destruction plans to help protect them.  You can create a data retention plan for your business.  Here’s how:

  1. Make an inventory of the types of data you have.  Examples include engineering designs, product plans, employee records, and accounting data.
  2. Determine what business purpose the data serves (e.g., to forecast sales, to pay employees, to meet a regulatory requirement, etc.).  Data that serves little or no business purpose is a candidate for deletion.
  3. Estimate how long the data will still be valuable (e.g., historical sales data may lose most of its value after several years, the law may require that you keep accounting data for a specific period of time, etc.).  Data that is no longer valuable (and is not required for legal or regulatory purposes) is a candidate for deletion.
  4. Review the list of data you think you can delete with your financial and legal advisors.
  5. Draft a data retention policy.  This is a simple document that describes the types of data your business maintains, how long it must maintain the data, and the frequency of deletion.
  6. Pick a method for deleting unnecessary data that supports your data retention policy.  For example, you could do it manually once every quarter, or you could acquire a tool that will automatically delete aged data on a recurring schedule.
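
As an added illustration of step 6 (not code from the original article), the following Python sketch shows what an automated sweep driven by a retention policy could look like. The folder names, retention periods, and the use of file modification time as the age of the data are all assumptions made for the example; it defaults to a dry run and never touches data types that are on legal hold or missing from the policy.

```python
import os
import time
from pathlib import Path

DAY = 86400  # seconds

# Constructed policy (step 5): top-level folder name -> days to retain.
# Periods are illustrative assumptions; real ones come from the step 4 review.
POLICY = {
    "sales_history": 3 * 365,
    "accounting": 7 * 365,
    "marketing_drafts": 180,
}

# Data types frozen by legal or financial advisors; never swept.
LEGAL_HOLD = {"accounting"}


def sweep(root, policy=POLICY, legal_hold=LEGAL_HOLD, now=None, dry_run=True):
    """Return (expired, unclassified) under root; delete expired if not dry_run.

    Each top-level folder of root is treated as one data type from the
    inventory (step 1). Folders absent from the policy are reported, not
    deleted, so data nobody has classified yet is never removed by default.
    """
    now = time.time() if now is None else now
    expired, unclassified = [], []
    for folder in sorted(Path(root).iterdir()):
        if not folder.is_dir():
            continue
        if folder.name not in policy:
            unclassified.append(folder.name)
            continue
        if folder.name in legal_hold:
            continue
        cutoff = now - policy[folder.name] * DAY
        for path in sorted(folder.rglob("*")):
            # Skip symlinks so the sweep cannot be pointed outside root.
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_mtime < cutoff:  # assumption: mtime == data age
                expired.append(str(path.relative_to(root)))
                if not dry_run:
                    path.unlink()
    return expired, unclassified
```

Run it with `dry_run=True` first and review the returned list with the same advisors from step 4 before allowing deletion; the `unclassified` list shows where the inventory is incomplete.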

By eliminating data that your business no longer needs, you can realize several benefits:  reduced storage costs, increased employee efficiency, and reduced impact from a data breach.  Three wins from a single change is pretty good!

Cyber Risks Can Affect Small Businesses, Too

The online world has become a much more dangerous place over the past decade. We see new stories about cyber attacks and cyber breaches in the news every week. There was a time when it seemed like cyber attacks were primarily targeted at governments with classified data or large businesses with plenty of resources to steal.

Unfortunately for small business owners, that is no longer the case. Over time, cyber threats have begun to directly affect even the smallest of businesses. To make things worse, the impact of a successful cyber attack on a small business can be devastating. According to the Better Business Bureau’s report on cybersecurity in small businesses, the average cost of a cyber attack on a small business is $80,000. That is a small amount of money for a large corporation like Target or Yahoo!, but it is huge for a small business.

Studies have shown that more than 60% of small businesses that are victims of a cyber attack go out of business within six months. That is a shocking number; it brings home the impact of security risks to business leaders as well as to employees. None of us wants to see our companies go out of business.

What can you do to protect your business from cyber attack?

There are a variety of steps you can take to help improve your security, including training and skill development for your people, changes to key processes that can reduce risk, and implementing technology that will help prevent certain types of attack. But where should you start?

The first step is to take cyber seriously. Make sure that your business leaders and your board of directors understand your risks and are taking practical steps to address them. Awareness also extends to employees, in part because many attacks are targeted against members of your staff. Make sure everyone on your team understands their role in protecting the company and their jobs.

Another important step is to plan for how you will recover from a cyber attack. Many of the small businesses that fail after a cyber attack do so because of secondary costs. Although the direct costs of an attack can be painful, your biggest risk is most likely that it will take too long and cost too much money to recover your systems and data so you can return to business at all. The longer it takes you to resume supporting your members, delivering your services, or selling your products, the greater the likelihood that your company will fail.

How difficult is this?

Spoiler alert! These steps don’t have to be difficult or costly. Find a partner that can help you. Ask them to work with your board and other leaders to ensure a common understanding of your cyber risks. Provide training and attack simulations to your team. Develop and test a plan for recovering if some of your key data is lost or stolen.

All of this can be done in a matter of weeks, not months or years. When you are finished with these steps, you will have taken an important step forward and can prioritize any additional steps you need to take to further reduce your security risks.