Most data protection strategies focus on keeping outsiders from breaking in and gaining access to sensitive materials. IT departments are tasked with setting up firewalls, filters for gateways, systems that can quickly detect intruders, and so on.
But there is another threat that is given far less attention: internal access to data.
By and large, most employees have no desire to purposely delete or damage data. The problem, however, isn’t intent so much as it is access – and that’s true in two different ways.
Firstly, when you sell products online, your employees may have access to your seller accounts on channels such as Amazon, Google AdWords, and so on. These accounts contain important competitive data for your business, including financial information related to spend and more.
Secondly, many of today’s workers access company data from multiple locations and use a variety of devices to do so. Securing these devices and locations is at best difficult and, in many cases, borderline impossible.
So what can you do to protect your store data?
Remove permissions quickly.
Those firewalls and filters are there for a reason. Employees don’t instantly gain access to company information the second they are hired – you grant them that permission by having an account set up that lets them see the data. This could mean simply giving them a company password, or it might mean creating a profile that determines their level of access.
Whatever your situation is, you need to act quickly to remove their access once they are no longer working for you. How do you do this? By deactivating passwords to computer systems, email, remote access accounts, and other programs. This keeps a former employee from reaching sensitive information they should no longer see, essentially putting them in the same position as everyone else who doesn’t work for you.
It can be easy to overlook specific accounts or programs, because most businesses work with dozens of them. Work with IT to build a master list and then to maintain that list. That way, when someone leaves, your team can simply check off each one as they remove permissions.
Limit access to information.
Removing permissions is great, but it doesn’t get rid of information that departing employees already have on their devices. This is a difficult problem to address. But what you can do is ensure their access is limited in the first place. We briefly touched on this above when we mentioned creating a profile to determine their level of access. Basically, doing this allows you to decide what company data they can see – and what they can’t – based on their role or job title.
GoDataFeed’s user roles, for example, allow you to customize access so you can decide what data individual employees are able to view, edit, add, and delete. What types of permissions can you grant? There are a variety of different permission levels, including agency-friendly access features:
- Imports. Control data being imported to a particular store.
- Feeds. Monitor and control data being sent to shopping channels through feeds.
- Reports. View, edit, add, or delete reports as well as email-only reports for clients.
- Activity Logs. Access to account activity.
- Modules. Add or delete modules, such as bundles, feeds and utility modules, for a store.
Implementing user roles and limiting access to sensitive data is far better for companies than giving someone access to a main password. If you do that, you’ll have to change the password every time anyone leaves. And everyone will have to learn that new password. With user roles, you can just remove the user. It’s not only more efficient, but safer.
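The master list and the shared-password problem described above can be worked through in a few lines. This is an added example, not GoDataFeed code: the system names, users, and the `System` structure are constructed sample data. It builds the offboarding checklist for a departing employee and shows how each shared password turns one departure into work for everyone who remains.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    shared_password: bool = False             # True: one main password known to several people
    users: set = field(default_factory=set)   # who currently has access


# Constructed master list (sample data, not taken from any real company).
MASTER_LIST = [
    System("email", users={"alice", "bob", "carol"}),
    System("vpn", users={"alice", "bob"}),
    System("feed-platform", users={"bob", "carol"}),
    System("ads-account", shared_password=True, users={"alice", "bob", "carol"}),
    System("marketplace-seller", shared_password=True, users={"alice", "carol"}),
]


def offboarding_checklist(master_list, departing):
    """Return the work items created when `departing` leaves."""
    deactivate, rotate = [], {}
    for system in master_list:
        if departing not in system.users:
            continue
        if system.shared_password:
            # The password must change, and everyone else has to learn the new one.
            rotate[system.name] = sorted(system.users - {departing})
        else:
            # Individual account or role: just remove the user.
            deactivate.append(system.name)
    return {"deactivate": sorted(deactivate), "rotate": rotate}


def outstanding(plan, done):
    """Items on the checklist that have not been checked off yet."""
    todo = [("deactivate", name) for name in plan["deactivate"]]
    todo += [("rotate", name) for name in plan["rotate"]]
    return [item for item in todo if item not in done]


if __name__ == "__main__":
    plan = offboarding_checklist(MASTER_LIST, "bob")
    print("Deactivate:", plan["deactivate"])
    for name, notify in plan["rotate"].items():
        print(f"Rotate {name}; tell new password to: {', '.join(notify)}")
    checked_off = {("deactivate", "email"), ("rotate", "ads-account")}
    print("Still open:", outstanding(plan, checked_off))
```
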
Make use of the cloud.
In today’s work culture, keeping employees tethered to their workplace simply doesn’t make sense. With laptops, tablets, and mobile devices, employees can take what they need off-site, providing them with greater flexibility and productivity.
But that doesn’t mean employees should download all the company data onto their devices and go. Instead, keep sensitive information on the cloud using a secure provider. Then when someone leaves, you can quickly remove their permission to access the cloud.
Remote wipe mobile data.
Even if you embrace the cloud, you probably won’t be able to keep everything on the cloud. And some data will need to be directly downloaded onto devices in order to get work accomplished.
Make sure you use a software solution that allows for a remote wipe of corporate data from workers’ phones and other mobile devices without deleting their personal data. You should also remember to collect and check all devices, not just those that you provided. Consider USBs, backup drives, tablets, cameras, nav systems and more.
Hire a data forensics team.
If you suspect that data theft or file deletion has occurred, hire data forensics experts immediately. They may not be able to prevent your data from getting into the wrong hands, but they can uncover and record evidence of illegal activities.