Whether you’re an employer or a channel-driven organization, you’re likely under a lot of scrutiny and regulation to protect the considerable amounts of personal data that are collected on your employees and partners. The amount of data being collected grows even larger when you start to think about the event, incentive and employee recognition programs you have in place.
The truth is, we need data to run a smart engagement program to know:
- How well participants are performing.
- What products are being sold.
- What financial returns are being generated.
- And more.
It’s great to have all that data in an accessible, analyzable spot online, but you’re also opening up the possibility of a data breach. In the wrong hands, that data can be incredibly harmful.
Here are a few best practices to follow to ensure your program doesn’t fall prey to malicious or accidental data breaches. If you work with a third-party provider who manages your event, incentive or recognition program, make sure they follow these best practices rigorously and also meet the requirements of industry compliance regulations you are held accountable for like SOX, GLBA, FedRAMP, FISMA, GDPR, CCPA and many others.
Encrypt All Program Data
With any event, incentive or recognition program, there’s a lot of data. And, complicating matters further, much of that data doesn’t sit in one place—it’s being transmitted from system to system.
According to Digital Guardian, one of the most effective data protection methods for data in transit and data at rest is data encryption, which converts and conceals information—and only the receiving computer can unscramble it.
For your programs, all personally identifiable information should be encrypted both in transit and at rest. This keeps participants’ information safe and safeguards your business from data loss.
Perform Penetration Tests
Proverbially speaking, the best way to get to know someone else is to walk a mile in their shoes—to put yourself in their place. And the best way to ensure your data is safe from harm is to pretend like you’re a hacker interested in stealing that data.
Start with performing vulnerability scans on your systems and remediate those findings to eliminate doors that hackers see as low-hanging fruit—such as missing patches.
But don’t rely just on vulnerability scans. Hire information security professionals trained to perform penetration tests, which involve the use of attack methods and tools that are leveraged by hostile intruders or hackers. They’re a great way to identify vulnerabilities of a system, according to SANS.org, and help upper management stay aware of potential setbacks and appropriately respond to problems.
Ensure Network Security
Shops, restaurants, hotels—it seems like there's free Wi-Fi everywhere these days. And, if your event, incentive or other initiative takes your participants off-site, you might discover your venue or hotel offers free Wi-Fi, too.
But are those free networks secure? Not always.
Open Wi-Fi networks are not always safe, even if you have to type a password in. And that means your data—and the data of everything and everyone involved with your program—is at risk.
Instead of relying on the network the venue offers, make sure you use a VPN (virtual private network), which encrypts the data you’re transmitting so that only the authorized endpoints can read it, minimizing the risk of that data being intercepted by unauthorized parties on the venue network.
This doesn’t mean you need to put all of your attendees on a private network. At a minimum your event registration, check-in and anyone dealing with personally identifiable information (PII) needs to be using a connection that is secure and protected.
Back at the office, your people still need a secure data connection to ensure safe program participation. ZDNet recommends a host of network security measures, including antivirus software, firewalls, intrusion detection devices and more.
Limit Access to Data
While much of your program data is in transit—moving back and forth on the network—some is at rest on servers. To prevent that data from ending up in the wrong hands, access to it must be restricted.
User access should be limited to the personnel who actually need the data. Following the principle of least privilege ensures that your data is available only to those who need to use it.
According to an article from Tech Republic, data stored on servers should be kept under lock and key. Only authorized personnel should be allowed near it to reduce risk of accidental damage to data or malicious theft. Physical access to servers should be tracked with the use of security cameras and badge/biometric access systems. If you have data stored on your local hard drive, make sure you have disk encryption enabled on that hard drive and keep the data off of flash drives.
If you’re planning an event or incentive travel program, make sure all event spaces are equipped with appropriate security access measures—keycards, lanyards and more.
Vulnerable data doesn’t only exist in digital form. Paper brochures, handouts and other pieces of physical information may accidentally be left behind. Keep paper shredding services on hand, avoid using flash drives and do final sweeps of venues to make sure no sensitive program data is abandoned.
Track Data Access
Who last accessed your program files, and which files did they access? If you don’t know, or if you can’t find out, it’s hard to pin down which person stole or damaged information.
By having the ability to track access to your program’s data and report on anomalous activity, you’ll have an added layer of security should anyone make it past your safeguards.
When you're sharing files, be sure that you're using approved secure platforms for transmitting the data.
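As an added example (not code from the original article), the script below shows the kind of access reporting this section asks for: it parses a constructed audit-log export from a file-sharing platform, answers who last touched each program file, and flags out-of-role access, off-hours access and repeated denied attempts. The log columns, the role-to-file map and the thresholds are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export from a file-sharing audit log (not real data).
SAMPLE_LOG = """timestamp,user,role,action,path,result
2024-03-04T09:12:03,alice,registration,read,/program/registrations.csv,ok
2024-03-04T09:40:11,bob,finance,read,/program/payouts.xlsx,ok
2024-03-04T23:48:02,carol,marketing,read,/program/registrations.csv,ok
2024-03-05T02:14:20,dave,marketing,read,/program/payouts.xlsx,denied
2024-03-05T02:14:25,dave,marketing,read,/program/payouts.xlsx,denied
2024-03-05T02:14:31,dave,marketing,read,/program/payouts.xlsx,denied
2024-03-05T08:30:00,bob,finance,download,/program/payouts.xlsx,ok
"""
# Least-privilege map (assumed): which roles may touch which data set.
ALLOWED = {"/program/registrations.csv": {"registration"},
           "/program/payouts.xlsx": {"finance"}}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59; anything else is off-hours
DENIED_THRESHOLD = 3            # repeated denials from one user on one path

def parse_log(text):
    """Parse the CSV export into dicts with a real datetime per event."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows

def last_access(rows):
    """Answer 'who last touched each file?': {path: (user, action, timestamp)}."""
    latest = {}
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["result"] == "ok":          # only successful accesses count
            latest[r["path"]] = (r["user"], r["action"], r["timestamp"])
    return latest

def find_anomalies(rows):
    """Flag out-of-role access, off-hours access and repeated denials."""
    findings, denials = [], Counter()
    for r in rows:
        if r["result"] == "ok":
            if r["role"] not in ALLOWED.get(r["path"], set()):
                findings.append(("out_of_role", r["user"], r["path"]))
            if r["timestamp"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours", r["user"], r["path"]))
        else:
            denials[(r["user"], r["path"])] += 1
    for (user, path), n in denials.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("repeated_denied", user, path))
    return findings
```

Run `find_anomalies(parse_log(SAMPLE_LOG))` to see the three findings for the sample; in practice the export would come from your file-sharing platform's audit log and the findings would feed a review queue.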
Back Up and Test Your Data
Eventually, hard drives fail. And if your data’s not backed up, that means it’s gone forever. While it’s a common information security best practice to have data backups, ensuring that those backups work and can be recovered is imperative.
Make sure you have a tested data-backup and system-recovery process in place to ensure program downtime is kept to a minimum.
Be prepared for all types of risks that could cause data loss. In the case of a natural disaster or a site-wide blackout, an off-site data center gives you backups and redundancy for all your critical data; make sure your partners are safeguarding the data of yours that they hold, too.
Consider Limiting Social Media
Is social media right for your initiatives? That depends on how sensitive your industry is and what your program entails.
If you’re running an incentive program to encourage your team to sell more power tools or computers, it might be fine for them to brag about that on social media. However, if you’re operating a program that deals with sensitive issues, consider a restriction on social media to prevent your people leaking potentially touchy information.
Comply With Ongoing Updates to Data Privacy Laws
Privacy regulations about a person’s right to control the data that organizations keep about them are at the forefront of the minds of those who work with event, incentive, and employee recognition programs. GDPR (General Data Protection Regulation), which regulates the personal information we receive from Europe and Switzerland, is leading the way for changes in the United States such as California’s CCPA.
It is in every organization’s best interest to make plans and require vendors to comply with these laws now. In the US, organizations can use Privacy Shield, the framework regulated and enforced by the US Federal Trade Commission, to comply with GDPR.
Vet Your Third-Party Services
With an evolving array of online tools that help optimize events, incentives and recognition programs at professionals’ disposal, it makes sense to partner with third-party service providers that help with data management, analytics and more. But when you use a third-party service provider, it’s like giving them a key to your house. The more keys there are out there, the more risk that could arise.
When hackers look to steal your data, they won’t try to hammer their way through your firewall. They look for the least secure system with access to the data they need, and, many times, that’s a third-party source. That’s why it’s crucial to vet your third-party sources carefully. Only offer your data to external vendors that follow rigorous security standards.
The more program participants you have, the greater end results you’ll get. However, you’ll also see a greater risk of data loss or theft. When partnering with a company to manage your events, incentives or recognition programs, pick one with proven expertise in keeping your program data secure.