February 23, 2023

4 Best Practices for Protecting Private Data

If you’re approaching data security for the first time, or just need to revisit your approach to protecting private data, it can be hard to get started. Dealing with (sometimes very different) data privacy laws, ensuring that your company follows procedure, and tracking down the gaps in your security can all be challenging. Here are a few concrete things you can do to turbocharge your approach to protecting private data and ensure that you’re taking care of your customers, too.

Best Practice #1: Create a Privacy Policy

It may seem a little strange to start with the creation of your privacy policy when protecting private data. However, there are two powerful reasons that you should make this one of your priorities. The first is that your privacy policy is a required legal document in a growing number of countries around the world. Not having one could subject you to heavy fines. Second, creating a privacy policy forces your company to document the different ways you use customer data and think critically about those uses. For example, while compiling the ways in which your company uses data, you might discover that there are processes using data that are no longer necessary. By dropping these, you can free up resources.

It can also help uncover “shadow IT,” or processes put in place by your employees without the official sanction of the company. These processes can expose you to liability, even if you don’t intend for them to be happening. That’s not to say that your privacy policy should be set in stone. Instead, it should be a living document, able to evolve as your business needs change. At the same time, you should ensure your employees understand that they cannot change how they handle customer data without the express approval of the company. There should be a clear, documented process for requesting updates to the privacy policy so that your company can remain flexible while still meeting its regulatory requirements.

Best Practice #2: Encrypt Your Data

One of the most important things you can do to protect private data is to encrypt it. Encryption takes useful data and turns it into scrambled, unreadable data (ciphertext). The data can only be turned back into its useful form through the use of a private key. Without that key, it would take as long as 13,689 trillion trillion trillion trillion years to crack the encryption if you had access to all the computing power on Earth. By that point, the data would likely no longer have any use.

The issues that stem from a lack of encryption quickly become apparent in the event of a breach. In 2019, a security researcher discovered a cache of more than 885 million sensitive documents on First American Financial’s website that were unencrypted. Consequently, anyone with the right URLs could access any of those records. Encrypting your data at rest, or when it’s not in use, prevents this kind of leak and helps keep your customers safe.

Best Practice #3: Discover and Classify Sensitive Data

While all data should have some level of security, applying your maximum efforts to every piece of data can be an inefficient approach that damages your company’s productivity. For example, suppose your company handles weather data. If that’s leaked, it’s no big deal. On the other hand, social security numbers should be handled with much more care. Treating both as if they were the same incurs the unnecessary use of computer resources for encryption and decryption, and might also cost your employees time.

The solution is to classify all of your internally generated and incoming data to ensure that it is handled correctly. Of course, this isn’t something you can do by hand, especially if your company handles millions or even billions of data points in a year. Data discovery by Mage uses AI and advanced Natural Language Processing to uncover all your sensitive data. It works on the databases you already have and can work incrementally as new data comes in, ensuring that you always have a complete view of what data you have so that you can secure it correctly. Because it’s driven by AI, it can also identify sensitive data with an unorthodox presentation, such as an email address with a typo or stored within header data, so that nothing slips through the cracks.

Best Practice #4: Control Data Access

Once your data is identified, classified, and encrypted, the next step is to control access to ensure that your data is protected. In the past, a username and password would be enough to keep data safe. However, that’s no longer the case. One of the most common ways data is accessed improperly is through a compromised set of credentials. One way to counter that problem is through the use of two-factor authentication: When your employee enters their correct username and password, a code will be sent to them via phone call, text, email, or a piece of physical hardware like a dongle. They won’t be able to log in unless they also enter the correct code. This means that even if your employee’s credentials are compromised, no one will be able to use them to log into their account.

It’s also important to restrict data access within your organization. Your accountant doesn’t need access to the same files your account manager does, and vice versa. Restricting their access to the files and resources they need to perform their jobs helps keep information safe in the event of a breach and limits the damage a single employee can do in an intentional leak.

Controlling access at this level requires granular tools. Mage’s Dynamic Data Masking offers companies everything they need to manage a workforce ranging in size from very small to enterprise. Flexible rules, including role-, user-, program-, and location-based controls, allow for extremely fine-grained tuning of the permissions process and ensure your employees have what they need to work without having unnecessary access to sensitive information.

How Mage Can Help

Over the years, Mage has helped companies of all sizes enhance their approach to data privacy. Having worked with so many different clients with different needs, we know how to help you create the right approach to security for your specific needs. Schedule a demo today to learn more about what Mage can do for you.