It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Stacy Eldridge, Founder and Data Protection Evangelist at Silicon Prairie Cyber Services LLC. Stacy helps small businesses protect their business, their information, and their customers from cybercriminals using a three-phase approach that is proven to prevent 80% of cyber-attacks.
Stacy’s security career includes conducting hundreds of digital investigations at the Federal Bureau of Investigation, managing the Data Loss Prevention program for General Electric, and leading cybersecurity programs responsible for the protection of critical infrastructure. Through the years Stacy has seen too many horrible things happen to good people and to good businesses. Stacy knew there had to be a better and simpler way to provide small businesses with the cybersecurity services that they needed and deserved to have. Today, Stacy focuses on providing her clients with the education and tools necessary to stop cybercriminals in their tracks using a simplified approach tailored to the small business owner. Stacy is working to launch a new service that will increase brand visibility and awareness for clients by reducing the delivery of their emails to spam.
Stacy has spoken at the Nebraska Cybersecurity Conference, FemCity, This Is It TV, AITP, the SCC and UNL Entrepreneurial Centers, and Women in Tech of the Heartland. Stacy is a licensed private detective and has the following certifications: GSEC, GCCC, GCFE, ACE, and CFCE and received her Master of Science from Bellevue University in 2006.
Stacy resides in Bennet, NE with her husband and son, and looks forward to traveling the world again someday soon!
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up on a farm not too far from Lincoln, Nebraska. I went to the same school in the middle of a cornfield for grades K-12. I think I’m really lucky to be part of the generation that was the last to freely roam outside, use a rotary phone, have a non-digital past, and see the future quickly become the past.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I was drawn to technology at an early age. All it took was playing Oregon Trail on an Apple IIe at school, printing banners at a friend’s house, and the Logo programming class in 5th grade to know that technology was for me. I thrived in my computer programming classes in high school and pursued a bachelor’s degree in information technology because I found those classes challenging. I spent most of my high school days deeply involved in the Civil Air Patrol, and I had planned to join the Air Force. I landed a terrific job as a software developer before I completed my degree and I never got around to joining the Air Force. My next career move was into the Federal Bureau of Investigation, which was the launching point for my security career. I loved the contributions I could make in the FBI by putting my technical know-how to use by conducting investigations on computers and digital media to determine the facts of the case. It was a great fit to be techy while making a difference in society.
Can you share the most interesting story that happened to you since you began your career?
The most interesting story that comes to mind was the time when the FBI was literally laundering money. The team was executing a search warrant for a case involving drugs. I remember being nervous on the search because SWAT came with us because of the strong possibility of violence. It was a rarity to have the SWAT team along. I was there to search and seize digital media like laptops and thumb drives, but to find them I was looking through everything right along with the rest of the team. I remember we kept finding one or more weapons in every room of the house; now it was clear why SWAT was there. The team also needed to locate and seize a large sum of cash tied to the investigation. They found the cash underneath the house in the crawl space that was flooded with sewage (who says the FBI isn’t glamorous?). The case agent contacted the Treasury Department to determine how to clean the money. They advised him to take the money to the laundromat to wash it. Imagine a team of FBI agents literally laundering money at the laundromat. Then some poor soul had to iron all the money afterward so it could be put back in circulation. If you didn’t think cash was dirty before, I think you might now.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’m grateful for Chris Pluhar. Chris was my supervisor when I was in the Los Angeles office of the FBI. He helped me stretch my investigative and technical skills when examining digital media for evidence so I could do it better and faster. He encouraged me to experiment with new technologies and techniques. If it wasn’t for him, I never would have known how much of an asset Linux could be to my toolbox. He assigned me large and complex cases to work on, which stretched my thinking and approach. It made me get better with every case I worked on, which meant more detailed results and more cases worked. He also did an excellent job of artfully helping me work on my development needs while simultaneously recognizing my strengths and praising my wins. He was the best supervisor I had while I was in the FBI.
Are you working on any exciting new projects now? How do you think that will help people?
I am working to launch a new course that will help small business owners increase the reach of their email list by taking their email from spam to seen by getting their emails delivered to the inbox. This will help small business owners increase their open rates and conversion metrics, which leads to an increase in visibility and brand awareness. It’s hard to build trust and grow a business when nobody sees your emails, and this information will solve that problem.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Work for a company that fosters a culture that aligns with your authentic self rather than changing yourself to fit the company. We spend more time at work than with our families and friends, so it’s important to find a work home where you can be yourself. You will be more productive, energetic, and trustworthy when you’re not having to fake it all the time. You’ll be able to focus on the steps required to meet your goals rather than worrying about how you need to show up. Not only will being authentic make you a better, more confident leader, it will also make people more comfortable around you, which fosters a better work environment for everyone.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
A variety of statutes exist today that require businesses to provide reasonable security for sensitive information. Notable statutes with varying levels of reach include the California Privacy Law (CCPA), the Federal Trade Commission Act, and the General Data Protection Regulation (GDPR), and they all have the same end goal: to protect an individual’s privacy and information.
To meet these types of legal requirements businesses must know what information they are storing, where it’s at, and how long they’re going to keep it. They must protect the information by restricting access to it physically and electronically. Require locked rooms, usernames and strong passwords, and encryption to restrict access. When it’s time to destroy the information, you need to have a solution in place to securely destroy it so recovery isn’t possible. This can range from shredding papers to securely erasing hard drives. This all becomes much more manageable when businesses keep only the required information and no more.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
The best practice is to only keep the information as long as you need it to conduct business. It will vary depending on the type of information and any regulatory obligations you must meet. You can destroy most information when it’s two to three years old.
In the face of this changing landscape, how has your data retention policy evolved over the years?
My data retention policy has moved away from technology and tools to knowledge. You must know what you have and keep it simple. The first step is getting to know the type of information you have. Second, determine what information is mandatory, and keep only the must-haves. Third, determine the value of that data either by cash value or potential risk to the company should the information fall into the wrong hands. It’s a whole lot simpler to protect a small set of data when you know how valuable it is and how much protection it requires based on its value.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Data retention policies should be simple, easy to understand and follow. Extremely long policies written in the style of legal contracts serve no one. I build my data retention policies and procedures upon the pillars of data classification, data value, and regulatory requirements. Reduce the odds of data lingering for years by creating requirements for data backups too. Don’t forget to include how you’ll handle pending litigation.
My operational procedures for data retention revolve around keeping only the must-have data, restricting access by user, requiring a strong password and MFA, keeping it encrypted, and keeping it backed up. When no other regulations apply, I destroy information at the two-year mark.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
I remember when I was working in the Data Loss Prevention department at General Electric and GDPR was coming out. We were a little unhinged and worried about how we would keep the program afloat and be able to protect the crown jewels effectively in the future. After spending a lot of time worrying about GDPR I lean towards not worrying about pending legislation and instead make an action plan once it’s finalized. When attempting to develop a policy for something that’s pending and always changing, it’s like trying to hit a moving target. You will not be successful and it only increases frustration for you and your staff. Instead, wait until it’s finalized and then develop a project plan to meet the requirements. In my experience, they give you a reasonable amount of time to create and implement the policy.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools today allow you to become extremely granular with the policies you set within them. This reduces the problem of saving too much or too little because the tech couldn’t be configured correctly. Each organization should research multiple tools to identify the tool that will best meet the needs of your unique situation. Leverage requests for proposal (RFPs) because they will save you more time than you realize. List your tool functionality requirements in the RFP and let the vendors come to you. Spend your time evaluating the options that meet your requirements rather than researching everything that might fit the bill.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
These incidents show the fundamentals are the cornerstone of success to protect your business, your customers, and your data. When you intimately know the information and assets you have, coupled with knowing normal data flows, you’ll have a winning protection strategy. Begin with the basics as outlined in the Critical Security Controls and go layer by layer to implement those protections that prevent attacks. I’m tired of solutions and standards that fall into the category of good cyber hygiene and aren’t evidence based. Your defense strategy must be based on techniques and solutions that are proven to prevent cyber attacks that are happening today. A prominent example of this was the previous standard that a password needs to be at least 8 characters long and changed every 90 days. Years later, the standard creator shared it was completely arbitrary. You need to know how data breaches start and focus on preventing that; the Critical Security Controls do an outstanding job of prioritizing this for you. Keep it simple by eliminating devices that are not actively used or monitored. You know the story, the year-end purchases or the things that seemed cool to use. They get plugged in, but never configured, and now they don’t provide any value or actionable data.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Keep it simple. Write policies in plain English and make them easily understood by anyone accountable, responsible, consulted, or informed of the policy. Divide your data retention strategy into three separate documents: the policy, the standard, and the procedure. The policy is the formal statement of your data retention approach that must be followed. The standards address the specific configurations and technologies that must be used. Procedures are step-by-step instructions or checklists that must be observed to comply with the policy. This type of breakdown simplifies the change and approval processes.
- Know what you have. If you don’t know what you have, you can’t protect it, let alone destroy it when the time comes. Figure out what you have and catalog it according to your data classification policy.
- Map your data. Just like every good explorer needs a good map, you’ll need a good map to track and catalog all your data. As mentioned above, identify the stored information, where it’s at, and how long you’re going to keep it. You can go deeper and track data type, purpose, value, risk, retention justification, retention length, where it’s stored, and who can access it. Set a reminder to review that map every year to keep it up to date.
- Everyone doesn’t need to know. Don’t give everyone access to everything. If they don’t need to know or don’t actively work on the data, then they shouldn’t have access to it. Restrict access via unique user names and passwords. Job duties, not the job title, dictate the access granted. Review and revoke access as required, at least yearly and upon every job change.
- Encryption is king. Encrypt. Encrypt. Encrypt. You should be encrypting at every opportunity. It’s important to not only encrypt your information but all of your devices as a whole including mobile phones and thumb drives. Encrypt your data when it’s moving and when it’s at rest. Encryption can reduce your exposure during a breach. If someone gains unauthorized access, everything on the network won’t be wide open for prying eyes.
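The data map, the two-year destruction default, the legal-hold exception and the duties-based access review described above can all be driven from one catalog. The following is an added example written for this page; it is not code from the interview or from Silicon Prairie Cyber Services. The data-map fields mirror the ones listed under “Map your data”; the records, users, dates and the 7-year invoice rule are constructed sample values, and reading “two years” as 730 days is an assumption.

```python
"""Retention sweep and access review driven by a data map (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The interview's default: destroy at the two-year mark when no regulation
# applies. 730 days is an assumed reading of "two years".
DEFAULT_RETENTION_DAYS = 730


@dataclass(frozen=True)
class DataMapEntry:
    """One row of the data map: the fields the interview lists, plus a legal-hold flag."""
    name: str
    data_type: str
    purpose: str
    value: str                      # "high" / "medium" / "low"
    retention_basis: str            # regulatory obligation or business justification
    retention_days: Optional[int]   # None -> DEFAULT_RETENTION_DAYS
    location: str
    needed_by_duties: frozenset     # job duties that actively work on this data
    created: date
    legal_hold: bool = False        # pending litigation: never destroy while set


# Constructed sample data map; names, dates and durations are made up.
SAMPLE_MAP = [
    DataMapEntry("crm-customers-2020", "customer PII", "sales", "high",
                 "business need", None, "crm database", frozenset({"sales"}),
                 date(2020, 3, 1)),
    DataMapEntry("invoices-2016", "invoice", "accounting", "medium",
                 "tax records (assumed 7-year rule)", 7 * 365, "finance file share",
                 frozenset({"accounting"}), date(2016, 6, 15)),
    DataMapEntry("support-tickets-2019", "customer PII", "support", "medium",
                 "business need", None, "helpdesk", frozenset({"support"}),
                 date(2019, 1, 10), legal_hold=True),
    DataMapEntry("newsletter-list", "email addresses", "marketing", "low",
                 "consent-based", None, "mailing tool", frozenset({"marketing"}),
                 date(2022, 9, 1)),
]

# Constructed access list and job duties for the review (not a real organization).
USER_DUTIES = {"alice": {"sales"}, "bob": {"accounting"},
               "carol": {"marketing"}, "dave": {"support"}}
CURRENT_ACCESS = {
    "alice": {"crm-customers-2020", "invoices-2016"},    # kept finance access after a job change
    "bob": {"invoices-2016"},
    "carol": {"newsletter-list", "crm-customers-2020"},  # marketing does not work the CRM
    "dave": {"support-tickets-2019"},
}


def destroy_by(entry):
    """Date on which the entry's retention period ends."""
    days = entry.retention_days if entry.retention_days is not None else DEFAULT_RETENTION_DAYS
    return entry.created + timedelta(days=days)


def retention_report(entries, today):
    """Sort the map into: destroy now, past due but on legal hold, and still retained."""
    report = {"destroy": [], "legal_hold": [], "retain": []}
    for e in entries:
        if destroy_by(e) > today:
            report["retain"].append(e.name)
        elif e.legal_hold:
            report["legal_hold"].append(e.name)
        else:
            report["destroy"].append(e.name)
    return {k: sorted(v) for k, v in report.items()}


def access_review(entries, user_duties, current_access):
    """Yearly/job-change review: (user, entry) pairs whose access matches none of the user's duties."""
    by_name = {e.name: e for e in entries}
    revoke = []
    for user, names in current_access.items():
        duties = user_duties.get(user, set())
        for name in names:
            entry = by_name.get(name)
            # Access to data that is not on the map is itself a finding: it cannot be justified.
            if entry is None or not (duties & entry.needed_by_duties):
                revoke.append((user, name))
    return sorted(revoke)


if __name__ == "__main__":
    today = date(2023, 1, 1)
    print(retention_report(SAMPLE_MAP, today))
    print(access_review(SAMPLE_MAP, USER_DUTIES, CURRENT_ACCESS))
```

On the sample map, run as of 2023-01-01, the CRM extract is due for destruction, the support tickets are past due but frozen by the legal hold, and the invoices and mailing list are retained; the access review flags the finance access alice kept after changing jobs and carol’s CRM access, which no marketing duty requires.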
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I’d like to ask everyone to use their influence in this movement. I’d like to inspire more people to implement DMARC policies. All businesses, but especially medium- to large-sized businesses, need to implement DMARC, DKIM, and SPF policies. Depending on the complexity of email usage in your business, it might not be fast, but it will be super effective, and everyone can do it. When you have all three policies implemented, you will gain two tremendous benefits. First, you can stop others from spoofing your email addresses and protect your brand. Second, you can reduce the number of phishing emails that are coming into your organization, thus reducing the risk of a cyber attack.
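To show how the three records work together, here is an added example (not from the interview, and not Silicon Prairie’s tooling) that evaluates a message the way a receiving mail server does: SPF on the envelope sender, then the From: domain’s DMARC policy with identifier alignment, so a spoof with no aligned authentication gets the p=reject disposition. The TXT records, IP addresses and domains (example.com, mailer.example) are constructed stand-ins for DNS lookups; the SPF evaluator covers only ip4/ip6/include/all terms, DKIM signature verification is represented by its result rather than performed, and the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
"""SPF + DMARC evaluation of a message against constructed DNS records (added example)."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups. example.com is a
# reserved documentation domain; mailer.example is a made-up third-party sender.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "bounce.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/28 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, dns=DNS_TXT, depth=0):
    """Minimal SPF evaluator: ip4/ip6/include/all terms with qualifiers (RFC 7208 subset)."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if spf_check(sender_ip, term[len("include:"):], dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no "all" term


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with the RFC 7489 alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplification (assumption): last two labels. Real code consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_message(sender_ip, from_domain, mail_from_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Run SPF on the MAIL FROM domain, then apply the From: domain's DMARC policy.

    dkim_result/dkim_domain are a DKIM verifier's outcome and the signature's d= tag;
    verifying the signature itself is outside this example.
    """
    spf_result = spf_check(sender_ip, mail_from_domain, dns)
    record = dns.get(f"_dmarc.{from_domain.lower()}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return {"spf": spf_result, "disposition": "no-policy"}
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    # DMARC passes when at least one authenticated identifier aligns; otherwise p= applies.
    disposition = "pass" if (spf_ok or dkim_ok) else policy["p"]
    return {"spf": spf_result, "disposition": disposition}


if __name__ == "__main__":
    # Spoofed mail from an unlisted IP with no DKIM signature is rejected outright.
    print(evaluate_message("192.0.2.77", "example.com", "example.com", "none", ""))
```

Two cases are worth trying by hand: a third-party mailer sending with its own bounce domain passes only because its DKIM signature carries d=example.com (SPF cannot align there), and switching the policy to aspf=s turns a relaxed-aligned bounce.example.com envelope sender into a failure. Both are the situations that make a DMARC rollout “not fast” for a business with complex email usage.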
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!