Is your business prepared for a cyber-security attack? How conscious are you about the customer data you collect and keep? Who has access to that data on your simPRO platforms?
As a business operating and using cloud technology, it’s your responsibility to take your data and security measures seriously. Just like your own personal and financial information, the customer and employee data you are trusted to keep in your simPRO platforms and in other applications should have the same level of care and protection.
When we talk about data, we consider all of the information that pertains to the records you keep on your staff, the jobs they do, and the customers you serve. This includes all data that is entering, living in, and leaving simPRO through exports, backups, and integrations with other applications.
There are many reasons to prioritize data security. Legally, business owners have a duty of care to keep the data they hold secure, or face potential fines and lawsuits. From a business standpoint, protecting the information you hold about your customers and employees from hacks or data leaks safeguards your business from bad press, loss of trust, angry clients, and significant customer churn. On a more human level, you will spare them and yourself the emotional, mental and physical distress of having personal and sensitive information compromised.
Data security is a serious business. Having well-prepared policies and procedures in place, and ensuring your team adheres to the practices you have set, will put you in the best position to safeguard your data.
Check out these 5 tactics you can put in place to keep your data in simPRO safe and secure.
1) Activate 2-factor authentication in simPRO
Enabling 2-factor authentication (2FA) in your simPRO platform adds a second check at login: users must confirm their identity on another device before they are granted access. Someone who has obtained only a username and password, for example from a remote location, is therefore still locked out of your platform.
2) Get serious about passwords
Implement a password policy that enforces the use of strong passwords and requests employees to change their password regularly, at least every three months. A strong and effective password should be a mixture of upper and lower case, as well as numbers and special characters. Passwords should never be written down on paper or recorded in an unsecured document or platform. Consider using a secure password application, such as Google Password Manager, LastPass, or 1Password. These platforms help you save, manage and protect your passwords.
Passwords should never be shared. Giving each person a unique user and password in your platform enables greater transparency and lets you trace activity clearly to an individual user. Should an employee leave the business, removing their access is then straightforward and does not affect anyone else who might otherwise have shared that account and password.
3) Continuously monitor users and their roles
Do you know who has access to your data, and what access they have? If you are using simPRO make sure the security permissions you have set are applicable to the types of roles in your business. We recommend you review the security groups you have created and ensure team members have been correctly assigned. Think about the types of information and data your team actually needs to see. Placing limits on what they can access will reduce vulnerability for your business.
Document a procedure to decommission staff as they leave your business that clearly outlines how promptly their access is removed and the actions required to reassign any jobs or tasks to another staff member.
If you have an external accountant or auditor who needs to access simPRO, be sure to enable the correct user setting, which gives them access only on the terms you allow. In doing so, they will hold a separate login with restricted access to your data.
4) Only collect the data you need
Consider all the information you already retain in your simPRO platform: the data you collect about customers, your staff, and even your suppliers. Do you really need it all?
Of course, there is information you need to collect relating to current jobs and projects, warranties, and guarantees that may be required to conduct your day-to-day business. However, only collecting the data you need will decrease the external value of your data to any actor who holds malicious intent. This will also increase your customer’s confidence in you. In short, the more data you collect, the more valuable your data might be to hackers.
Creating a policy and procedure to guide your users about data security when they use simPRO or any other application will make everyone aware of their roles and responsibilities.
Maintain a record of all of your data processing activities. It's useful to create a document that describes all the data you collect about your customers and employees, across all of your operations, including all the technology you use to collect and store the data. Consider every source of data that your marketing, HR and sales teams, and any third parties, collect on your behalf. If you are operating under GDPR rules, this is a requirement and is called a Record of Processing Activities (RoPA).
5) Conduct an audit of the data you hold
To help you conduct an audit, review the Record of Processing Activities (RoPA) alongside your data security policy to check how well you are safeguarding your data.
Your Policy should include a requirement to regularly conduct an audit of your operational and data management procedures and update them as required to keep them from becoming redundant or outdated. The audit should be conducted (at a minimum) on an annual basis. This is a reminder to perform a clean-up of your database and archive old customer contacts and jobs, to ensure you are only keeping the data you need.
If you are keeping personal information about your employees in simPRO, ask whether some of it would be better safeguarded in your payroll system. Ensure that you are using simPRO in the manner intended; a payroll or HR management system may be better suited to some types of information.
If you have employees who have left your business, put measures in place to remove and archive their information from your system. If they are tied into jobs, you will need to archive any related jobs, prior to doing the same with your customers and employees. The bulk delete function can speed up the process of removing unnecessary data from your simPRO platform.
It's handy to use license expiration dates to help track when information can be reviewed, archived, and deleted. For example, you might hold an employee's driver's license details, passport, and other personal information; after a period that information may no longer be relevant, and the expiry date gives your admin a prompt to remove it. These expiry ‘alerts’ can also be used on files such as attachments, where you may have a digital image of an employee’s license or passport.
If you are guilty of holding customer credit card information in custom fields, it’s time to clean up your practices and remove that information from your system. Instead, use secure integrated payment systems such as Square and Stripe. This matters because information contained in custom fields can be seen by your internal teams, by simPRO, and through any integration you have connected to the simPRO platform. So if it’s sensitive, get rid of it.
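The two audit tasks above, finding card numbers left in free-text custom fields and spotting attachments whose expiry date has passed, can be checked mechanically over an export of your records. The script below is an added example, not simPRO code or any simPRO API; it assumes the records have been exported into plain dicts with the hypothetical keys shown, and the sample data (including the well-known test card number) is constructed.

```python
"""Data-hygiene audit over an exported record set (added example, not simPRO code).

Assumes records were exported into dicts with hypothetical keys:
id, custom_fields (name -> text), attachments (name, expires).
"""
import re
from datetime import date

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_probable_pans(text: str) -> list[str]:
    """Return Luhn-valid digit runs found in free text (probable card numbers)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_records(records, today: date) -> dict:
    """Flag custom fields that look like card data and attachments past expiry."""
    findings = {"card_data": [], "expired": []}
    for rec in records:
        for name, value in rec.get("custom_fields", {}).items():
            if find_probable_pans(str(value)):
                findings["card_data"].append((rec["id"], name))
        for att in rec.get("attachments", []):
            if att["expires"] < today:
                findings["expired"].append((rec["id"], att["name"]))
    return findings


# Constructed sample export; 4111... is a standard test card number, the PO ref is not.
SAMPLE = [
    {"id": 101, "custom_fields": {"Notes": "card 4111 1111 1111 1111 exp 12/26"},
     "attachments": [{"name": "licence.jpg", "expires": date(2023, 6, 30)}]},
    {"id": 102, "custom_fields": {"Notes": "PO ref 1234567890123"},
     "attachments": [{"name": "passport.pdf", "expires": date(2031, 1, 1)}]},
]
REVIEW_DATE = date(2024, 1, 1)

if __name__ == "__main__":
    print(audit_records(SAMPLE, REVIEW_DATE))
```

Run it against a real export and every entry under card_data is a custom field to purge, while every entry under expired is a file due for the review described above.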