It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Steven Knight. He has a BA in Computer Science from Central College (Pella, IA) and an MS from DePaul University (Chicago, IL) with a focus on computer, information, and network security. Steven has been working in a professional capacity with networking and security for ten years. His current responsibilities at Hey DAN include helping to secure communications platforms as well as supporting a workflow used by 50 of the top 250 asset managers worldwide. Steven’s responsibilities include updating, implementing and deploying Hey DAN’s security policy as best practices evolve. Learn more about what Steven is up to at https://heydan.ai/
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up with both of my parents being heavily involved with computer programming. Because of this I had access to computers from an early age and was able to experience much of the explosive growth revolving around home personal computing and the Internet.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I have always been interested in computers and technology but I didn’t always want to follow it as a career path. When I started my undergraduate degree I was determined not to major in computer science because I didn’t want to work in a field related to my favorite hobby — some fear that “work” would corrupt what I enjoyed. I couldn’t have been more wrong and am extremely happy I changed my mind.
Can you share the most interesting story that happened to you since you began your career?
I always find it interesting/nice when I can submit bug reports or feature requests to third party software or hardware vendors, and the problem actually gets fixed or implemented in a timely manner. I don’t have a specific case. I just enjoy being able to help make a product a little better.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My parents were always very supportive of me during my education, and also with helping me understand how important computers would become. At a very young age I remember my parents reviewing a simple QBasic program I had made for fun. This was during a time when only 1 or 2 of my classmates even had a home computer. I don’t remember what the program did, but I do remember it consisted of many GOTO statements. I would later use similar skills to write simple applications on my graphing calculator during high school.
Are you working on any exciting new projects now? How do you think that will help people?
Hey DAN is always working on something new, which certainly keeps things exciting. Most recently I’ve been involved with a new method of connecting a telecom carrier to our conferencing platform. When deployed it will enhance communications on our platform.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Don’t be afraid to take time off when you need it. There will always be some critical project or deadline to worry about on the horizon. It is more important to produce quality work with your mind in the right place. Take up hobbies that don’t involve an electronic screen!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Different specific laws or regulations will apply in different cases, but the short version is that businesses have a legal obligation to protect customer data from unauthorized disclosure. This obligation to protect data is met by implementing clear data policies that cover things like what data is collected, how that data is used, how long it is stored, access control lists, ensuring data is encrypted, etc. It is important that the customers/clients are satisfied with how their data is used and protected.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Some general best practice tips would be to encrypt data at rest and in transit. Security controls, and how that data is accessed, are another critical component. Customer information should certainly be destroyed at some point, but that specific point (outside of legal requirements) will vary based on the data collected and the particular business application for that data.
In the face of this changing landscape, how has your data retention policy evolved over the years?
I think our data retention policy is more clearly outlined now than years ago, but the fundamentals of the data retention policy have not changed much.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
All data is encrypted in storage. Different types of data are stored for different durations. Some data is removed at regular intervals.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
GDPR was a pretty big event related to data protection that we devoted a lot of resources to. Most data protection legislation follows similar principles that Hey DAN has always upheld, so I am not worried about any future legislation.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
We handle everything in house so I cannot state if tools have matured to help manage data retention practices, or recommend any particular tools.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
Anytime there is an outage (or a breach) that impacts other companies it is important to look at what went wrong and ensure that you do not run into the same problem. We strive to regularly review security and policies, audit systems, and revise training for employees; all to ensure we stay on the leading edge of data protection.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
I think by now we have touched on most of these through my answers from other questions:
1. Ensure that your sensitive data is encrypted no matter where it is (at rest and in transit). If data is only encrypted sometimes or in some cases then you will not have complete protection from another potential set of eyes on it.
2. Pay close attention to privileges/permissions. Only users that absolutely need access should have access. If all users are given access to sensitive data by default because they might need it someday, you are opening up a larger vulnerability gap than if you restrict access to only those that absolutely need it. Also, it is critical to make sure offboarding is done quickly and reliably when a user no longer needs access.
3. Have clear data use and retention policies. It is important to outline the exact plan for data, and how it is to be retained. This is helpful to share with clients/customers, but it is also important to make sure your technical team is following these policies.
4. Regularly audit/review systems. Be sure policies are actually being followed, and no cases are falling through the cracks. Just because a policy is established for a certain case doesn’t necessarily mean it is always done. Take the time to verify, at a regular interval.
5. Don’t forget about the users! Many security experts consider users to be the biggest threat. Take time to train everyone about potential attack vectors and the importance of protecting data. It doesn’t matter how robust the security of backend/technical solutions may be if a customer facing employee can be easily tricked into giving the wrong information out.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would just encourage everyone to be as compassionate and caring for others as possible.
How can our readers further follow your work online?
You can always find what we are up to at https://heydan.ai/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!