How to prevent your company data from falling into the wrong hands

The opinions of contributing entrepreneurs are their own.

Key Takeaways

  • Data security is no longer about closed doors and trusted employees with key sets.
  • In a world of cloud storage, offshore labor and AI-powered tools, a single weak link can expose your most sensitive information.
  • Keeping data local, restricting access on a strict need-to-know basis and holding suppliers to higher standards is now mandatory for every business.

Not long ago, protecting your company’s data meant locking your desk drawer and reminding the lobby security guard to check the doors during his evening rounds. Today, however, our concerns extend beyond just the security guard or an enterprising thief.

In addition to foreign hackers, internal leaks from disgruntled employees exposing sensitive data and accidental exposure can all lead to opportunities for blackmail and extortion. Remember the board meeting where the marketing team shared your latest product research? It seemed like a good idea to order a written transcript for executives in the West Coast office. Are you confident that the transcription company you hired can ensure that the audio file or completed transcription has not fallen into the wrong hands?

The burden of securing valuable data weighs heavily on every business owner. Fortunately, there are simple steps you and your employees can take to minimize the risk of data theft.

Keep sensitive data local

If you own or operate a US-based business, keeping sensitive data within US borders is a wise decision. When data is transferred to another country, there is a significant risk that the legal protections provided by U.S. law may be lost.

The location of your business data determines who can legally access it or issue a subpoena. Where a company’s data centers are physically located is usually not an arbitrary decision. Most companies strategically choose such locations based on factors such as regulatory requirements, proximity to users, data volume and the provider’s global infrastructure.

If your business handles sensitive information, such as legal, health, or personal information, storing and processing only in the U.S. reduces exposure to overseas exploitation – including blackmail and coercion risks that can extend to employees, courts and law enforcement agencies – while improving your legal remedies and compliance position.

In my industry, some companies claim to be based in the US just because they rent office space or employ a handful of “managers.” However, many of these companies are actually owned by foreign entities and often rely on cheap foreign labor. Even if a company is based in the US, what matters is where they store your data.

Problems can arise when audio or video files contain sensitive legal or medical information. The laws of the US and other countries determine how companies must protect this type of data. The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information processed by U.S. entities. The law also requires that such data be protected when transferred abroad. The European Union’s General Data Protection Regulation (GDPR) also restricts the transfer of personal data outside the European Economic Area (EEA) to ensure that sensitive data remains protected.

Complications can arise when U.S. laws conflict with those of other countries. These disputes have led to significant legal battles and lengthy international diplomatic negotiations.

The best and safest way to ensure sensitive data remains protected is to keep it within US borders. Let’s look at several ways to protect your company’s sensitive data.

Who has access to your company data?

Protecting corporate data means understanding both its location and who has access to it. Evaluating internal access is critical, but it’s just as important to understand your vendors’ data security protocols.

Start with a data audit checklist for both your organization and your suppliers. Do you know exactly where the data is stored, who has access to it and at what levels?

Many of us are familiar with US government security clearances from watching dramas and crime thrillers. The lowest level of security clearance is ‘Confidential’. Individuals granted this clearance undergo a basic background check.

The next level is ‘Secret’. Individuals with this security clearance undergo a more stringent background check because disclosure at this level can cause significant harm.

The highest level is ‘Top Secret’, which is awarded to a select group of individuals who undergo an extensive background investigation that can take months or even years. Revealing top secret information could lead to long-term damage to military, business or intelligence operations.

While the spy-thriller detail may be intriguing, there are two important considerations that companies should keep in mind when designing their data security plans.

  • The three security clearances described above are intended to compartmentalize access, so that each person sees only specific information.
  • Each level is granted on a need-to-know basis.

Your primary focus should be on determining which employees within your organization need access to certain information or data. For example, does the Vice President of Sales at a pharmaceutical company need access to the latest clinical research results for a new drug? Probably not. On the other hand, a junior lab technician who enters data or assists with experiments likely needs that access. Conversely, the laboratory technician does not need access to expected sales figures after drug approval.

Take a good look at who exactly needs access to what data and for what reasons. Allocate access accordingly and restrictively. If an individual or team no longer needs access to certain data, it is important to limit or remove that access.
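The need-to-know allocation described above, and the follow-up step of removing access that is no longer needed, can be modelled as a default-deny policy with an access review. The following is an added example written for this article, not code from the author; the pharmaceutical roles, dataset names, dates and the 90-day idle threshold are constructed assumptions for illustration.

```python
"""Need-to-know access control with a periodic access review.

Added example (not from the article). Names, datasets and dates are
constructed for illustration of the pharma scenario in the text.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Constructed catalogue of sensitive datasets (assumption for the example).
DATASETS = {"clinical_results", "sales_forecast"}


@dataclass(frozen=True)
class Grant:
    """One person's access to one dataset, with the documented reason."""
    principal: str
    dataset: str
    reason: str                     # the business need that justifies the grant
    granted_on: date
    last_used: Optional[date] = None


class AccessPolicy:
    """Default-deny policy: access exists only while an explicit grant exists."""

    def __init__(self) -> None:
        self._grants: dict[tuple[str, str], Grant] = {}

    def grant(self, principal: str, dataset: str, reason: str, granted_on: date) -> Grant:
        if dataset not in DATASETS:
            raise ValueError(f"unknown dataset: {dataset}")
        if not reason.strip():
            raise ValueError("a grant must record why the person needs the data")
        g = Grant(principal, dataset, reason, granted_on)
        self._grants[(principal, dataset)] = g
        return g

    def revoke(self, principal: str, dataset: str) -> bool:
        """Remove a grant; returns False if there was nothing to remove."""
        return self._grants.pop((principal, dataset), None) is not None

    def can_access(self, principal: str, dataset: str, when: date) -> bool:
        """Decide a request. Anything without a grant is denied."""
        key = (principal, dataset)
        if key not in self._grants:
            return False
        # Record the use so the access review can tell live grants from stale ones.
        self._grants[key] = replace(self._grants[key], last_used=when)
        return True

    def stale_grants(self, today: date, max_idle_days: int = 90) -> list[Grant]:
        """Grants never used, or not used within max_idle_days: review candidates."""
        cutoff = today - timedelta(days=max_idle_days)
        return [g for g in self._grants.values()
                if (g.last_used or g.granted_on) < cutoff]


def pharma_scenario() -> dict:
    """Walk through the article's VP-of-Sales / lab-technician example."""
    policy = AccessPolicy()
    policy.grant("lab_tech", "clinical_results", "enters trial data", date(2024, 1, 15))
    policy.grant("vp_sales", "sales_forecast", "owns the revenue plan", date(2024, 1, 15))
    # A grant that was justified once, but the project it served has ended.
    policy.grant("former_pm", "clinical_results", "ran the phase II project", date(2023, 6, 1))

    day = date(2024, 3, 1)
    decisions = {
        "vp_sales->clinical_results": policy.can_access("vp_sales", "clinical_results", day),
        "vp_sales->sales_forecast": policy.can_access("vp_sales", "sales_forecast", day),
        "lab_tech->clinical_results": policy.can_access("lab_tech", "clinical_results", day),
        "lab_tech->sales_forecast": policy.can_access("lab_tech", "sales_forecast", day),
    }

    # Quarterly review: flag grants idle for more than 90 days and remove them.
    stale = policy.stale_grants(today=date(2024, 5, 1))
    for g in stale:
        policy.revoke(g.principal, g.dataset)

    return {
        "decisions": decisions,
        "stale_principals": sorted(g.principal for g in stale),
        "former_pm_after_review": policy.can_access("former_pm", "clinical_results", date(2024, 5, 2)),
    }


if __name__ == "__main__":
    for k, v in pharma_scenario().items():
        print(k, v)
```

Two design choices carry the article's point: every grant must record a reason, so "why does this person have access?" is always answerable, and the review keys on last use rather than on job title, which is how access that was once legitimate but is no longer needed gets found and removed.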

Supplier security

Hold your suppliers and external consultants to the same standards that you maintain internally. A good starting point is to implement a non-disclosure agreement (NDA). Have your attorney or legal department prepare non-disclosure agreements for outside parties who need access to internal information.

It is important to ask the right questions before engaging a supplier. Just as owners and executives invest time in preparing interview questions for key personnel positions, preparing questions for potential vendors can help you avoid data security pitfalls. Here are a few examples:

  • Can you contractually guarantee that all data storage and processing will be on US servers, even when using AI?
  • Where are your sub-processors and support locations located?
  • Is there remote access to these locations from outside the US?
  • Do you ever export log files, backups, crash dumps or model telemetry to locations abroad?
  • Are there individuals outside the US who review transferred data (even fragments) for quality assurance or labeling purposes?
  • Can we use a US-based region with no data retention and no use of our data to train AI models?
  • Do you have a breach playbook and US-based incident response?
  • Will you sign our Data Processing Agreement (DPA) with US-only clauses and damages?

Admittedly, some of the above questions may seem excessive, but depending on your data security needs they provide a solid foundation for identifying vendor weaknesses. Additionally, be wary of offshore vendors, lax compliance standards and outdated security protocols.

Pros and cons of AI data protection tools

AI has had a significant impact on data security in several ways. On the positive side, AI improves data security through advanced threat detection, reducing incident response times. However, there are also challenges, such as AI-generated malware attacks and the risk of sensitive data leakage from shadow AI tools.

Let’s focus on the benefits of AI in threat detection. In addition to the previously mentioned benefits, AI tools can analyze patterns of both past and current attacks, providing a better understanding of how to prevent future attempts to breach data systems.

Another valuable application is machine learning (ML), which can identify vulnerabilities in code that might go unnoticed during manual inspections. Developing proactive tactics is often more effective than relying solely on defensive strategies.

AI data security is a complex topic. Whether it’s someone from your IT team or an external consultant, developing a comprehensive data security plan should be at the top of your to-do list today.
