Data protection is a hugely important issue in everyday business. This blog post will explain why you should make data protection a top priority – especially when it comes to the electronic exchange of sensitive information.
If confidential data falls into the wrong hands, the consequences can be fatal for the company concerned. So it is essential that you protect yourself thoroughly to prevent the loss or theft of valuable information during any kind of electronic data interchange.
Three questions are especially important in this context: what should you bear in mind when protecting your data? Why is data security such a high priority? When should you consider bringing in external specialists?
Without data security there is no data protection
How do we guarantee privacy? By achieving data security through appropriate infrastructure and by raising the awareness of the people involved. Quite simply, data security is achieved by making data theft very difficult: it encompasses all measures that make unauthorized access to data from outside harder.
Securing your house or apartment
In practical terms, we can learn from the example of home security: houses and apartments have technical safeguards, like solid windows and doors, equipped with locks. If you are looking for even greater protection, you might opt for special window glazing, with armoured bars or an alarm system for additional security. But the physical technology is just one element. Even the best armoured glass will not help if the window is left open by mistake, or if the key to the security door is under the doormat.
Security for your computer and stored data
Similar principles apply to computer or smartphone security. Here again, you use keys in the form of passwords to prevent unauthorized access to your personal data. Antivirus software provides additional protection against external intruders. Biometrics, code cards or combinations of security measures can also be used to make unauthorized access more difficult. But once again, even the best technology in the world is worth nothing if an employee keeps his password on a post-it stuck under his keyboard.
Security is paramount – avoiding shitstorms
If you are serious about protecting yourself and your customers against unauthorized access to sensitive data by third parties, then you should treat data security with the utmost respect. Security is paramount, but it can only work if your company’s management takes appropriate action. Only by meaningfully integrating data protection into the corporate strategy and implementing appropriate security measures can a company ensure that all parties follow the necessary security procedures.
Failing to do so – for example, violating customer privacy through careless actions – can have fatal consequences. Gaining a bad reputation as a company that takes the security of its customers’ data lightly is serious, and in the worst case can lead to financial ruin.
Depending on how explosive the security violation is, customer indignation can rapidly spiral out of control: the viral spread of information over the Internet quickly acts as a multiplier, and we all know of recent cases in which so-called shitstorms shook the corporate communications departments of established companies to their foundations. As the ebb and flow of information continues, controversial issues may quickly be brushed under the carpet, but a bitter aftertaste is often left when customer trust has been abused by wrongdoing. Data security is also about trust and reliability: basic values that you do not want to violate as a company.
These recommendations are especially relevant if your business exchanges sensitive electronic data with external partners. Data protection must be a top priority, and to avoid security incidents from the outset, data security must be treated as a cornerstone of the corporate strategy. Concretely, this means that all questions concerning the implementation of security measures must be clarified at decision-making level – for example, whether electronic data interchange (EDI) is performed in-house or by an external contractor.
Security from your own data centre or via a service provider?
If you use your own IT infrastructure with an on-site data centre, you should ensure, together with the appropriate specialists, that it operates in compliance with the data protection requirements. It is important to take all security measures necessary to continuously monitor your systems and make sure everything performs to the latest standards – whether you entrust the job to your own staff or hire an external service provider to do the task.
If you do not have your own IT infrastructure and rely on the data centre of a service provider, you must ensure that you are cooperating with a reliable partner who meets all the relevant security criteria. It is crucial for this service to be available around the clock. This is the only way to ensure optimal data protection, because when problems arise, an immediate and competent response can make all the difference. Data thieves do not take the weekend off – on the contrary. And how many SMEs will pay their IT staff to work around the clock?
Carefully select partners to handle electronic data interchange
If your company carries out electronic data interchange relating to sensitive operations (such as purchase orders, delivery notifications, invoices or technical data) with business partners, either now or in the future, then data protection takes on an even greater significance and the question arises as to whether this activity can be secured adequately and affordably in-house.
When exchanging sensitive electronic data, you should always pay attention to the confidentiality of the data (e.g. encrypted transmission, no unauthorized access to file contents), its availability (was all the relevant EDI data, such as vital orders, actually transmitted?) and its integrity (e.g. completeness and correctness of the EDI data).
This requires comprehensive technical and organizational measures. Security concepts like high availability, disaster recovery, backup and restore, replication between data centres and uniform virus protection must be implemented. Firewall clusters, virtualization infrastructure, network intrusion detection/prevention and antivirus solutions should all be adjusted on the basis of regular risk assessments of the constantly changing threat landscape.
Furthermore, sensitive information, such as personal data, must, by law, be given a special level of protection. Such data may only be exchanged using systems and protocols (e.g. special portal applications) that meet the strictest security requirements. What’s more, it is a basic requirement for all service providers to have the effectiveness of these measures checked and externally verified against international standards (e.g. ISO 27001), as well as to perform periodic reviews of security measures, for example with penetration tests.
If you should find that the necessary and specialized resources are not available internally, then the selection of a suitable and reliable partner is a prerequisite for safely and successfully carrying out electronic data interchange. As a matter of principle, this decision should be discussed with the aid of internal IT experts at the highest level of management, because you should not forget: if it is about data protection then it is also about your company’s reputation.
Crisis management – what do you do if things get difficult?
If your security measures let you down, it is important to manage the crisis in a professional way, to ensure that data security is restored and any damage is repaired as quickly as possible.
Professionals know they need to have a contingency plan in their top drawer, ready to be executed at any time. This means that the issue of crisis management should not be raised for the first time after the crisis situation has arisen. Quite the contrary: begin as early as possible with good and effective crisis management, and identify potential emergency situations ahead of time. Establish solutions in advance to minimize damage in case of emergency. Ideally you should run through a number of worst-case scenarios so that your staff are used to reacting quickly and professionally in the event of an emergency.
You should adopt the firefighter’s approach to training and planning: with constant emergency preparation, you will know exactly how to react when disaster strikes.
Prepare crisis communication, avoid shitstorms
The corporate communications department should also have a contingency plan. Few things could throw more fuel on the fire of bad publicity than a rash reaction to a security-related incident. Prepare your communications team to run a considered and meaningful external communications operation in case of emergency by developing strategies and preparing action plans for such cases in advance. Ideally, they should work closely with the staff involved, to ensure they have access to all the information they need. In this way you can dodge approaching shitstorms and even turn the internet’s reach to your advantage. It should go without saying that this can hardly succeed with an ill-conceived, ad hoc response thrown together in a time of crisis.
If you do everything right, your precautions should be so effective that you avoid crises altogether.
Crisis prevention through outsourcing when internal skills are scarce
Outsourcing services to specialists can be an effective way to prevent crises. For SMEs, building their own permanently watertight, secure IT infrastructure is an enormous expense. Ever faster developments on the “dark side” of digitalization, coupled with the ever increasing demands of customers for service quality, push in-house IT teams right to the limits of their abilities.
This is particularly true for the protection of EDI. The in-house IT departments of mid-sized companies quickly find themselves overwhelmed by these operations.