While users are advised to observe password and cybersecurity best practices online, organizations shoulder grave responsibilities and regulatory obligations to keep data secure. Here is a short checklist for IT teams to abide by…

1. Take a top-down approach to protecting data. Start with a policy and standards that classifies all types of data your team would expect to create, collect, store, or generate.
2. Once these data classification standards are in place, catalog where all sensitive or privacy data is collected, handled, or stored into an inventory. You cannot protect something if you do not know where or what it is.
3. Third-party partners add an additional layer of complexity because firms often have to grant access to data that should be protected by third-party partners that have different levels of security around data access and protection, security policies, and exposure. When providing access to a third-party, their attack surface becomes your attack surface.
4. Protecting client data is extremely important because this type of sensitive information getting leaked often leads to reputation risk for the organization, whether its sensitive Personal Identifiable Information (PII) or credit card transactional data protection required by the Payment Card Industry Data Security Standard (PCI DSS) standard.
5. Organizations have a responsibility to protect this data, as very often the lack of action can not only lead to legislative fines but also class action lawsuits due to the data breach.
6. After the privacy data inventory is built and maintained, controls around protecting data while it is at rest, in transmission, and its secure disposal, can be applied throughout the environment. These controls can include encryption to protect its confidentiality while being stored or transmitted, identity access management controls to prevent unauthorized parties from accessing it, and segmentation controls to limit the reach if an attacker does gain access to a portion of the internal infrastructure.