Rock LaManna, 11.14.16
How careful are your employees with company data? If you’re like most label printing companies, you believe that your employees already know how to protect sensitive information. You may have discussed the topic with department managers and IT experts, but it’s likely you haven’t enacted a company-wide method of communicating the importance of proper data handling to every employee.
A written plan, signed by every employee in your company, is the first step to plugging the data leaks within the organization. The plan should outline industry best practices and specific procedures for how that will happen. There are too many changes in data handling to allow these procedures to become outdated, so your written plan should be updated every three years.
Cloud considerations and mobile devices
In the past three years, the label industry has increased the number of tools and software that operate in the cloud. For example, if you use a cloud-based sales management tool like Salesforce.com, you are passing incredible amounts of data through the hands of your employees.
Increasingly, employees are using – or want to use – their personal devices to access company information. Your company plan should lay out specifically how employees can or cannot use their personal devices.
Salespeople, in particular, want to use their phones or tablets to access data about customers and prospects. The reality is, even if you tell them no, they will do it anyway, or they will end up going around you and creating their own databases, which is a bad idea.
I recommend you work with a security expert and your IT department to detail the best way for employees to use and protect their personal devices. There are many ways to disable a phone if it is lost or falls into the hands of a competitor. Also, have managers set up tiers of access to information. Determine how much access salespeople need in the field without having your entire customer database open to them. If they need access to prices on previous jobs, credit information and other details handled by the accounting department, have a multi-step process for entering these secure areas.
Home-based workers
In some companies, home-based workers are allowed to log in to a secure server to access company information. At every level within the home operating environment, security must be addressed:
- Are employees using wireless or hard-wired devices?
- Are they accessing the Internet and search engines from that computer, where they could pick up a virus?
- Are they computing in a place where others can view their work sessions?
- Are they printing to secure devices?
- Are printers set up so that jobs cannot be output until the user is at the printer and types in a code?
- Are users allowed to download information to the home computer?
- Are users responsible for disposing of information or clearing caches once it is printed or accessed?
Finally, and most important, are home-based workers required to have strong and secure passwords?
Strong passwords
Even though we have understood the importance of secure passwords for over a decade, companies are still not vigilant about enforcing them. Passwords need to be strong, and they need to be secure for all employees accessing company data.
A strong password should include a capital letter, a symbol, such as a question mark or slash, a number, and at least eight characters. The password should not be easily tied to the person, such as a birthday, a child’s name or a hobby. A secure password should not be stored on a Post-It note, on a mobile phone, in an email, or even in an unsecured booklet of passwords kept at the company.
Furthermore, the employee should never choose the option to “remember passwords” on the device. If possible, IT managers should disable this option.
When I talk to IT managers about the problem with soft passwords, they tell me employees often cannot remember their own passwords. Managers say they spend too much time helping to reset or retrieve this information when they should be working on bigger IT initiatives. As a result, the bar is low for password best practices.
IT managers also tell me that they do not require employees to change passwords regularly. The fact is, the higher the sensitivity of the data, the more frequently passwords should be changed. It’s common in my visits to printing plants to hear that passwords are changed every few years instead of every few months. We need to learn from the data breaches we read about in the news.
Plugging the holes
Employees often develop good data-handling practices because of information and pressure from outside the company. They may belong to groups that communicate frequently about laws and practices. They may get information from colleagues, trade organizations, vendors and trainers. I often find textbook-perfect practices in the human resources department or among the technology people in the production department.
However, I just as often see data security issues in the accounting departments of the companies I visit. Accounting professionals process vast amounts of data, and they often cross back and forth between secure and unsecure data. Between straight data input and more secure data, such as credit checks and credit card handling, there may be shortcuts, such as cutting and pasting, which leave information unsecured.
In addition, accounting departments often generate piles and piles of paper that may get filed or shredded. The many bookkeepers I know are more likely to file sensitive information, such as a customer’s credit card number, than to shred it. Credit card handling should be addressed in your written plan. File cabinets should have locks. File drawers should be kept closed when not in use, and keys should not be hanging out of the lock during the day.
I recommend you hire an auditor once a year to monitor paper trails, observe methods, track an invoice from generation to payment, and communicate new laws and best practices.
Preparing the written data security plan
I find it helpful if the team that is preparing the written plan also does the research about the potential impacts if there is a data breach. Every aspect of a breach should be researched, from the financial impact to the loss of customers.
Find personal stories in the business press or from your trade association about companies just like yours where there was a data breach. These stories are easier for employees to relate to than examples of mega companies like Chase, Yahoo and Wells Fargo. Nothing spreads faster through the company grapevine than relatable horror stories, even when they are used as negative examples.
The team preparing the report should ask employees to identify the places in the company where data is not protected sufficiently. There are two types of employees who can probably give you good feedback: (1) employees who like to work quickly and are impatient with roadblocks, and (2) employees who have bad work habits in general. Both types of employees have probably developed workarounds and shortcuts that bypass your security efforts.
Your written plan should answer these questions:
- What does a “data secure” workplace look like?
- How does it function?
- Who can handle and access data? Who cannot?
- How often should the written plan be reviewed?
- How do you update best practices as they evolve?
- How do you communicate best practices to new employees, and how do they prove their mastery of the topic?
- How do you protect the company from small breaches that cause no immediate harm but show lack of discipline?
- What happens if employees willfully do not follow best practices?
- How do you lock down the system if there is a breach?
- Which employees should be notified and how can they be reached?
- Which customers, vendors and/or strategic partners need to be notified, what should they be told, and who should tell them?
- Who in the company should talk to the press? What should they say or not say?
- How do you recover from an episode?
Developing a written plan for handling and securing company data is a task that can be started by the team that wrote your company handbook. It’s especially helpful if this team includes representatives from all the departments and various strata in the company organizational chart. It’s vital to include employees who actually are working with data. Your trade or business organization may have other suggestions on how to put together a written plan.
As the owner, you cannot do this on your own. As your team develops the written plan, do all you can to have employees on board and vested in positive outcomes.
An authoritarian mandate from above will not be as successful as an all-for-one approach. Revisit your plan regularly and survey employees to find out where new loopholes are developing.
Data handling in the future
Like many other sectors of the printing industry, label printers are seeing an increasing number of jobs that require the customer’s secure information. Over the next five years, label printing will continue to expand into variable output and complex customization.
Increasingly, customers will demand that their data be handled properly and require their own written agreements. To be ready, we need to close the breaches, start following safe data practices and prove that we can handle jobs that require high levels of secure customer data. Letting customers know you have a written data security plan is a logical step to earning their trust.
Rock LaManna, President and CEO of LaManna Alliance, helps printing owners and CEOs use their company financials to prioritize and choose the proper strategic path. Rock can be reached by email at rock@rocklamanna.com.