Knowing what data owners have and where it is located will allow them to explore their risks and related state and federal regulations, and to designate a privacy officer at the company.
The plan should also include some simple workforce education on how data breaches come about and what can be done to prevent them.
In addition, an outside information technology company should perform a risk assessment.
Craig Petronella, president of Petronella Technology Group in Raleigh, said owners can protect themselves by having a good backup system, testing it regularly and establishing a security policy that defines when everything is patched.
“And the protocol to fulfill that,” he said. “Then there should be testing of the patches.”
Other measures include implementing two-step password authentication and having a firewall that is patched and up to date. Owners should also implement monitoring that goes beyond a firewall and looks at the traffic to detect malicious activity.
Also, Petronella said, a large number of people are sending sensitive information via email, which is not secure.
“Think of email as a postcard where all info is written on the outside of the package,” he said.