As an organization, you are responsible for safeguarding sensitive information in your possession from threat actors. Here’s how you can do it.
Data Protection for Civil Society: How to Protect Sensitive Information
It is impossible to run a civil society organization without dealing with the collection, storage, processing, and transfer of confidential data (also known as sensitive data). From clients’ addresses and names to the standard operating procedures your organization relies on for its operations, data is the lifeblood of any modern organization.
But with the good comes the bad.
When sensitive information in your organization’s care is not properly safeguarded, the consequences can be severe: loss of business, financial penalties, reputational harm, and lawsuits, among others. Here’s what you need to know to avoid that scenario and protect the sensitive information in your organization’s care.
We’ll start with some fundamental information about confidential data and the laws that govern its protection. We’ll then offer five practical ways to better protect sensitive information in your organization.
What is Sensitive Information?
Sensitive information is data in an organization’s possession that must be secured and kept private at all times, because unauthorized access to it, whether it is held digitally or on paper, can harm the individual it describes or the organization that holds it.
It is important to note, however, that the level of security required to protect confidential data varies depending on the type of sensitive information in question. Still, it must be protected from threat actors in any case.
Examples of sensitive information include:
- Personally Identifiable Information (PII): an employee’s or client’s date of birth, national identification number (NIN), home address, medical information, and so on.
- Proprietary information: intellectual property, marketing plans, donor lists.
- Information protected by attorney-client privilege or similar protections.
The list goes on…
The Laws Governing Compliance
The protection of confidential data is governed by a set of global and national regulations and laws.
The most widely cited example is the European Union’s General Data Protection Regulation (GDPR), which sets security and privacy requirements for how organizations collect and use personal data, with heavy penalties for violations.
Note: although the GDPR was enacted by the EU, it applies to any organization, wherever it is located, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.
In South Africa, the law governing data collection is the Protection of Personal Information Act (POPIA).
In Nigeria, the principal data protection regulation is the Nigerian Data Protection Regulation 2019 (NDPR).
And so on.
It is best to become acquainted with the laws and regulations, both industry-specific and general, that apply in every jurisdiction in which your organization operates. When in doubt, err on the side of caution and overprotect information, or seek legal advice.
5 Ways to Secure Sensitive Data
Don’t worry; one does not need to be a security expert to follow the tips listed below.
Let’s get started.
1. Organize
The best way to ensure the sensitive information in your organization’s care is protected is to know how much data needs protecting in the first place.
Inventory all laptops, computers, flash drives, mobile devices, digital copiers, disks, and other equipment to determine where and how sensitive data is stored in your organization.
The goal is to obtain a complete picture of:
- How your organization receives confidential data
- Who sends your organization sensitive personal information
- Who has, or could have, access to sensitive information
- Where the information is stored
Depending on the size of your organization, sorting through data manually may take very little time or a great deal of it. If it is the latter, consider using legal technology such as ZyLAB ONE to identify, sanitize, and categorize your organization’s sensitive data.
Pro Tip: if you don’t have a legitimate reason to keep a piece of sensitive information, don’t keep it, and keep what you do need only for as long as it is required. That said, remember to create backup copies of the information you keep.
2. Encrypt
If you want to keep something safe, you must lock it. This means encrypting your files if you keep sensitive information digitally. It makes no difference whether this information is stored in the cloud or on a hard drive; encrypting your organization’s files ensures that they cannot be accessed by just anyone.
You can do this yourself with tools like VeraCrypt and Cryptomator; just make sure to use a strong, hard-to-guess passphrase, and lock or unmount the encrypted volume whenever you are not using it, because its contents are exposed while it is open. If you’re worried about forgetting a long passphrase, store it in a password manager like LastPass, and protect the password manager itself with a strong master password and multi-factor authentication.
Also, as a best practice, consider using communication tools with end-to-end encryption to share sensitive information with third parties over public networks or via email.
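To make the “lock it with a strong passphrase” advice concrete, here is a small passphrase-based file encryption routine of the kind tools like VeraCrypt and Cryptomator implement internally. It is an added example, not code from the original article or from either project, and it assumes the third-party `cryptography` package is installed (`pip install cryptography`). The format tag `CSO1` and the function names are arbitrary choices for this example.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSO1"  # file-format tag; an arbitrary choice for this example
SALT_LEN, NONCE_LEN = 16, 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes every guess at the passphrase expensive, and the per-file
    # salt stops an attacker from reusing that work across files.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    # AES-GCM authenticates the ciphertext, so any tampering is detected on decrypt.
    return MAGIC + salt + nonce + AESGCM(key).encrypt(nonce, plaintext, MAGIC)


def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    if not blob.startswith(MAGIC) or len(blob) < HEADER_LEN + 16:  # 16-byte GCM tag
        raise ValueError("not an encrypted file in this format")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], MAGIC)
    except InvalidTag:
        raise ValueError("wrong passphrase, or the file has been modified") from None


def decrypts_with(blob: bytes, passphrase: str) -> bool:
    """True if the passphrase opens the blob and the contents are intact."""
    try:
        decrypt_bytes(blob, passphrase)
        return True
    except ValueError:
        return False


def encrypt_file(src: str, dst: str, passphrase: str) -> None:
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(encrypt_bytes(data, passphrase))


def decrypt_file(src: str, dst: str, passphrase: str) -> None:
    with open(src, "rb") as f:
        blob = f.read()
    with open(dst, "wb") as f:
        f.write(decrypt_bytes(blob, passphrase))


if __name__ == "__main__":
    # Constructed demo data; nothing here comes from a real client record.
    blob = encrypt_bytes(b"Client list: Amina Bello, 12 Example Street", "correct horse battery staple")
    print(decrypt_bytes(blob, "correct horse battery staple"))
    print(decrypts_with(blob, "password123"))  # a wrong passphrase is rejected
```

Two things to notice: a wrong passphrase and a modified file fail in the same way (the authentication tag does not verify), and the key derivation deliberately costs tens of milliseconds so that guessing passphrases is slow. That cost only helps if the passphrase is long and unpredictable; a short dictionary word is still crackable, which is why the article recommends a password manager for keeping a long one.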
Pro Tip: Keep important organizational data on work devices only. Your work devices will most likely have better security measures than your personal ones.
3. Authenticate
First off, unless it is absolutely necessary for your organization’s operations, do not store sensitive data on an internet-connected computer. Either way, password-protect every device and account, and make controlling access to confidential data an organization-wide policy.
Then adhere to the following password security best practices:
- Use a password-protected screensaver or lock screen that locks devices after a short period of inactivity.
- Disable accounts and rotate any shared credentials promptly when an employee leaves the organization, and require a password change whenever a password may have been exposed.
- Lock out users after a designated number of failed log-on attempts.
- Use multi-factor authentication as an extra layer of protection.
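The lockout and multi-factor rules above are easy to state and easy to get subtly wrong, so here they are as working code: a standard-library TOTP implementation (the RFC 6238 time-based codes that authenticator apps generate) combined with a login check that locks an account after a set number of failures. This is an added example written for this article, not code from any product it mentions; the user store, the `LoginGuard` class and the lockout parameters are assumptions for illustration, and the secret used in the demo is the RFC 6238 reference test secret rather than a real one.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = int(at_time) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters are a reasonable interactive setting.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


class LoginGuard:
    """Password + TOTP check with lockout after `max_failures` failures in `window_seconds`."""

    def __init__(self, users: dict, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900, clock=time.time):
        self.users = users
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock              # injectable so the demo and tests are reproducible
        self.failures: dict = {}        # username -> timestamps of recent failures
        self.locked_until: dict = {}    # username -> time the lockout expires

    def login(self, username: str, password: str, code: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"             # refused even with correct credentials
        user = self.users.get(username)
        ok = False
        if user is not None:
            pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
            # Evaluate both factors; the response never says which one failed.
            code_ok = verify_totp(user["totp_secret"], code, now)
            ok = pw_ok and code_ok
        if ok:
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t < self.window_seconds]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: RFC 6238 reference secret and a fixed clock of t=59 seconds.
    secret = b"12345678901234567890"
    guard = LoginGuard({"amina": make_user("correct horse battery staple", secret)},
                       clock=lambda: 59)
    print(guard.login("amina", "correct horse battery staple", totp(secret, 59)))  # ok
    print(guard.login("amina", "correct horse battery staple", "000000"))         # denied
```

The design choices matter as much as the code: both factors are always checked and the answer is a single “denied”, so an attacker cannot tell which factor was wrong; a locked account stays locked even for the correct password and code until the lockout expires; and the counter of failures is per account and time-windowed, so one forgetful employee does not get locked out for a typo from last week.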
Bonus Tip: When otherwise disclosable files contain sensitive information, use automated redaction technology to locate and conceal that sensitive information. This reduces the possibility of unauthorized disclosure of confidential data.
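The “Organize” step above (finding out where sensitive data lives) and this redaction tip rely on the same underlying technique: pattern-based discovery of sensitive values in documents. The following is an added example, not code from the article or from any product it names such as ZyLAB ONE, showing a minimal discovery-and-redaction pass over a set of constructed sample files held in memory. The pattern set, the 11-digit national ID format, and the file names are assumptions for this example; a real deployment would use the identifier formats your organization actually handles.

```python
import re
from collections import Counter

# Pattern library. The 11-digit national ID format is an assumption for this
# example; adjust these to the identifier formats your organization handles.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "national_id": re.compile(r"\b\d{11}\b"),
}


def scan(text: str) -> list:
    """Return (category, matched value) pairs for every sensitive-looking value in text."""
    found = []
    for category, pattern in PATTERNS.items():
        found.extend((category, m.group(0)) for m in pattern.finditer(text))
    return found


def classify(files: dict) -> dict:
    """Map each path to the set of sensitive-data categories found in it."""
    return {path: {category for category, _ in scan(text)} for path, text in files.items()}


def inventory(files: dict) -> list:
    """Sorted (path, category, count) rows: the 'where is it stored' picture."""
    rows = []
    for path, text in files.items():
        counts = Counter(category for category, _ in scan(text))
        rows.extend((path, category, n) for category, n in sorted(counts.items()))
    return sorted(rows)


def redact(text: str) -> str:
    """Replace every detected value with a labelled placeholder before disclosure."""
    out = text
    for category, pattern in PATTERNS.items():
        out = pattern.sub(f"[REDACTED:{category}]", out)
    return out


# Constructed sample files standing in for a scanned file share; none of this is real data.
SAMPLE_FILES = {
    "clients/intake_form.txt": (
        "Name: Amina Bello\nEmail: amina.bello@example.org\nDOB: 12/05/1988\n"
        "NIN: 12345678901\nPhone: +234 803 123 4567\n"
    ),
    "ops/standard_operating_procedure.txt": (
        "Step 1: log every request in the shared tracker.\nStep 2: escalate to the director.\n"
    ),
    "donors/2023_pledges.csv": "name,email,amount\nJ. Okoro,j.okoro@example.com,5000\n",
}


if __name__ == "__main__":
    for path, category, n in inventory(SAMPLE_FILES):
        print(f"{path}: {n} x {category}")
    print(redact(SAMPLE_FILES["clients/intake_form.txt"]))
```

Run against the samples, the inventory shows that the client intake form and the donor pledge list need protection while the SOP does not, and the redacted intake form keeps the person’s name but removes the email, date of birth, ID number and phone number. The caveat is visible in that output: a regex scanner finds only the formats it was told about, so names, addresses and free-text medical notes pass through untouched. Use a tool like this to build the initial picture and to catch the obvious values before disclosure, then have a person review what remains.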
4. Firewall
A firewall is a piece of hardware or software that filters traffic between your network and the internet, blocking harmful and malicious traffic and so preventing threat actors from reaching a computer on the network that holds sensitive information.
If your organization doesn’t already have one, we recommend prioritizing setting up one as soon as possible. Additionally, keep up-to-date anti-malware and antivirus software on your network’s servers and individual devices to protect against malicious software.
It is important to note, however, that a firewall’s protection is only as good as its rules.
So configure its access controls, the rules that govern which traffic and devices may pass through, carefully: start from a default-deny policy, open only what the organization actually needs, so that only trusted devices with legitimate authorization can reach the network, and review the rules regularly to make sure they still admit only the right traffic.
Pro Tip: If some of your network’s devices or servers store sensitive information while others do not, consider using additional firewalls for those that do.
5. Train
Your sensitive information protection plan may look good on paper, but it is only as strong as how employees implement it. In other words, the best defense against data breaches is a well-trained workforce.
As a result, invest in training staff to recognize security threats and safeguard confidential data.
Make it clear to them that adhering to your organization’s confidentiality and security policies is an essential part of their job; include it in their employment contracts if possible.
Finally, training should be continuous in order to meet the needs of your expanding organization.
Final Thoughts
Managing passwords, organizing folders, memorizing a master passphrase, and following security best practices can feel overwhelming, but it is all worthwhile, especially since it maintains the trust of your stakeholders, partners, and the general public, which is critical to the continued success of your organization.
Remember, your organization’s data is valuable; take good care of it.