Many small businesses handle confidential information ranging from trade secrets and client data to signed contracts and personnel documents. As a manager or owner, it’s your responsibility to protect and secure this data.
Start your file security program by separating digital and hard copies into two categories: protected information, such as legal documentation and employee files, and information that’s available to all workers, such as proprietary blueprints or trade secrets. Store the protected files separately and restrict access to prevent your employees from seeing confidential data.
Even if your company is going digital, physical file management is still an important concern. The Canada Revenue Agency requires you to keep business records for at least six years from the end of the taxation year, for example, and you must also manage employment applications, paper contracts, and legal forms. To keep documents safe, invest in sturdy file cabinets with secure locks. Audit your filing system on a regular basis to ensure nothing is missing, and destroy extra paper copies using a cross-cut shredder.
Digital security is a serious concern for small businesses. To protect your digital files, take these precautions:
- Store your confidential files on a secure, in-house server
- Restrict file access to necessary employees
- Use strict password protocols and require your employees to change passwords every three months
- Prevent employees from downloading files to USB drives and public cloud accounts
- Use an encrypted virtual private network to transfer and access files when workers are out of the office
- Ask employees to avoid emailing files
- When emailing is necessary, use only encrypted office email accounts
- Do not use public Wi-Fi networks to access confidential information
Computers and Mobile Devices
If your employees use home computers, laptops, smartphones, and tablets to access digital files, your confidential data might be at risk. It’s not uncommon for an employee to download a client file to a personal phone to review, but if the device is lost or hacked, it exposes sensitive information. The same goes for company email accounts.
For many companies, it’s unreasonable to restrict file, email, and text access to the office. One solution is to provide phones, tablets, or laptops to each employee for work use; that way, your IT staff can add security software, malware protection, and secure password protocols. If that doesn’t fit your budget, use secure systems to control remote data access: use a secure authentication system for the network, allow files to be viewed but not downloaded, and require workers to check email using a secure app.
When it comes to protecting employee data, your human resources department is the first line of defense. HR workers manage a huge amount of personal information, including social insurance numbers, performance reviews, financial records, and tax forms, so it’s important to take extra precautions.
Employee data protection starts with your database, so it’s a good idea to restrict access to your HR staff and give each person an individual login. Avoid sending personal information by email, and when you must, check each message carefully to ensure that it’s going only to the person in question. Be sure to train your staff and management in these practices to ensure that they don’t accidentally share performance reviews or personal data by email. When scheduling disciplinary meetings online, don’t include the reason or the employee’s name in the title. If the meeting is automatically added to your calendar, that private information is visible to everyone else who has access.